Chinese Uni-App Framework Abused to Power Over 200,000 Investment Scam Sites
Infoblox reveals that over 200,000 scam websites are built using the legitimate Chinese open-source framework Uni-App, enabling a massive ecosystem of investment fraud.

More than 200,000 websites are using investment scam templates built with the Chinese open-source framework Uni-App, according to a new report from Infoblox. The cross-platform development toolkit, which allows developers to create Vue.js codebases deployable as mobile apps, desktop applications, or mobile-optimized websites, has become a favorite among cybercriminals for its ease of use and legitimate appearance.
Uni-App is widely used in China and supported by a large developer ecosystem, powering thousands of legitimate products. Its maker, DCloud, does not appear to be involved in the fraudulent use. However, Infoblox discovered that threat actors are selling pre-built investment scam templates on underground markets, and numerous scam websites using these templates are linked to the same cluster of activity.
“Beyond the technical connections, we also uncovered patterns in the growth of the DCloud investment sites, along with coordinated dips in new domain registrations seen across scam websites on diverse hosts, an indication of a centralized owner facing disruption or making coordinated changes across all their DCloud investment scam sites,” the cybersecurity firm noted.
Infoblox identified over 236,000 second-level domains powering the scam infrastructure, ranging from fake crypto exchanges to fake gambling, brand impersonation, WhatsApp phishing, and multi-language pig-butchering websites. Among them is the infamous RainbowEx platform, a fake cryptocurrency platform that made international headlines after thousands of residents of a small Argentine town were duped into pouring money into it.
Hosted across numerous providers, the scam second-level domains have been appearing since mid-2022, with a sharp increase observed since late 2024, after the RainbowEx scandal. “After October 2024, that figure jumped to roughly 15,000 newly observed sites per month at peak. The framework appears to have become a known platform within the scam-operator ecosystem due to the coverage it received by major news outlets,” Infoblox noted.
The largest portion of DCloud-fingerprinted sites consists of investment scam domains, run by multiple unrelated operators, “possibly dozens, even hundreds.” In addition to fake cryptocurrency exchanges and ‘deposit-and-trade’ platforms, they also include crypto wallet drainers, prediction-market and gambling impersonators, messaging platform phishing, and other phishing and credential-harvesting sites.
Lightning Shared Scooter Co. (LSSC), an operation that likely caused millions of dollars in losses in the US, was also using Uni-App. It promised investors sharp increases in passive revenue through funding a high-tech scooter-sharing company, and bolstered its appearance of legitimacy through physical storefronts. A similar scooter-investment operation, Yuechi Sharing Technology Ltd. (YST), currently active in Australia, New Zealand, and the United States, also has a frontend built using the Uni-App framework. YST, Infoblox says, has legitimate registration paperwork but is connected to a network of other investment-scam websites.
“For the last two years, there’s been a dramatic scaling up of scam websites using the DCloud framework, and operators of these sites continue to launch complex real-world schemes to trick victims. It’s overdue to holistically track threat actors operating in this ecosystem and attempt to identify commonalities that indicate shared ownership of the sites,” Infoblox concluded. The findings highlight how legitimate development tools can be weaponized at scale, and underscore the need for coordinated tracking of such infrastructure.