News Article · Jun 28, 2026 at 7:39 PM
Chinese Framework Powers Over 200,000 Scam Sites as Infrastructure Threats Evolve
Security #signal #Russian hackers #DCloud Uni-App #investment scams #Infoblox #third-party breaches #education sector

Infoblox reports over 236,000 second-level domains using DCloud's Uni-App framework for investment scams, pig butchering, and phishing. Meanwhile, FBI warns of Russian hackers targeting Signal recovery keys, and education sector grapples with third-party breaches.

Security researchers at Infoblox have identified more than 200,000 websites built with the Chinese open-source framework DCloud Uni-App that are actively running investment scams, phishing campaigns, and fake cryptocurrency platforms. The activity has been ongoing since mid-2022 and escalated sharply after October 2024.

Infoblox tracked over 236,000 second-level domains tied to the scam infrastructure. Among them was RainbowEx, a fake cryptocurrency platform that defrauded thousands of residents in a small Argentine town, making international headlines before the same template set saw a surge in deployments.

Abuse of a Legitimate Cross-Platform Toolkit

DCloud Uni-App is a legitimate Vue.js-based development framework that lets a single codebase be deployed as a mobile app, a desktop app, or a mobile-optimized website. It is widely used in China and supported by a large developer ecosystem. DCloud itself does not appear complicit in the fraudulent use, but threat actors are selling prebuilt scam templates that run on the framework. Infoblox estimates that "dozens, even hundreds" of separate operators are running these sites, some linked to real-world operations such as Lightning Shared Scooter Co. (LSSC) and Yuechi Sharing Technology Ltd. (YST), which promised high returns from scooter-sharing investments.

Types of scam sites observed include:

  • Fake cryptocurrency exchanges and deposit-and-trade platforms
  • Crypto wallet drainers and prediction-market impersonators
  • WhatsApp phishing and multi-language pig-butchering websites
  • Brand impersonation and credential-harvesting pages

Signal Attacks and Education Sector Third-Party Breaches Broaden the Concern

While the DCloud abuse illustrates how legitimate developer infrastructure can be weaponized at scale, other infrastructure threats are emerging concurrently. The FBI and CISA issued an updated advisory warning that Russian intelligence hackers are targeting Signal users' backup recovery keys. If an attacker obtains the key through phishing, they can restore the target's backup and read its messages even after the user switches devices. This technique, attributed to the threat group UNC5792, has already compromised thousands of accounts worldwide, the agencies said.

Separately, a growing wave of third-party breaches is hitting the education sector, where institutions rely heavily on external vendors for learning management systems, student record platforms, and financial aid tools. Dark Reading reported that attackers are increasingly exploiting these trusted relationships, using compromised vendor credentials to deploy ransomware and steal sensitive student data. The breaches have forced schools to reassess vendor risk management practices, often after the fact.

These three developments share a common theme: attackers are targeting the infrastructure layers that organizations depend on, whether software frameworks, encrypted communication tools, or supply-chain vendors. Infoblox urged the security community to begin "holistically tracking threat actors operating in this ecosystem" and identifying ownership patterns across the mushrooming scam sites. For Signal users, the FBI recommends enabling registration lock and regularly reviewing linked devices. For educational institutions, stronger contractual security requirements and continuous monitoring of vendor access have become urgent priorities.

Fact check

  • More than 200,000 scam websites use templates built with the DCloud Uni-App framework. (reported)
  • Infoblox identified over 236,000 second-level domains associated with the scam infrastructure. (reported)
  • RainbowEx was a fake cryptocurrency platform that defrauded thousands in an Argentine town. (verified)
  • FBI and CISA warned that Russian hackers are targeting Signal backup recovery keys. (reported)
  • Third-party breaches are increasingly affecting the education sector, forcing institutions to reassess vendor risk. (reported)
