Massive Wave of 236,000 Scam Websites Built on DCloud Framework Targets Crypto Users Globally

Researchers identified over 236,000 domains using the DCloud framework for cryptocurrency scams, pig butchering operations, and wallet drainers active since mid-2022.

CSBadmin

The Scale of the Infrastructure

Security researchers at Infoblox have uncovered a sprawling network of over 236,000 malicious websites built using the legitimate DCloud Uni-App framework. This Chinese open-source development tool is being exploited to create convincing templates for fake cryptocurrency exchanges, pig butchering operations, phishing pages, and crypto wallet drainers. The campaign has been active since mid-2022 and continues to expand rapidly.

How the Scams Operate

The fraudulent sites employ a variety of tactics to deceive victims. Some impersonate well-known cryptocurrency exchanges with fake trading interfaces that show fictitious returns until victims attempt withdrawals. Others trick users into connecting their cryptocurrency wallets by masquerading as verification flows for popular platforms like BNB Chain or Tether. A notable subset of these operations uses invitation code systems that require victims to be recruited by existing affiliates, effectively converting each victim into a recruiter in a pyramid scheme structure.

Technical Indicators and Hosting Patterns

Infoblox identified two distinct populations of malicious DCloud sites. The first group carries the framework’s default signatures and includes both legitimate Chinese businesses and malicious operations. A second, larger subset of investment scam sites has been active since mid-2022, with sophisticated operators stripping the default DCloud scaffolding to evade fingerprint-based detection. Most domains are hosted on legitimate providers like Cloudflare, Alibaba Cloud, and Amazon Web Services, while approximately 6% leverage bulletproof hosting services that are resistant to takedown requests.

Source: The Hacker News
