A massive network of over 200,000 scam websites has been uncovered by cybersecurity firm Infoblox, all powered by a Chinese open-source framework called Uni-App. This framework is widely used in China for building legitimate applications and websites, but threat actors have exploited its popularity to create a sprawling ecosystem of investment scams that have already duped thousands of people around the world.
Uni-App allows developers to create codebases that can be deployed simultaneously as mobile and desktop applications or as mobile-optimized websites. The framework’s maker, DCloud, has no apparent involvement in the fraudulent use of its technology. However, threat actors have been selling investment scam templates built with Uni-App, and numerous scam websites using these templates appear to be linked to the same cluster of activity.
Infoblox discovered that over 236,000 second-level domains are powering this scam infrastructure, ranging from fake crypto exchanges to brand impersonation and WhatsApp phishing sites. The most notorious example is the RainbowEx platform, a fake cryptocurrency exchange that made international headlines after it duped thousands of residents in an Argentine town into pouring money into it.
Uni-App has become a known platform within the scam-operator ecosystem due to its popularity among legitimate developers. Infoblox notes that the framework’s reputation was amplified by major news outlets, making it a go-to choice for threat actors. As a result, the number of new sites launched using Uni-App skyrocketed after the RainbowEx scandal in 2024.
The largest portion of DCloud-fingerprinted sites consists of investment scam domains run by multiple unrelated operators, possibly dozens or even hundreds. These scams include fake cryptocurrency exchanges and “deposit-and-trade” platforms, as well as crypto wallet drainers, prediction-market and gambling impersonators, messaging platform phishing, and other phishing and credential-harvesting sites.
The use of Uni-App has also been linked to high-profile scams like Lightning Shared Scooter Co. (LSSC), which promised investors sharp increases in passive revenue through funding a high-tech scooter-sharing company. Similar operations have popped up in Australia, New Zealand, and the United States, including Yuechi Sharing Technology Ltd., which currently operates legitimate-looking storefronts.
Infoblox notes that holistically tracking the threat actors operating in this ecosystem, and identifying commonalities that indicate shared ownership of the sites, is overdue. As more people fall victim to these scams, it’s essential for users to be aware of the dangers of investment scams and how they operate.
To stay safe online, users should be cautious when investing in unfamiliar companies or websites, especially those promising unusually high returns. Legitimate businesses will not pressure you into making a decision quickly or ask for personal details through unsecured channels. Always research the company thoroughly and verify its legitimacy before parting with your hard-earned money.
Source: SecurityWeek — 2026-06-27