Chinese Framework Powers 200,000 Scam Sites

Over 200,000 websites have been found using Uni-App, a Chinese open-source framework that threat actors are using to power massive investment scam operations. According to cybersecurity firm Infoblox, these scams belong to the same cluster of activity and share patterns in growth and domain registration, suggesting a centralized owner or group of owners coordinating their efforts.

Uni-App is a cross-platform development toolkit that allows developers to create Vue.js codebases for mobile and desktop applications, as well as mobile-optimized websites. It’s widely used in China and has a robust developer ecosystem backing it. However, scammers are abusing this legitimate tool by selling investment scam templates built with the framework. These templates are then deployed on thousands of websites, often hosted across multiple providers.

Infoblox identified over 236,000 second-level domains powering the scam infrastructure, which includes fake cryptocurrency exchanges, phishing sites, and brand impersonation scams. One notable example is the RainbowEx platform, a fake cryptocurrency exchange that was exposed last year after it swindled thousands of residents in an Argentine town out of millions of dollars.

Use of Uni-App is now so widespread that the framework appears to have become a known platform within the scam operator ecosystem. Since the RainbowEx scandal broke, Infoblox notes that there’s been a significant increase in new scam sites being launched each month, roughly 15,000 at peak. The majority of these sites are investment scams, with some also operating fake cryptocurrency exchanges and “deposit-and-trade” platforms.

Some notable examples of Uni-App-powered scams include Lightning Shared Scooter Co., which likely caused millions of dollars in losses in the US, and Yuechi Sharing Technology Ltd., a scooter-investment operation currently active in Australia, New Zealand, and the US. While both operations have legitimate registration paperwork, they’re connected to networks of other investment-scam websites.

The scale and sophistication of these scams are a stark reminder that threat actors continue to evolve and adapt their tactics. It’s essential for cybersecurity professionals and regulators to stay vigilant and work together to combat this ecosystem of scammers. As Infoblox notes, “it’s overdue to holistically track threat actors operating in this ecosystem and attempt to identify commonalities that indicate shared ownership of the sites.”


Source: SecurityWeek — 2026-06-27