"For the last two years, there's been a dramatic scaling up of scam websites using the DCloud framework, and operators of these sites continue to launch complex real-world schemes to trick victims," Infoblox said in an exhaustive report published last week.
Infoblox's key findings
DNS threat intelligence firm Infoblox identified 236,493 distinct second-level domains built with templates from the DCloud Uni-App framework that are powering a wide array of fraudulent operations. The flagged sites include bogus cryptocurrency exchanges, multi-language pig-butchering operations, WhatsApp phishing networks, fake gambling platforms, brand-impersonation storefronts, and crypto wallet drainers. Infoblox emphasizes that while DCloud Uni-App is a legitimate open-source cross-platform framework, the company observed consistent malicious traits across the scam subset.
Techniques: wallet drainers, impersonation, and invitation gates
Infoblox cataloged several repeat technical and social-engineering patterns. Among them are fake brokerage and exchange interfaces that display fictitious trading activity until victims try to withdraw funds; wallet-drainer flows that pose as BNB Chain or Tether verification prompts to trick users into connecting wallets; and gambling or prediction-market interfaces that simulate rigged outcomes. Messaging-platform phishing was also prominent, with lookalike WhatsApp help domains such as "whats-zwp[.]vip" and "faq-whatsapp-center[.]com" used to harvest credentials. Investment schemes often require an invitation code at registration, a gate that converts victims into recruiters — a classic pyramid dynamic described in Infoblox's analysis.
Scale, timeline, and geographic reach
Infoblox traces the malicious investment-scam population of DCloud-built sites back to mid-2022, distinct from the broader DCloud fingerprint population that goes back to 2021 and includes legitimate Chinese businesses. The rogue domains span every continent, operate in at least eight languages, and impersonate entities ranging from major stock exchanges to retail brands and messaging platforms. Infoblox cites the RainbowEx case — a bogus crypto exchange that surfaced in late 2024 after a Ponzi scheme affected tens of thousands in San Pedro, Argentina — noting that seven people linked to that operation were arrested later that year.
Infrastructure choices: mainstream clouds and bulletproof hosting
The majority of the DCloud-built investment-scam domains are hosted on mainstream providers such as Cloudflare, Alibaba Cloud, Tencent Cloud, and Amazon Web Services. About 6% of visible scam domains were observed on bulletproof hosting (BPH) providers, with CTG Server Limited (AS152194) named as an example. Infoblox separates the malicious population into a "vanilla" tier — sites carrying the default DCloud fingerprint and often running on mainstream hosting — and an "evasive" tier, where operators strip framework signatures and are roughly twice as likely to use BPH. Infoblox interprets this as a correlation between operator sophistication in obscuring fingerprints and the choice of infrastructure resistant to takedown.
Template marketplaces, centralization signals, and specific fronts
Infoblox assesses that unknown threat actors are selling DCloud investment-scam templates, while also finding indications of centralized ownership across a substantial portion of the scam ecosystem. Evidence cited includes coordinated drops in new domain registrations across different hosts, shared technical fingerprints, common victim-communication methods, and similar hosting decisions. Infoblox points to concrete examples of commercial fronts and campaigns: a scooter-investment scam run under the Yuechi Sharing Technology Ltd. brand targeting Australia, New Zealand, and the U.S., and an active bicycle-sharing investment-themed scam operating under a U.K.-registered corporate front that holds a genuine U.S. federal money-services license.
What this means for technologists, regulators, and end users
- Technologists and security teams: Expect evasive operators to strip framework fingerprints and migrate to BPH when pressured; monitoring for both vanilla DCloud signatures and behavior associated with the evasive tier will be necessary to track the full threat surface.
- Regulators and enforcement: The RainbowEx example and arrests tied to late 2024 illustrate that takedown and law-enforcement action can follow large-scale schemes; coordinated disruptions that cause domain-registration drops may signal progress or shifts in operator behavior.
- End users and victims: Fraudulent sites use convincing interfaces, invitation-code recruitment gates, and off-platform branded chat services to sustain schemes; victims drawn into deposit-and-trade flows or wallet-verification prompts are at particular risk of financial loss or wallet draining.
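The lookalike WhatsApp domains quoted above (whats-zwp[.]vip, faq-whatsapp-center[.]com) and the monitoring advice for security teams suggest a simple triage check: refang a defanged indicator, derive its registrable domain, and flag hostnames that carry a brand token but do not sit under an apex the brand actually controls. The script below is an added example, not Infoblox's tooling; the brand allowlist, the token list and the short suffix table are constructed assumptions for illustration.

```python
import re

# Constructed allowlist (assumption for this example): brand -> apex domains the
# brand controls. In production, source this from a maintained inventory.
LEGIT_APEX = {
    "whatsapp": {"whatsapp.com", "whatsapp.net"},
    "tether": {"tether.to"},
    "bnbchain": {"bnbchain.org"},
}

# Brand tokens to hunt for in hostnames. "whats-" is deliberately loose so that
# truncated variants such as whats-zwp[.]vip are still caught (expect some noise).
BRAND_TOKENS = {
    "whatsapp": ("whatsapp", "whats-"),
    "tether": ("tether",),
    "bnbchain": ("bnbchain", "bnb-chain"),
}

# Two-label public suffixes treated as one unit when deriving the apex.
# Kept short on purpose; use the Public Suffix List for real deployments.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.nz"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://whats-zwp[.]vip/x) back into a bare hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    host = host.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return host.split("/")[0].rstrip(".")


def apex_of(host: str) -> str:
    """Registrable domain: last two labels, or three when the suffix is two labels."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(indicator: str) -> dict:
    """Label a hostname as legitimate, lookalike, or unrelated to the tracked brands."""
    host = refang(indicator)
    apex = apex_of(host)
    for brand, tokens in BRAND_TOKENS.items():
        if any(tok in host for tok in tokens):
            verdict = "legitimate" if apex in LEGIT_APEX[brand] else "lookalike"
            return {"host": host, "apex": apex, "brand": brand, "verdict": verdict}
    return {"host": host, "apex": apex, "brand": None, "verdict": "unrelated"}


def triage(indicators: list[str]) -> list[str]:
    """Return only the lookalike hosts from a batch of (possibly defanged) indicators."""
    return [c["host"] for c in map(classify, indicators) if c["verdict"] == "lookalike"]
```

Feed it a list of candidate hostnames from DNS logs or newly registered domain feeds; anything it labels as a lookalike is a candidate for blocking or closer review, while legitimate brand subdomains pass through untouched.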
Infoblox's analysis paints a cyber-fraud ecosystem that has scaled rapidly by packaging templates and exploiting a legitimate development framework. The behavioral fingerprints — from invitation gates to hosting decisions — offer defenders signals to follow even as operators try to erase the telltale DCloud scaffolding. The next practical question is whether continued tracking and coordinated disruption will force these operators back to less centralized patterns, or simply accelerate their move into harder-to-takedown infrastructure.