More than 236,000 websites are leveraging scam templates built on DCloud Uni-App, a legitimate Chinese open-source cross-platform application development framework, according to new research from Infoblox. The scale of the abuse highlights how threat actors are systematically co-opting mainstream developer tooling to rapidly deploy fraudulent infrastructure.
What Is Being Built
The templates identified by Infoblox power a broad range of criminal operations, including:
- Bogus cryptocurrency exchanges designed to trick victims into depositing funds they cannot withdraw
- Pig-butchering platforms operating across multiple languages, targeting victims in different geographic regions
- WhatsApp phishing networks used to harvest credentials or redirect victims to fraudulent investment sites
- Fake gambling platforms and brand-impersonation schemes targeting well-known companies
Why DCloud Uni-App
DCloud Uni-App is a widely used, legitimate framework that allows developers to build applications deployable across web, mobile, and desktop environments from a single codebase. Its cross-platform nature makes it attractive for rapid deployment, and its legitimacy helps fraudulent sites blend in with ordinary web traffic, complicating detection by security tools that rely on reputation signals.
By building scam operations on top of a recognized framework, threat actors reduce development overhead while gaining a degree of camouflage. The reuse of standardized templates across hundreds of thousands of domains also suggests a coordinated, industrialized operation rather than isolated actors.
Scope and Implications
The 236,000-site figure underscores the industrialized nature of modern fraud infrastructure. Security teams should treat DCloud Uni-App-based sites with elevated scrutiny, particularly those promoting investment opportunities or cryptocurrency services, and should monitor for phishing domains using the framework’s characteristic structural patterns. DNS-layer visibility is likely to be valuable in identifying clusters of related infrastructure before victims are reached.
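As an added illustration of the DNS-layer clustering mentioned above (example code written for this page, not taken from Infoblox's research), the sketch below groups domains that share an A or NS value in passive-DNS observations. The record format, the function name cluster_domains, the max_fanout threshold and all sample domains and addresses are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (domain, record type, value).
# All names and addresses are made up (.example names, documentation IP ranges).
SAMPLE_PDNS = [
    ("coin-a.example", "A", "203.0.113.10"),
    ("coin-b.example", "A", "203.0.113.10"),
    ("coin-b.example", "NS", "ns1.host-x.example"),
    ("invest-c.example", "NS", "ns1.host-x.example"),
    ("invest-c.example", "A", "203.0.113.77"),
    ("shop-d.example", "A", "198.51.100.5"),
    ("blog-e.example", "A", "198.51.100.5"),
    ("news-f.example", "A", "198.51.100.5"),
    ("wiki-g.example", "A", "198.51.100.5"),
    ("solo-h.example", "A", "192.0.2.44"),
]

def cluster_domains(records, max_fanout=3, min_size=2):
    """Group domains that share an A/AAAA or NS value (union-find).

    Values seen on more than max_fanout domains are treated as shared
    hosting or CDN infrastructure and ignored, so they do not merge unrelated sites.
    """
    by_value = defaultdict(set)
    for domain, rtype, value in records:
        if rtype in ("A", "AAAA", "NS"):
            by_value[(rtype, value.lower())].add(domain.lower())

    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in by_value.values():
        if len(domains) > max_fanout:
            continue  # too widely shared to be a useful link
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)
        find(first)  # register domains that have no peers

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    clusters = [sorted(g) for g in groups.values() if len(g) >= min_size]
    return sorted(clusters, key=lambda g: g[0])
```

The fan-out cap is the part to tune: set too high, one shared-hosting address merges unrelated sites into a single cluster; set too low, genuinely related domains on a busy server are missed.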
