A legitimate Chinese cross-platform development framework has become the technical foundation for a sprawling investment scam ecosystem, according to research published by Infoblox. The firm identified more than 236,000 second-level domains fingerprinted to DCloud’s Uni-App framework, spanning fake cryptocurrency exchanges, wallet drainers, gambling impersonators, messaging-platform phishing, and multi-language pig-butchering operations.
Why Uni-App?
Uni-App is a legitimate, widely used toolkit that lets developers write a single Vue.js codebase and deploy it simultaneously as mobile apps and mobile-optimized websites. Its broad adoption in China, combined with a mature developer ecosystem, makes it straightforward for scam operators to purchase ready-made investment-scam templates and stand up convincing sites quickly. Infoblox is careful to note that DCloud, the framework’s maintainer, does not appear to be involved in or aware of its fraudulent use.
Scale and Coordination
The scam infrastructure has been growing since mid-2022, but Infoblox observed a pronounced acceleration beginning in late 2024, which the researchers link to international news coverage of the RainbowEx scandal, a fake cryptocurrency platform that defrauded thousands of residents in a small Argentine town. Following that coverage, new site registrations peaked at roughly 15,000 per month.
Infoblox’s analysis uncovered evidence of centralized control within at least part of the ecosystem: coordinated dips in new domain registrations were observed simultaneously across sites hosted on disparate providers, suggesting a single owner managing disruptions or rolling out changes across the entire portfolio.
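One way to look for the kind of coordinated dip described above, as an added example that is not Infoblox's method or code. The provider names, daily registration counts, window and thresholds are all constructed assumptions.

```python
from statistics import median

# Constructed sample: new fingerprinted domains first seen per day, per hosting
# provider. Names and numbers are invented for illustration only.
SAMPLE = {
    "provider_a": [40, 42, 38, 41, 39, 8, 7, 40, 43, 41, 40, 39],
    "provider_b": [15, 14, 16, 15, 17, 3, 2, 16, 15, 14, 16, 15],
    "provider_c": [60, 58, 61, 59, 62, 12, 10, 62, 60, 5, 61, 58],
    "provider_d": [22, 21, 23, 20, 22, 21, 4, 23, 22, 21, 20, 22],
}


def dip_days(series, window=4, ratio=0.5):
    """Return day indexes where the count drops below ratio * baseline.

    The baseline is the median of the last `window` non-dip days, so a
    multi-day outage does not drag its own baseline down.
    """
    dips, normal = set(), []
    for day, count in enumerate(series):
        if len(normal) >= window and count < ratio * median(normal[-window:]):
            dips.add(day)
        else:
            normal.append(count)
    return dips


def coordinated_dips(counts_by_provider, min_share=0.75, **kwargs):
    """Map each day to the providers dipping on it, keeping only days where
    at least `min_share` of all providers dip at once."""
    per_day = {}
    for provider, series in counts_by_provider.items():
        for day in dip_days(series, **kwargs):
            per_day.setdefault(day, []).append(provider)
    total = len(counts_by_provider)
    return {
        day: sorted(providers)
        for day, providers in sorted(per_day.items())
        if len(providers) / total >= min_share
    }


if __name__ == "__main__":
    for day, providers in coordinated_dips(SAMPLE).items():
        print(f"day {day}: simultaneous dip on {', '.join(providers)}")
```

A dip confined to one provider (day 9 on `provider_c` in the sample) is filtered out, since it is more likely a hosting-side event than a portfolio-wide change by one owner.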
Notable Operations
- RainbowEx, a fake crypto exchange that attracted international attention after causing significant losses among residents of an Argentine town.
- Lightning Shared Scooter Co. (LSSC), a US-facing scheme that promised passive income through a fictitious high-tech scooter-sharing company, bolstered by physical storefronts, and likely caused millions of dollars in losses.
- Yuechi Sharing Technology Ltd. (YST), a similar scooter-investment operation currently active in Australia, New Zealand, and the United States. Despite holding legitimate registration paperwork, YST’s frontend is built on Uni-App and is connected to a broader network of investment-scam websites.
Operator Landscape
The DCloud-fingerprinted sites are not the product of a single criminal group. Infoblox assesses that the investment-scam segment alone is run by multiple unrelated operators, potentially dozens or even hundreds. The variety of scam types hosted on the infrastructure includes deposit-and-trade platforms, crypto wallet drainers, prediction-market impersonators, and credential-harvesting phishing pages.
Defensive Implications
Infoblox argues that the two-year growth trajectory and the framework’s recognizable technical fingerprint create an actionable opportunity for defenders. Because Uni-App leaves consistent artifacts, security teams and threat-intelligence platforms can use those markers to identify and cluster scam infrastructure more holistically, potentially exposing shared ownership across superficially unrelated sites. The firm recommends that the security community begin tracking this ecosystem systematically rather than responding to individual scam operations in isolation.
