Infoblox researchers uncovered more than 236,000 websites abusing DCloud Uni-App, a legitimate Chinese open-source development framework, to host cryptocurrency investment scams, phishing operations, and wallet-draining attacks.
DCloud Uni-App enables developers to build cross-platform applications from a single codebase. Threat actors repurposed pre-built scam templates within the framework to rapidly deploy fraudulent sites targeting crypto investors. The resulting sites operate fake exchanges, counterfeit gambling platforms, and bogus investment schemes.
The campaign employs several attack vectors. Pig-butchering operations use multilingual content to romance-scam victims into depositing funds into fake trading platforms. WhatsApp phishing networks impersonate legitimate services to harvest credentials. Wallet-draining sites trick users into connecting legitimate crypto wallets, allowing attackers to extract funds.
The scale reveals a systematic abuse pattern. Threat actors distribute Uni-App templates containing malicious code, allowing rapid site proliferation across multiple domains. This approach reduces development time and technical barriers to launching fraud at scale. The framework's legitimacy provides cover, as security tools may not flag known-good software used for illicit purposes.
Organizations should monitor for Uni-App-based domains within their networks, particularly traffic to cryptocurrency or trading platforms. Users should verify site authenticity through official channels and avoid connecting wallets to unverified platforms. Security teams should implement DNS filtering for known scam domains and educate staff on pig-butchering tactics, which often begin with social engineering on professional networks like LinkedIn.
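One way to act on the DNS recommendations above, as an added example that is not taken from the Infoblox research: match resolver query logs against a scam-domain list on whole labels, and emit response policy zone (RPZ) records for the same list. The log format, client addresses and `.example` domains are constructed placeholders; a real list would come from a threat-intelligence feed.

```python
from collections import defaultdict

# Constructed sample data: placeholder domains under the reserved .example TLD.
BLOCKLIST_LINES = [
    "# known scam domains (constructed)",
    "Fake-Exchange.example.",
    "wallet-connect-bonus.example",
]
# Constructed log format (assumption): timestamp, client IP, query type, query name.
DNS_LOG = [
    "2025-01-01T09:00:01Z 10.0.0.5 A app.fake-exchange.example",
    "2025-01-01T09:00:02Z 10.0.0.5 A notfake-exchange.example",
    "2025-01-01T09:00:03Z 10.0.0.9 AAAA WALLET-CONNECT-BONUS.example.",
    "2025-01-01T09:00:04Z 10.0.0.7 A intranet.corp.example",
]

def normalize(name):
    """Lower-case a domain and drop surrounding space and the trailing root dot."""
    return name.strip().rstrip(".").lower()

def load_blocklist(lines):
    """Return the set of listed domains, skipping blank lines and # comments."""
    return {normalize(l) for l in lines if l.strip() and not l.lstrip().startswith("#")}

def match(qname, blocklist):
    """Return the listed domain that qname equals or is a subdomain of, else None.
    Whole-label matching: notfake-exchange.example must not hit fake-exchange.example."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def triage(log_lines, blocklist):
    """Map each client IP to the sorted list of listed domains it queried."""
    hits = defaultdict(set)
    for line in log_lines:
        _ts, client, _qtype, qname = line.split()
        listed = match(qname, blocklist)
        if listed:
            hits[client].add(listed)
    return {c: sorted(d) for c, d in hits.items()}

def rpz_records(blocklist):
    """RPZ records that answer NXDOMAIN ("CNAME .") for each domain and its subdomains."""
    return [r for d in sorted(blocklist) for r in (f"{d} CNAME .", f"*.{d} CNAME .")]

if __name__ == "__main__":
    print(triage(DNS_LOG, load_blocklist(BLOCKLIST_LINES)))
```

The `triage` output identifies which clients need follow-up, while the `rpz_records` lines can be placed in a response policy zone on a resolver that supports RPZ.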
DCloud has not been compromised. The framework itself remains secure. Attackers simply abuse its accessibility and cross-platform capabilities to distribute fraud templates. The threat extends beyond crypto investors to anyone targeted by phishing or credential-harvesting operations using Uni-App-based sites.
This campaign
