Infoblox has identified over 236,000 websites actively leveraging investment scam templates built on DCloud Uni-App, a legitimate Chinese open-source cross-platform development framework. These sites are used to host bogus cryptocurrency exchanges, run multi-language pig-butchering operations, and deploy WhatsApp phishing networks, according to the cybersecurity firm.

The scale of the abuse is significant, with the fraudulent infrastructure spanning fake gambling platforms, brand-impersonation pages, and wallet-draining schemes. DCloud Uni-App's cross-platform capabilities make it an attractive vector for attackers seeking to rapidly deploy convincing, scalable scam sites without building custom code from scratch.

The attack vector relies on the framework's legitimate template system, which allows developers to create responsive sites for web and mobile. Scammers have repurposed these tools to produce lookalike interfaces that mimic real crypto exchanges and financial services, luring victims into depositing funds or connecting wallets directly to drainers.

No specific patches or mitigations from DCloud have been announced regarding this abuse. Organizations should monitor their networks for traffic to Uni-App-branded pages and educate users to verify URLs before engaging with crypto platforms or following unsolicited links.

Attribution remains unclear, though the infrastructure's reliance on Chinese-origin software suggests a potential regional nexus. The findings underscore a broader trend of legitimate development tools being weaponized for systematic fraud operations.