{"id":13776,"date":"2026-06-25T05:58:34","date_gmt":"2026-06-25T12:58:34","guid":{"rendered":"https:\/\/www.infoblox.com\/blog\/?p=13776"},"modified":"2026-06-25T08:26:16","modified_gmt":"2026-06-25T15:26:16","slug":"from-san-pedro-to-salinas-how-a-chinese-framework-dcloud-uni-app-powers-a-global-scam-economy","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/from-san-pedro-to-salinas-how-a-chinese-framework-dcloud-uni-app-powers-a-global-scam-economy\/","title":{"rendered":"From San Pedro to Salinas: How a Chinese Framework \u201cDCloud Uni-App\u201d Powers a Global Scam Economy"},"content":{"rendered":"<p>In 2024, a small Argentine town called San Pedro became the focus of international press coverage after thousands of residents (approximately 20% of the total population), including the chief of police and members of the city council, discovered that a cryptocurrency platform they had invested in and been promoting was a coordinated scam. The platform, called RainbowEx, displayed fictional trading activity, pulled deposits from victims through stablecoin transfers, and blocked withdrawals once the scheme was publicly exposed. The complex scandal was covered by <a href=\"https:\/\/www.nytimes.com\/2025\/03\/28\/business\/rainbowex-crypto-ponzi-scheme.html\" target=\"_blank\">The New York Times<\/a>, <a href=\"https:\/\/www.laopinionsemanario.com.ar\/noticia\/rainbowex-el-informe-que-revela-por-que-la-china-es-un-esquema-piramidal-la-app-captura-datos-personales\" target=\"_blank\">La Opini\u00f3n Semanario<\/a>, <a href=\"https:\/\/buenosairesherald.com\/society\/crime\/no-gold-at-the-end-of-this-rainbow-the-scam-that-engulfed-an-argentine-town\" target=\"_blank\">Buenos Aires Herald<\/a>, and other prominent news outlets.<\/p>\n<p>What happened in San Pedro made international headlines. What went under the radar was the discovery that RainbowEx was not bespoke fraud. 
It was a <em>template<\/em>: the visual scaffolding for the exchange, the registration flow, the trading dashboard, and the Telegram-driven price calls were all built using a Chinese web-developer framework called <strong>DCloud Uni-App<\/strong> (DCloud) (en.uniapp[.]dcloud[.]io), an open-source toolkit for building cross-platform mobile applications.<\/p>\n<p>DCloud is also, as Infoblox Threat Intel research now shows, the technical foundation underneath at least <strong>236,493 distinct second-level domains <\/strong>identified as scam infrastructure: from RainbowEx-style fake crypto exchanges to multi-language pig-butchering operations, WhatsApp phishing networks, fake gambling platforms, brand-impersonation sites, and crypto wallet drainers. RainbowEx was not the start. It was one well-publicized chapter of a much larger, older, and still-active operation. One where the scaffolding is shared, many of the actors are decentralized, and countless victims are globally dispersed. <\/p>\n<p>In our investigation of scam websites using DCloud, we were also able to map some hosting patterns and private technical fingerprints, which point to at least one large-scale threat actor controlling a large portion of these scam sites.<\/p>\n<p>And what we observed online has not stayed only online. The same investment scam template family now anchors physical-world fraud operations, including the 2024\u20132025 Lightning Shared Scooter Co. (LSSC) mobility investment scam that the U.S. press extensively <a href=\"https:\/\/www.nbcnews.com\/news\/us-news\/electric-scooter-scam-lightning-shared-scooter-co-investors-rcna226832\" target=\"_blank\">covered<\/a> last August, and a currently-active bicycle sharing investment scam registered with the U.S. 
Treasury Department as a money-services business, recruiting Americans through another mobility investment scam at the time of this writing.<\/p>\n<p>This is the story of the DCloud open-source framework, why defenders should be tracking websites built with it, and how we can use this shared code to better understand the investment scam ecosystem emanating from mostly Chinese threat actors.<\/p>\n<h3>What is DCloud, and Why Does it Matter?<\/h3>\n<p>DCloud is a Chinese open-source software company based in Beijing. Its flagship product, the <a href=\"https:\/\/en.uniapp.dcloud.io\/\" target=\"_blank\">Uni-App framework<\/a>, is a cross-platform development toolkit (analogous to React Native or Flutter) that lets developers write a single Vue.js codebase and deploy it as a mobile application, a desktop application, and a mobile-optimized website simultaneously. The framework is legitimate, widely used in mainland China, and supported by an active developer ecosystem. Thousands of legitimate Chinese businesses ship products built on it, and we have no evidence DCloud is involved in the fraudulent use of its framework by these actors.<\/p>\n<p>The framework leaves behind a recognizable shape. Every Uni-App project, by default, ships with a handful of shared resources; none of them are inherently malicious. They are simply the default scaffolding that every Uni-App project includes when it is built, the way every WordPress site shares certain underlying file paths and every React app ships with recognizable build artifacts.<\/p>\n<p>There are likely threat actors selling DCloud investment scam templates, but we\u2019ve also found indications of centralized ownership across huge swaths of DCloud investment scam websites. 
Beyond the technical connections, we also uncovered patterns in the growth of the DCloud investment sites, along with coordinated dips in new domain registrations seen across scam websites on diverse hosts, an indication of a centralized owner facing disruption or making coordinated changes across all their DCloud investment scam sites.<\/p>\n<h3>From RainbowEx to a Much Larger Ecosystem<\/h3>\n<p>The RainbowEx exchange that swept San Pedro was hosted primarily on just one website (rainbowex[.]cc). Investigators who looked at its code in late 2024 quickly realized it had been built on the DCloud Uni-App framework, and this detail made its way into early news reports and then eventually into the huge New York Times article \u201c<a href=\"https:\/\/www.nytimes.com\/2025\/03\/28\/business\/rainbowex-crypto-ponzi-scheme.html\" target=\"_blank\">How a Crypto Craze Swept An Argentine Town<\/a>.\u201d <\/p>\n<p>Infoblox Threat Intel undertook a research process to use technical fingerprints common to sites built on the DCloud framework. We identified a large population of domains\u2014hundreds of thousands of them\u2014that are both using DCloud and conducting a wide range of scams. Use of DCloud itself is not, on its own, evidence of malicious intent. Legitimate developers ship sites with it too. What separates the malicious population from the legitimate one is what gets layered on top of the framework: fake brokerage interfaces, cryptocurrency wallet-drainer prompts, gambling interfaces with rigged outcomes, brand-impersonation storefronts, and the rest of the modern online-fraud playbook.<\/p>\n<p>We were able to develop additional technical fingerprints to filter out the known malicious DCloud websites from the generic sites. 
A small portion of the scam websites found using DCloud also attempted to remove DCloud fingerprints, and our data showed these evasive websites were hosted on more bulletproof hosting (BPH) providers than the vanilla scam sites, indicating greater sophistication by some of the actors using this framework. <\/p>\n<p>After filtering out legitimate enterprise customers of the DCloud framework (large platforms, multi-tenant SaaS, established Chinese businesses) we identified <strong>over 236,000 distinct second-level domains<\/strong> (SLDs) that appear to have been operated for fraudulent purposes since 2022. These domains span every continent, target speakers of at least eight languages, and impersonate brands ranging from major stock exchanges to retail giants to messaging platforms.<\/p>\n<p>And when we look at the broad scope of this data, there are trends that indicate centralized operators behind many of the investment scam websites.<\/p>\n<h3>The Scale of the Investment Scam Population<\/h3>\n<p>Across the focused investment scam collection (the population shown in Figure 1 below), Infoblox has analyzed:<\/p>\n<ul class=\"list-spacing\">\n<li>More than 236,000 distinct SLDs with DCloud-built investment scams have been launched since mid 2022, hosted across numerous providers.<\/li>\n<li>From 2022 to the present, hundreds of thousands of scam websites were built with DCloud but we see the steepest growth following the late-2024 public attention around RainbowEx. <\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image1.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 1. Distinct DCloud-built investment scam second-level domains observed over time, broken down by hosting operator: 236,493 total second-level domains from 2022 to 2026. 
The red dashed line marks October 2024, when the RainbowEx\u2013DCloud connection became public.<\/p>\n<p>Before October 2024, when the RainbowEx story broke internationally, there were a few thousand DCloud-fingerprinted scam sites observed per month, with steady growth from a small base. After October 2024, that figure jumped to roughly 15,000 newly observed sites per month at peak. The framework appears to have become a known platform within the scam-operator ecosystem due to the coverage it received by major news outlets.<\/p>\n<p>We are currently tracking two related but distinct populations of DCloud-fingerprinted sites. First is the broader population: sites carrying the DCloud Uni-App framework\u2019s basic fingerprints. This group goes back to 2021 and includes both legitimate Chinese businesses and malicious operations. The second group is an investment scam-specific subset and is what we\u2019re showing in Figure 1. We identified these domains using additional fingerprints tied to the DCloud investment scam templates themselves (which appear to be sold privately between operators rather than distributed through any public DCloud channel). The actors started using these domains in mid-2022. <\/p>\n<p>Counterintuitively, the investment scam population is <em>larger<\/em> than what the simple DCloud framework fingerprint alone reveals, because more sophisticated operators have stripped the default DCloud scaffolding to evade fingerprint-based identification. However, we still caught them using additional scam-specific fingerprints. The shapes of both curves are very similar over time, which is itself a finding: the overwhelming majority of DCloud-fingerprinted sites we observe are some form of investment scam or related fraud. 
The rest of this report focuses on the investment scam subset specifically.<\/p>\n<h3>A Taxonomy of DCloud-Built Scams<\/h3>\n<p>The most important thing to understand about the DCloud-built scam websites is that there is not a single threat actor behind them all, although there are patterns that point to significant swaths of the sites being centrally controlled. We know there are multiple unrelated operators running DCloud scam websites\u2014quite possibly dozens, even hundreds. But when these sites are further analyzed, specific technical fingerprints, communication methods to victims, hosting decisions, and other details indicate that there is some centralized control of a large portion of the scam sites using DCloud.<\/p>\n<p>We have clustered the scams into roughly the following families, based on visual and technical examinations of a large sample of the population.<\/p>\n<p><strong>Fake crypto exchanges and &#8220;deposit-and-trade&#8221; platforms.<\/strong> This is the largest category of scam sites by a significant margin. These platforms impersonate well-known exchanges or invent fictional ones, present a registration flow typically with an \u201cinvite code\u201d to limit signups, accept deposits in Tether or other stablecoins (some even accept Zelle or other traditional payment methods) and display fictional trading activity until the victim attempts to withdraw funds. RainbowEx is the most prominent example of these fake investment sites. Sites in this category often impersonate genuine financial brands: HKEX (Hong Kong Exchanges), Nasdaq, Tesla-themed crypto programs, or generic names like &#8220;DawnEX&#8221; or &#8220;CoinexPro&#8221; designed to evoke real exchanges without infringing on real brands. See Figures 2 and 3.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image2.jpg\"><\/p>\n<p class=\"image-caption\">Figure 2. 
Screenshot of a DCloud-built site (hkxiu[.]com) impersonating the Hong Kong Stock Exchange (&#8220;HKGX&#8221;), using the brand &#8220;Hong Kong Gold Exchange&#8221; to evade direct trademark identification <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image3.jpg\"><\/p>\n<p class=\"image-caption\">Figure 3. Screenshot of a DCloud-built site impersonating Nasdaq (nasdaqpro[.]top), and using stock footage of the Nasdaq closing bell ceremony to project legitimacy <\/p>\n<p><strong>Crypto wallet drainers.<\/strong> These sites present a &#8220;verify your wallet&#8221; or &#8220;connect your wallet&#8221; prompt\u2014sometimes claiming to be official BNB Chain, Tether, or other crypto-platform verification flows\u2014and then drain any wallet that connects. See Figure 4.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image4.jpg\"><\/p>\n<p class=\"image-caption\">Figure 4. Screenshot from bepviews[.]com, a DCloud-built wallet drainer impersonating BNB Chain verification flows; the &#8220;Verify Asset&#8221; button initiates a wallet drain<\/p>\n<p><strong>Prediction-market and gambling impersonations.<\/strong> Clones of Polymarket-style prediction markets (Figure 5), or fake casinos and lottery platforms are becoming more common. An informal term for these websites is &#8220;scambling&#8221; (scam gambling), referring to gambling sites where the operator simply does not pay out winnings (Figure 6). There\u2019s been an increase in these since Brian Krebs published a <a href=\"https:\/\/krebsonsecurity.com\/2025\/07\/scammers-unleash-flood-of-slick-online-gaming-sites\/\" target=\"_blank\">prominent article<\/a> on scambling in July 2025. <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image5.jpg\"><\/p>\n<p class=\"image-caption\">Figure 5. 
Screenshot of polymk[.]com, a DCloud-built clone of the prediction-market platform Polymarket<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image6.jpg\"><\/p>\n<p class=\"image-caption\">Figure 6. Screenshot of a DCloud-built Portuguese-language &#8220;scambling&#8221; site (mango-cleopatrapg[.]com), which is mobile-optimized and targets Portuguese and Spanish speakers<\/p>\n<p><strong>WhatsApp and messaging platform phishing.<\/strong> It is somewhat common to find templates across the DCloud ecosystem that are designed to extract credentials by impersonating WhatsApp\u2019s &#8220;Security Help Center&#8221; or similar trust-evoking interfaces. These seven WhatsApp-themed scam domains (&#8220;whats-zwp[.]vip&#8221;, &#8220;whats-zrs[.]vip&#8221;, &#8220;whats-zef[.]vip&#8221;, &#8220;whats-zea[.]vip&#8221;, &#8220;whats-zus[.]vip&#8221;, &#8220;whats-zei[.]vip&#8221;, &#8220;whats-zen[.]vip&#8221;) were used in attacks over the last year. We also saw faq-whatsapp-center[.]com, a slight variation we show in Figure 7. <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image7.jpg\"><\/p>\n<p class=\"image-caption\">Figure 7. Screenshot of a DCloud-built WhatsApp phishing template (faq-whatsapp-center[.]com), presenting itself as a WhatsApp &#8220;Help Center&#8221; verification flow<\/p>\n<p><strong>Generic template phishing and credential collection.<\/strong> Many DCloud-built scam sites are not visually distinctive at all\u2014they include simple login and registration pages with a stock background photo, and a few contact or social media links on the pages. The site lsscol[.]com from Lightning Shared Scooter Co. (LSSC) is the single most accessed DCloud-fingerprinted scam in our visible population. 
Over 50 distinct Infoblox enterprise customers had devices that tried to reach this site, and it shows nothing more than a user login form.<\/p>\n<p>lsscol[.]com was one of the main domains used by the LSSC scam last year. Numerous sources including <a href=\"https:\/\/www.bbb.org\/article\/warnings\/32252-bbb-warning-pyramid-scheme-masquerading-as-scooter-investment\" target=\"_blank\">The Better Business Bureau<\/a>, the <a href=\"https:\/\/fcnb.ca\/en\/news-alerts\/caution-lightning-shared-scooter-co-lssc\" target=\"_blank\">Financial and Consumer Services Commission of New Brunswick<\/a>, and the <a href=\"https:\/\/www.ag.state.mn.us\/Office\/Communications\/2025\/07\/23_ElectricScooterScam.asp\" target=\"_blank\">Minnesota Attorney General\u2019s office<\/a> confirmed that <a href=\"https:\/\/www.bbb.org\/scamtracker\/lookupscam\/1029523\" target=\"_blank\">lsscol[.]com<\/a> and <a href=\"https:\/\/www.bbb.org\/scamtracker\/lookupscam\/975469\" target=\"_blank\">lssc[.]ltd<\/a> were used by the LSSC scooter rental pyramid investment scam last year in the U.S., along with a domain used to target Canadian investors, lssc-canada[.]ca.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image8.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 8. Screenshot of lsscol[.]com, a generic DCloud-built credential-collection page. It&#8217;s been visited by devices belonging to 50 distinct enterprise customers across multiple industries.<\/p>\n<h3>From Argentina to America: When Scam Sites using DCloud Impact Main Street<\/h3>\n<p>As detailed above, there is a wide range of scams that cybercriminals build using the DCloud framework. One such scam\u2014the &#8220;deposit a small amount, watch your money grow, recruit your friends&#8221; investment scam\u2014has been the most adaptable and the most successful at crossing languages and geographic boundaries. 
<\/p>\n<p>The Argentine RainbowEx case is an investment scam using DCloud that the international press has covered very thoroughly. In the United States, the same playbook has now manifested twice in publicly known operations: first in the LSSC scooter sharing investment scam that scaled into a major federal\u2013and\u2013state fraud investigation last year, and second in a bicycle sharing investment-themed scam that is actively recruiting victims right now under a U.K.-registered corporate front with a genuine U.S. federal money-services license.<\/p>\n<h4>Lightning Shared Scooter Co.: The Biggest Scooter Investment Scam in the U.S.<\/h4>\n<p>Between mid-2024 and August 2025, an operation called Lightning Shared Scooter Co. (LSSC) recruited investors across the United States with a pitch nearly identical to RainbowEx\u2019s, but localized for an American audience. Investors were told they could earn passive income by funding a high-tech scooter-sharing company &#8220;based in Hong Kong,&#8221; log into an app at night, hit a button to &#8220;run&#8221; their scooters, and watch the money in their accounts tick up. The promised returns were extraordinary. Unlike the Argentine version, LSSC had a physical-world legitimacy layer: it opened storefronts in <strong>at least eight U.S. cities<\/strong>, filled them with sleek black scooters that actually worked, and filed state-level incorporation paperwork.<\/p>\n<p>According to NBC News\u2019s <a href=\"https:\/\/www.nbcnews.com\/news\/us-news\/electric-scooter-scam-lightning-shared-scooter-co-investors-rcna226832\" target=\"_blank\">August 2025 investigation<\/a> of the scheme, the pitch attracted endorsements from small-town mayors, police officers, and a U.S. Army lieutenant colonel. Former White House Press Secretary Sean Spicer appeared to mention the company on Cameo. (Spicer told NBC his recording was intended for an individual, not for promotional use.) 
In Cleveland, Mississippi, their police department went so far as to give away four LSSC scooters as prizes to local schoolchildren, and a video circulated of a Cleveland officer inside the LSSC storefront declaring, &#8220;LSSC is not a scam. This is actual proof that this is real.&#8221; (<a href=\"https:\/\/www.facebook.com\/marie.joseph.5623\/videos\/for-the-doubters-for-those-who-said-lssc-is-a-scam\/1111983930732612\/\" target=\"_blank\">Facebook video of officer endorsement<\/a>, starts at ~8:20).<\/p>\n<p>But LSSC was not real. By August 2025, Salinas, California police had identified <strong>more than five dozen victims in their jurisdiction alone whose combined losses totaled over $370,700<\/strong>. Arlington County, Virginia officer Kyle Hoffman, working with the FBI\u2019s Richmond field office, estimated total U.S. losses to be &#8220;easily in the millions.&#8221; The Better Business Bureau, after receiving complaints from victims in 20 states, formally labeled LSSC a pyramid scheme. NBC News interviewed a dozen victims who collectively injected more than $190,000 into the operation. Individual losses ranged from smaller amounts all the way into the six figures.<\/p>\n<p>Victims interviewed by NBC described experiences that followed the broader investment scam template. 
Patricia Livingstone, a Philadelphia group-home manager who lost approximately $11,000, said the daily required trading routine her LSSC &#8220;manager&#8221; imposed left her feeling like she was &#8220;in a cult, like a zombie.&#8221; Tah-Ming Lee, who rented a Sandy Springs, Georgia office for LSSC meetings, said he and his recruits eventually suspected they were communicating with an automated chat handler: &#8220;We thought all these managers were AI.&#8221; Both observations match the broader scam site funnel: daily engagement requirements that gamify the experience, combined with scripted or increasingly automated off-platform chat handlers that scale recruiter-to-victim ratios well beyond what any human operation (even if they use slave labor) could sustain.<\/p>\n<p>The financial\u2013fraud mechanics of LSSC closely align with other known investment scams. Investors deposited around $2k each by Zelle or Cash App, watched the amount converted into &#8220;cryptocurrency&#8221; inside the LSSC app, observed fictional daily revenue accumulate, and were eventually unable to withdraw. When withdrawal failures became widespread, the operators asked members to pay a <strong>&#8220;$75 account verification fee&#8221;<\/strong> to release funds\u2014a last-ditch effort to scam their victims. After the scam collapsed, a successor pitch named &#8220;New LSSC&#8221; circulated, demanding that members invite <strong>30 new users<\/strong> to qualify for &#8220;priority refund processing.&#8221;<\/p>\n<p>The original LSSC frontends are now offline, but we are nonetheless able to confirm that LSSC was using DCloud frameworks on their website and apps. 
Yale Privacy Lab researcher Sean O&#8217;Brien, who reviewed the LSSC Android app for NBC News at the time the scam was still active, shared additional artifacts from his analysis with Infoblox researchers, including captured screenshots of the now-defunct lsscapp[.]com landing page (Figures 9 and 10) and a decompiled AndroidManifest.xml from the LSSC Android application (Figure 11). The manifest contains the DCloud Uni-App framework\u2019s characteristic package naming convention and application class.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image9.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 9. Screenshot of the now offline lsscapp[.]com landing page, captured by Sean O\u2019Brien (Yale Privacy Lab) during the active period of the LSSC scam<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image10.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 10. Screenshot of a second variant of the lsscapp[.]com landing page with the scooter-and-rider character imagery used to give the operation visual legitimacy<\/p>\n<p>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;<br \/>\n&lt;manifest package=&quot;uni.UNI37480E2&quot;&gt;<br \/>\n &lt;application<br \/>\n     android:name=&quot;io.DCloud.application.DCloudApplication&quot;&gt;<br \/>\n   &lt;activity android:name=&quot;io.DCloud.WebviewActivity&quot;\/&gt;<br \/>\n   &lt;activity android:name=&quot;io.DCloud.WebAppActivity&quot;\/&gt;<br \/>\n   &lt;activity android:name=&quot;io.DCloud.ProcessMediator&quot;\/&gt;<br \/>\n   [&#8230;]<br \/>\n &lt;\/application&gt;<br \/>\n&lt;\/manifest&gt;<\/p>\n<p class=\"image-caption\">Figure 11. Excerpt from the AndroidManifest.xml of the LSSC Android app, shared by Sean O\u2019Brien. 
The package name (uni.UNI37480E2) follows DCloud\u2019s standard Uni-App build convention, and the Application class (io.DCloud.application.DCloudApplication) and Activity classes (io.DCloud.WebviewActivity, io.DCloud.WebAppActivity, io.DCloud.ProcessMediator) are DCloud framework components, i.e. LSSC\u2019s mobile app was built directly on the DCloud Uni-App stack.<\/p>\n<p>NBC News reported that when O\u2019Brien reviewed the LSSC app, he also found it laden with Chinese tech stack components (references to QQ, Taobao, Alibaba) and an Apple privacy policy whose title literally read <em>Untitled document<\/em> in Chinese. These features are consistent with a rapid-deployment template repurposed across operators.<\/p>\n<p>LSSC also promoted a related cryptocurrency platform called Lightning Exchange (&#8220;Lightning Coin&#8221; or LNC), traded through the site lightacer[.]com. <\/p>\n<p>The LSSC affiliate ecosystem published step-by-step tutorials walking new recruits through registration on the LNC trading platform: phone, password, invitation code, and graphic CAPTCHA (Figures 12 and 13). These tutorials and components form a registration shape that aligns precisely with the DCloud-built investment scam template we observe at scale. Unfortunately, there is limited historical data associated with the lightacer[.]com domain, so we cannot confirm the domain was set up with the DCloud framework.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image12.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 12. An archived &#8220;How to Get Started with LNC Lightning Coin&#8221; tutorial from a now-shuttered LSSC affiliate site (lssc-canada[.]ca), captured by <a href=\"https:\/\/web.archive.org\/web\/20250625173959\/https:\/lssc-canada.ca\/how-to-get-started-with-lnc-lightning-coin\/\" target=\"_blank\">the Wayback Machine<\/a>. 
The embedded mobile screenshot at the bottom of the page is the LNC trading platform (lightacer[.]com). <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image13.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 13. The standalone lightacer[.]com Create Account screen used by LSSC affiliates to onboard victims into the related &#8220;Lightning Coin&#8221; trading platform. The four-field invitation code, gated phone, and password registration with graphic CAPTCHA aligns precisely with the DCloud-built investment scam template observed across the broader population.<\/p>\n<h4>Yuechi Sharing Technology Ltd. (YST): Active 2026 Scooter Investment Scam<\/h4>\n<p>While LSSC was being investigated by the FBI and shut down across U.S. states, a structurally similar operation was being stood up under a different brand. Yuechi Sharing Technology Ltd. (YST) is <strong>currently live, <\/strong>primarily targeting Australia, New Zealand, and the United States, and has invested significant effort in establishing apparent regulatory legitimacy.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image14.jpeg\"><\/p>\n<p class=\"image-caption\"><em>Figure 14. Yuechi Sharing Technology Ltd. Branding with the acronym they use, \u201cYST\u201d<\/em><\/p>\n<p>We know of two domains that the Yuechi front appears to operate, though there could be more: ystl03106[.]top (the live recruitment platform, as of this writing) and ys904[.]top (its public-facing &#8220;anti-fraud notice&#8221; satellite). See Figures 15 and 16. Yuechi also runs a <a href=\"https:\/\/www.youtube.com\/@Yuechisharingtechnologyltd-l9v\" target=\"_blank\">YouTube channel<\/a>, <a href=\"https:\/\/x.com\/ystl63\" target=\"_blank\">an X (Twitter) account<\/a>, and a customer service chat backend (aqy.dot02ig[.]cfd). 
<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image15.jpg\"><\/p>\n<p class=\"image-caption\">Figure 15. Screenshot of the ystl03106[.]top login landing page (geographically targeted: the default telephone country code in this capture is +64, New Zealand). Note the robot chat link, YouTube, and X\/Twitter link in the upper-right, alongside an anti-fraud badge that links to a defensive anti-fraud notice on a sister domain, ys904[.]top.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image16.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 16. Screenshot of the ys904[.]top &#8220;Important Anti-Fraud Notice (Must Read)&#8221; landing page. The notice defends YS as a legitimate pyramid investment business and investment opportunity in the \u201cshared bicycle\u201d industry.<\/p>\n<p>We confirmed that the Yuechi frontend is built on the DCloud Uni-App framework and found connections between this investment scam and a network of other investment scam websites.<\/p>\n<p>What is novel about Yuechi, compared to most investment scams, is that their registration paperwork is real. The operators behind Yuechi obtained and prominently display two genuine government registrations:<\/p>\n<ul class=\"list-spacing\">\n<li><strong>A Hong Kong Certificate of Incorporation<\/strong> (Registration No. 77975280, issued 8 April 2025) for &#8220;\u8e8d\u99b3\u5171\u4eab\u79d1\u6280\u6709\u9650\u516c\u53f8&#8221;\/Yuechi Shared Technology Co., Ltd. a legitimate corporate registration with the <a href=\"https:\/\/www.cr.gov.hk\/docs\/wrpt\/RNC063_2025.04.07-2025.04.13.pdf\" target=\"_blank\">Hong Kong Companies Registry<\/a>. See Figure 17.<\/li>\n<li><strong>A U.S. FinCEN Money Services Business (MSB) registration<\/strong> (Registration No. 
31000300306222, initial registration filed 15 May 2025), listing an address in Manchester, UK (125 Deansgate, M3 2BY), an activity scope including all 50 U.S. states plus territories, and the business activities as money transmitter, money order, traveler\u2019s check, prepaid access, and check cashing activities. We confirmed the registration directly against the public <a href=\"https:\/\/www.fincen.gov\/resources\/msb-state-selector\" target=\"_blank\">FinCEN MSB Registrant Search, and show the result in Figure 18<\/a>.<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image17.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 17. The Hong Kong Companies Registry Certificate of Incorporation that Yuechi\u2019s operators rely on as a second legitimacy prop, issued 8 April 2025. The certificate confers no operational license; it documents that a limited company by that name was filed with the Hong Kong registrar.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image18.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 18. Yuechi\u2019s genuine FinCEN MSB registration record. The registration is real; the FinCEN page itself warns that registration is not an endorsement and &#8220;may be part of a scam or attempt to deceive consumers.&#8221;<\/p>\n<p>Neither registration confers any legitimacy on the underlying operation, and FinCEN is publicly aware that its registration process is sometimes being weaponized for exactly this purpose. Its own MSB Registrant Search page leads with an explicit warning: <em>&#8220;Fraudsters are using the Financial Crimes Enforcement Network\u2019s (FinCEN\u2019s) money services business (MSB) registration process to defraud the public. 
You should not trust a company only because it is listed on this Web page.&#8221;<\/em> FinCEN also published a <a href=\"https:\/\/www.fincen.gov\/sites\/default\/files\/2024-12\/Alert-FinCEN-Scams-FINAL508.pdf\" target=\"_blank\">December 2024 alert<\/a> on fraud schemes abusing the agency\u2019s name, insignia, and authorities for financial gain (Figure 19).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image19.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 19. The warning that opens <a href=\"https:\/\/www.fincen.gov\/resources\/msb-state-selector\" target=\"_blank\">the FinCEN MSB Registrant Search<\/a> page, explicitly stating that fraudsters are abusing the registration process. <\/p>\n<p>To a prospective victim being asked to give the operator money, a U.S. Treasury Department registration number with a corresponding entry in a federal database that anyone can look up is a strong signal of legitimacy. The YST site presents these credentials prominently, alongside text framing the operation as a &#8220;U.S.-authorized money services business \u2026 providing money remittance, currency exchange, check cashing, and cryptocurrency-related services.&#8221; The combination of real paperwork plus a publicly visible defensive &#8220;anti-fraud notice&#8221; is the operator\u2019s answer to the kind of skepticism LSSC ran into when investigations began.<\/p>\n<p>Yuechi is a convincing front, but fortunately, there are experts like independent investigator Danny De Hek, who was approached to join the Yuechi Sharing Technology Ltd (YST) investment scam in 2025. 
He went along with it and ended up documenting significant details about the scam lures and process in his report, \u201c<a href=\"https:\/\/www.dehek.com\/general\/how-i-got-approached-by-yuechi-sharing-technology-ltd-ys-and-uncovered-a-likely-ponzi-operation\/\" target=\"_blank\">How I Got Approached by Yuechi Sharing Technology Ltd (YST) and Uncovered a Likely Ponzi Operation<\/a>\u201d and the corresponding YouTube video, \u201c<a href=\"https:\/\/www.youtube.com\/watch?v=0eOhtFQT9YU\" target=\"_blank\">Yuechi Sharing Technology Ltd (YST) Rideshare Job Scam Using Motorbike App &amp; Passive Income Claims<\/a>.\u201d See Figure 20.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image20.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 20. Screenshot from independent investigator Danny De Hek\u2019s YouTube expos\u00e9 &#8220;Yuechi Sharing Technology Ltd (YST) Rideshare Job Scam Using Motorbike App &amp; Passive Income Claims,&#8221; documenting being approached by YST recruiters and walking through the recruitment funnel.<\/p>\n<h4>What the Current Yuechi Operation Looks Like to a Victim in 2026<\/h4>\n<p>The ystl03106[.]top frontend includes a phone number and password login, with a separate registration form that requires a phone number, a password, a graphic CAPTCHA, an SMS verification code, and an invitation code (Figure 21).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image21.jpg\"><\/p>\n<p class=\"image-caption\"><em>Figure 21. Screenshot of the Register form for the Yuechi investment website at <\/em>ystl03106[.]top<\/p>\n<p>The invitation code gate is common across investment scam websites: a prospective victim cannot create an account or reach the deposit screen without first being recruited by an existing affiliate. 
This requirement aligns with the fact that most operators seek to convert each victim into a recruiter who will then try to recruit their own friends, family, and co-workers to bring in more investments and build out the pyramid.<\/p>\n<p>If someone has trouble logging into the Yuechi website and reaches out to the customer support chat, a simple graphic is shared. It looks suspiciously similar to other \u201csupport graphics\u201d shared by seemingly unrelated investment scam websites using the DCloud framework (Figure 22).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image22.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 22. Screenshot of the Yuechi registration tutorial graphic distributed by the operator to onboard recruits, with a bicycle visual matching the &#8220;shared bike economy&#8221; cover story. The six-field registration shape (phone, password, confirm password, picture code, SMS verification, invitation code) is identical to that of other brands in the same operator cluster.<\/p>\n<p>When a victim hits any kind of failure inside the app (e.g., a registration error, a deposit hold, or a withdrawal block), the customer service handler funnels them to an off-platform branded chat with an &#8220;online customer service&#8221; operator. The chat\u2019s behavior matches what RainbowEx victims described to Argentine journalists: the operator is conversational, reassuring, persistent, and ultimately points the victim back at their &#8220;recommender teacher&#8221; (the upline referrer who recruited them) to handle anything substantive. We engaged with the Yuechi chat operators to confirm this behavior, as shown in Figure 23 below.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image23.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 23. 
Screenshot of the &#8220;Online customer service&#8221; chat after a verification-code failure. The script &#8220;Hello, please contact your recommender teacher to verify and deal with it for you&#8221; is extremely similar to the customer service responses victims of related operations have described and funnels prospective victims back through the recruiter.<\/p>\n<h4>Yuechi Investment Site Aligns to Other Active Investment Scam Websites<\/h4>\n<p>Yuechi is just one of many investment scams online right now that are using the DCloud framework, but it shares technical fingerprints with other sites, indicating a centralized operator.<\/p>\n<p>Two additional websites that are hosting investment scams and using the DCloud framework, xaai3xj[.]com and xaaitbb[.]com, are marketed publicly as &#8220;XAEL-AI.&#8221; They are nearly identical from a code perspective, and their operations also share similar graphics when a user has a problem logging into their sites.<\/p>\n<p>Both brand websites contain hard-coded operator identifiers that act as a high-confidence operator signature: a 29-language localization pack that includes unusual diaspora-targeted languages (Haitian Creole, Kinyarwanda, Albanian, Uzbek) alongside the more typical English, Spanish, and Mandarin set; and failure message strings throughout the application that funnel victims to an off-platform branded customer service chat whenever a withdrawal, deposit, or activation fails. The chat backend reachable from XAEL-AI is the same technical setup as the chat backend reachable from the Yuechi website.<\/p>\n<p>XAEL-AI dresses the same engine in different clothes: an &#8220;AI investment&#8221; narrative instead of a futuristic bicycle investment platform. But the registration flow is identical to Yuechi\u2019s. 
And if you have a problem and reach out to their chat, an image very similar to that seen previously on the Yuechi portal is shared (see Figure 24).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image24.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 24. Screenshot of the XAEL-AI brand registration tutorial with an identical six-field shape to YST (Figure 22).<\/p>\n<h3>The Hosting Layer<\/h3>\n<p>Most DCloud-built investment scam infrastructure runs on legitimate hosting providers. The four largest operators visible across the population are Cloudflare, Alibaba Cloud, Tencent Cloud, and Amazon Web Services, the same hyperscalers that host hundreds of thousands of legitimate businesses. Scam operators use them for the same reasons everyone else does: They\u2019re inexpensive, reliable, easy to spin up, and difficult for victims to distinguish from any other site.<\/p>\n<p>The pattern of legitimate-host abuse is the dominant signal in the dataset. Across the visible population, roughly 94% of identified investment scam SLDs resolve to ASNs that also host vast volumes of legitimate web traffic. Defenders cannot simply block these providers; blocking has to happen at the domain level. Hosting alone is not a useful signal.<\/p>\n<p>The minority of the population that does not run on legitimate hosts is where things become much more interesting.<\/p>\n<p>Using the <a href=\"https:\/\/www.spamhaus.org\/drop\/\" target=\"_blank\">Spamhaus DROP ASN list<\/a>, which identifies autonomous systems with high concentrations of malicious activity and bulletproof-hosting characteristics, we flagged approximately <strong>6% of visible DCloud-built investment scam SLDs as bulletproof-hosted.<\/strong> These 1,024 sites have collectively received over 320,000 enterprise DNS queries since mid-2022 and reached roughly 265 distinct enterprise customers. 
The BPH segment is smaller in volume than the legitimately hosted majority, but it is particularly interesting because the operators of these sites appear to have made efforts to hide other fingerprints.<\/p>\n<p>And within that 6%, one provider dominates completely: CTG Server.<\/p>\n<h3>CTG Server: a Name That Keeps Appearing in Threat Investigations<\/h3>\n<p>Within the bulletproof-hosted slice of the DCloud-built investment scam population, <strong>AS152194 CTG Server Limited (myctgs[.]com)<\/strong>, registered in Hong Kong, appears with overwhelming frequency. Of the twenty top-ranked bulletproof-hosted SLDs we\u2019ve seen among our cloud customers, nineteen are on CTG Server.<\/p>\n<p>CTG Server is well known to threat researchers and is listed in <a href=\"https:\/\/www.spamhaus.org\/drop\/asndrop.json\" target=\"_blank\">the ASN droplist<\/a> from Spamhaus, a listing that encourages legitimate organizations not to peer or associate with the company. The provider has been <a href=\"https:\/\/www.securityweek.com\/triad-nexus-evades-sanctions-to-fuel-cybercrime\/\" target=\"_blank\">previously documented<\/a> hosting Chinese-affiliated scam infrastructure across multiple unrelated campaigns for pig-butchering operations, cryptocurrency fraud, fake e-commerce platforms, fake casinos used for money laundering, and related categories that are increasingly the focus of international law enforcement scrutiny. 
<a href=\"https:\/\/www.greynoise.io\/blog\/christmas-scanning-campaign-fuel-2026-attacks\" target=\"_blank\">Multiple<\/a> <a href=\"https:\/\/assets.recordedfuture.com\/insikt-report-pdfs\/2026\/cta-2026-0319.pdf\" target=\"_blank\">distinct<\/a> <a href=\"https:\/\/siembiot.eu\/en\/cyber-security-news\/new-silver-fox-campaign-hides-valleyrat-inside-fake-telegram-chinese-language-pack-installer\/81338\" target=\"_blank\">threat<\/a> operators favor CTG Server as a backend, suggesting that whatever the provider offers, likely some combination of low cost, lax content policy, and resistance to abuse complaints, has become a de facto standard for Chinese-language and Chinese-affiliated fraud operations.<\/p>\n<h3>When DCloud Operators Try to Hide<\/h3>\n<p>Not every DCloud-built investment scam site carries the default DCloud framework fingerprint. Some operators have stripped or modified the code in what appears to be a deliberate attempt to evade fingerprint-based identification. Infoblox tracks two distinct tiers in the population: the <strong>vanilla<\/strong> tier, which consists of operators who left the DCloud framework\u2019s default scaffolding intact, and the <strong>evasive<\/strong> tier, which consists of operators who\u2019ve removed it. Both tiers behave identically as scams. The only difference is whether the operator made an effort to be harder to find.<\/p>\n<p>Their infrastructure, however, tells a different story. Sites in the evasive tier, where operators took the trouble to obscure the framework signature, run on bulletproof hosting at roughly <strong>double the rate<\/strong> of the vanilla tier. In a typical month, the vanilla tier shows a 5\u201310% bulletproof share, while the evasive tier sits at 14\u201317%, with occasional months spiking to 25\u201330%. See Figure 25.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image25.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 25. 
Bulletproof hosting share over time for vanilla operators (default fingerprints intact) versus evasive operators (fingerprints stripped). The evasive tier sporadically runs at roughly twice the BPH share of vanilla.<\/p>\n<p>The interpretation is straightforward: Operators sophisticated enough to recognize and strip framework fingerprints are also operators sophisticated enough to seek out infrastructure providers that resist takedown requests. The two behaviors tend to go hand in hand. Conversely, the cheapest and least sophisticated operators, those who download a template and deploy it as-is, are also the most likely to be using mainstream hosting, where they are simultaneously easier to identify and easier to remove. <\/p>\n<p>This split matters for defenders. It means that the easy-to-track infrastructure of this DCloud ecosystem represents the cheap, replaceable layer. The harder-to-track tier is smaller, but materially more durable and likely to stay online longer.<\/p>\n<h3>Enterprise Exposure: Who is Reaching These Sites from Work?<\/h3>\n<p>The visible population, the subset of DCloud-built investment scam domains that one or more Infoblox enterprise customers have queried at least once since January 2024, comprises <strong>just over 18,000 SLDs.<\/strong> Across them, <strong>approximately 985 distinct enterprise customers<\/strong> had devices that tried to connect to DCloud-built investment scam infrastructure. These customers operate across <strong>25 industry verticals<\/strong>, ranging from the smallest measured exposure (Agriculture, with a single affected customer) to the largest by count (Government, with over 100).<\/p>\n<p>The volume per site is small, but as Figure 26 shows, the aggregate is not.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image26.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 26. 
Aggregate enterprise DNS query volume to DCloud-built investment scam infrastructure, by industry vertical. Log scale; values have been rounded to indicate magnitude rather than precise counts.<\/p>\n<p>In total, the visible DCloud-built investment scam population is the destination of <strong>more than five million enterprise DNS queries.<\/strong> Roughly a quarter of that total volume comes from the top 500 highest-impact SLDs; the remaining three quarters come from the long tail of over 17,500 SLDs, which individually generate only modest activity but collectively account for the bulk of exposure. Food and Beverage shows the largest aggregate query volume by a wide margin, driven primarily by a single high-volume site (the LSSC scam), followed by Banking, Government, IT Consulting, Education, and Financial Services (Figure 27).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image27.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 27. The same industry breakdown as Figure 25, split by hosting category. The BPH share (red) is small but consistently present, with Banking showing the largest absolute BPH-hosted query volume.<\/p>\n<p>The distribution is most notable. <strong>No single DCloud-built investment scam domain received more than approximately 20,000 enterprise queries from any single customer.<\/strong> These are not high-volume websites for any one organization. The traffic comes from individual employees, on personal devices brought to work or on corporate networks during off-hours, trying to reach scam sites one or two times, most likely after receiving a link via WhatsApp, Telegram, social media, or messaging. 
The aggregate enterprise exposure is the sum of tens of thousands of these individual small volume contacts.<\/p>\n<p>The vertical pattern in the data closely matches the industries where employees commonly use mobile devices on corporate Wi-Fi, where bring-your-own-device policies are permissive, and where consumer-targeted scam content is most likely to be encountered during personal browsing. The exposure is likely not the result of enterprise targeting. It is the result of consumer targeting that happens to leak into corporate telemetry through the personal lives of corporate employees.<\/p>\n<h3>Disruptions and Recoveries Allude to a Centralized Operator<\/h3>\n<p>The longitudinal picture of DCloud-built investment scam infrastructure shows two pronounced declines during the past twelve months. In late July through September 2025, the visible monthly active SLD count dropped from approximately 14,000 to under 5,000, a decline of roughly two thirds over six weeks. After a partial recovery through autumn 2025, a second decline beginning in late January 2026 took the visible count from roughly 8,500 to under 5,000 again, before another partial recovery. See Figure 28.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dcloud-uni-app-image28.jpeg\"><\/p>\n<p class=\"image-caption\">Figure 28. Monthly active DCloud-built investment scam SLDs from January 2025 to the present, broken down by hosting operator. Two distinct declines are visible: a sharp drop from July to September 2025, and a second drop beginning in January 2026.<\/p>\n<p>These drops do not appear to be the result of any change in our detection methodology, nor any visible shift in DCloud framework adoption itself. 
The most consistent explanation is <strong>disruption of the operator base or its backend infrastructure<\/strong> during these windows.<\/p>\n<p>There were disruptions during this period against scam center compounds, and certain operators of pig butchering schemes, but we haven\u2019t been able to definitively tie any specific disruptions to these drops in active domains.<\/p>\n<h3>What DCloud Means for Defenders<\/h3>\n<p>DNS protection is well-suited to the shape of this threat: the operators are decentralized and short lived, the victims are individual users on personal or work devices, and the targets are domains that, by their nature, must be reachable from the open internet to function as scams at all. Blocking the scam hosts at the DNS layer interrupts the scam before the user reaches the page, regardless of which messaging platform, social network, or other social engineering scheme delivered them there.<\/p>\n<p>For defenders generally, the practical implications are these.<\/p>\n<p><strong>This is a consumer fraud problem with enterprise consequences. <\/strong>Employees are the victims, not the network. Detection focused on enterprise targeting will miss this entirely. The signature is in volume, many distinct domains, each with light per-employee touch, rather than concentration on any one indicator.<\/p>\n<p><strong>Awareness training should match the geography and the social context. <\/strong>Pig butchering, fake exchange, fake marketplace, and now physical storefront backed &#8220;passive income&#8221; scams are the dominant categories, with strong concentration in Mandarin, Spanish, Portuguese, and English-language variants. The LSSC case shows that scams in this family can recruit through churches, co-workers, family WhatsApp groups, and small-town civic figures, channels conventional employee phishing training does not address. 
Training that covers consumer-fraud patterns and pyramid-investment recruitment, not just enterprise-targeted phishing, will be materially more useful.<\/p>\n<p><strong>Government registration is not vetting or any sort of government approval. <\/strong>The Yuechi Sharing Technology Ltd. case demonstrates that operators are now willing to file paperwork with the U.S. Treasury Department and Hong Kong Companies Registry as part of the legitimacy construction effort. A FinCEN MSB registration number, by itself, says only that someone filed a form. The presence of registration paperwork in an investment pitch is not a defense and may in fact, if aggressively shown to users, be a red flag.<\/p>\n<p><strong>Law Enforcement needs to double down on tracking DCloud scam websites. <\/strong>For the last two years there\u2019s been a dramatic scaling up of scam websites using the DCloud framework, and operators of these sites continue to launch complex real-world schemes to trick victims. It\u2019s overdue to holistically track threat actors operating in this ecosystem and attempt to identify commonalities that indicate shared ownership of the sites. We also need more attention on the Bulletproof Hosting Provider CTG Server ASN, which continues to rent IPs to a wide range of Chinese threat actors. <\/p>\n<h3>Indicators<\/h3>\n<p>The following is a representative, not exhaustive, selection of SLDs from across the DCloud-built scam ecosystem covered in this report, grouped by category. 
The list of indicators is also available in our <a href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\" target=\"_blank\">open Github repository.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In 2024, a small Argentine town called San Pedro became the focus of international press coverage after thousands of residents (approximately 20% of the total population), including the chief of police and members of the city council, discovered that a cryptocurrency platform they had invested in and been promoting was a coordinated scam. The platform, [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":13778,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[1749,1750,1215,1222,1751,332,1752,1753,1754,1755,1756,307,1757,1758,1759],"class_list":{"0":"post-13776","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-dcloud","9":"tag-uni-app","10":"tag-investment-scam","11":"tag-pig-butchering","12":"tag-crypto-fraud","13":"tag-china","14":"tag-rainbowex","15":"tag-lssc","16":"tag-scam-infrastructure","17":"tag-bulletproof-hosting","18":"tag-wallet-drainer","19":"tag-phishing","20":"tag-fraud-as-a-service","21":"tag-mobile-fraud","22":"tag-scam-template","23":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>DCloud Uni-App: One Framework, 236,000+ Scam 
Sites<\/title>\n<meta name=\"description\" content=\"How a Chinese open-source framework fuels 236,000+ scam sites across major cloud providers and bulletproof hosts, spread via social engineering.\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/from-san-pedro-to-salinas-how-a-chinese-framework-dcloud-uni-app-powers-a-global-scam-economy\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-25T12:58:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-25T15:26:16+00:00\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->"}