What Happened
New findings from Infoblox show that more than 236,000 websites are running investment scam templates built on DCloud Uni-App, a legitimate Chinese open-source, cross-platform application development framework. The templates power bogus cryptocurrency exchanges, multi-language pig-butchering operations, WhatsApp phishing networks, fake gambling platforms, brand-impersonation
Why It Matters
Infoblox reports that threat actors are abusing the legitimate DCloud Uni-App cross-platform development framework to mass-produce more than 236,000 scam and phishing websites, including fake cryptocurrency exchanges, multi-language pig-butchering operations, WhatsApp phishing networks, gambling impersonation, brand impersonation, and crypto wallet drainers[1][3]. The framework itself is not malicious, but standardized scam templates built on it let criminals rapidly spin up convincing fraudulent sites across many hosting providers at global scale[2][4]. From a CyberSE.AI perspective, this illustrates how powerful developer and automation frameworks can be weaponized as attack infrastructure, much as AI code-generation or low-code tools could be used to industrialize fraud and phishing; it is therefore critical to monitor how such tooling appears in your supply chain and threat surface. Organizations should treat these template-driven ecosystems as a persistent, adaptive adversary: use continuous red teaming and AI-informed threat intelligence to detect template reuse, harden user-facing flows against investment and crypto scams, and formalize policies for assessing a
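As an added illustration of the "detect template reuse" point above (this is not code from Infoblox, DCloud or the source article), the script below shows one way a defender could fingerprint scam sites that share a kit. It reduces each HTML page to a structural skeleton of tag names plus a few layout attributes, hashes overlapping shingles of that skeleton, and groups pages whose shingle sets overlap strongly. Two pages built from the same template then cluster together even when their language, branding and text differ. The sample pages, their class names and the 0.6 similarity threshold are constructed for this example and are not taken from any real DCloud Uni-App markup.

```python
"""Structural fingerprinting to spot reuse of a scam-site template.

Added example, not Infoblox's or DCloud's code. Only the Python standard
library is used, so it runs offline on the constructed sample pages below.
"""
from html.parser import HTMLParser
from hashlib import sha1
from itertools import combinations

# Attributes that tend to survive re-skinning of a template; their values are
# kept so that structure is compared, while translated text and swapped logos
# (which live in text nodes, src and href) are ignored.
KEEP_ATTRS = {"class", "id", "name", "type"}


class SkeletonParser(HTMLParser):
    """Collect a flat token stream describing document structure only."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for key, value in sorted(attrs):
            if key in KEEP_ATTRS and value is not None:
                parts.append(f"{key}={value}")
        self.tokens.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def skeleton(html):
    """Return the ordered list of structural tokens for one page."""
    parser = SkeletonParser()
    parser.feed(html)
    return parser.tokens


def fingerprint(html, k=4):
    """Set of hashed k-token shingles over the page skeleton."""
    toks = skeleton(html)
    if len(toks) < k:  # very small pages still get one shingle
        toks = toks + ["<pad>"] * (k - len(toks))
    return {sha1(" ".join(toks[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(toks) - k + 1)}


def jaccard(a, b):
    """Similarity of two shingle sets in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_by_template(pages, threshold=0.6):
    """Group page names whose fingerprints are at least `threshold` similar
    (union-find over all pairs); returns sorted lists of sorted names."""
    fps = {name: fingerprint(html) for name, html in pages.items()}
    parent = {name: name for name in pages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(pages, 2):
        if jaccard(fps[a], fps[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in pages:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample pages: two "kit" pages with identical structure but
# different language and branding, and one unrelated hand-written page.
KIT = """<html><head><title>{title}</title></head><body>
<div class="kit-app"><div class="kit-head"><h1>{heading}</h1></div>
<div class="kit-body"><form id="login"><input type="text" name="user">
<input type="password" name="pass"><button type="submit">{button}</button></form>
<div class="ticker"><span class="coin">BTC</span><span class="coin">ETH</span></div>
</div></div></body></html>"""

SAMPLE_PAGES = {
    "exchange-en": KIT.format(title="FastCoin", heading="Trade now", button="Sign in"),
    "exchange-es": KIT.format(title="MonedaRapida", heading="Opera ahora", button="Entrar"),
    "unrelated": ("<html><head><title>Bakery</title></head><body><p>Hello</p>"
                  "<ul><li>Bread</li><li>Cake</li></ul></body></html>"),
}

if __name__ == "__main__":
    for group in cluster_by_template(SAMPLE_PAGES):
        print("same template:", ", ".join(group))
```

On the sample input the two exchange pages cluster together and the bakery page stands alone. In practice the shingle sets would be stored per crawled domain so that a newly observed site can be matched against known kit fingerprints, and the threshold tuned against a labelled set of known-kit and benign pages.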
CyberSE Analysis
This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/236000-dcloud-uni-app-sites-used-in.html