New findings unearthed by Infoblox show that more than 236,000 websites are using investment scam templates built using a legitimate Chinese open-source, cross-platform application development framework called DCloud Uni-App.

The templates power bogus cryptocurrency exchanges, multi-language pig-butchering operations, WhatsApp phishing networks, fake gambling platforms, brand-impersonation sites, and crypto wallet drainers. A total of 236,493 distinct second-level domains have been identified by the DNS threat intelligence company.

“For the last two years, there’s been a dramatic scaling up of scam websites using the DCloud framework, and operators of these sites continue to launch complex real-world schemes to trick victims,” Infoblox said in an exhaustive report published last week.

It’s being assessed that unknown threat actors are selling DCloud investment scam templates, although there are indications of centralized ownership across a significant chunk of the DCloud-built investment scam websites.

This assessment is based on drops in new domain registrations observed across scam websites on diverse hosts, raising the possibility that a centralized party is either facing disruption or making coordinated changes to its DCloud investment scam sites. Other signs include specific technical fingerprints, the methods used to communicate with victims, and hosting decisions.

Among the identified domains is the infamous RainbowEx platform, a bogus cryptocurrency exchange that made headlines in late 2024 for operating a Ponzi scheme that impacted tens of thousands of people living in San Pedro, Argentina. Later that year, seven people linked to the operation were arrested by law enforcement authorities.

While the use of DCloud itself is not an indicator of malicious intent, Infoblox said the scam sites share some common traits: fake brokerage interfaces, cryptocurrency wallet-drainer prompts, gambling interfaces with rigged outcomes, brand-impersonation storefronts, and bulletproof hosting (BPH).

The rogue domains span every continent, target speakers of at least eight languages, and masquerade as brands ranging from major stock exchanges to retail giants to messaging platforms, the company said. The fraudulent operations have been ongoing since mid-2022. From the DCloud-fingerprinted sites, two related but distinct populations have emerged –

  • Sites carrying the DCloud Uni-App framework’s basic signatures that go back to 2021 and include both legitimate Chinese businesses and malicious operations
  • An investment scam-specific subset that has been active since mid-2022

“Counterintuitively, the investment scam population is larger than what the simple DCloud framework fingerprint alone reveals, because more sophisticated operators have stripped the default DCloud scaffolding to evade fingerprint-based identification,” Infoblox noted.

The second set of DCloud scam websites is run by multiple unrelated operators, comprising a wide variety of fraudulent schemes –



Last Update: June 29, 2026