From San Pedro to Salinas: How a Chinese Framework “DCloud Uni-App” Powers a Global Scam Economy
A Chinese web-development framework called DCloud Uni-App has become the technical foundation for over 236,000 scam domains since 2022, powering fake cryptocurrency exchanges, pig-butchering operations, wallet drainers, gambling platforms, and brand-impersonation sites. The framework gained prominence after the 2024 RainbowEx cryptocurrency scam in Argentina, which defrauded residents of San Pedro. Similar operations include the Lightning Shared Scooter Co. (LSSC) scam in the United States, which caused millions in losses across multiple states, and the currently active Yuechi Sharing Technology Ltd. bicycle-sharing investment scam. These operations use legitimate hosting providers, with approximately 6% utilizing bulletproof hosting, particularly CTG Server. The scams target victims globally through WhatsApp, Telegram, and social media, converting victims into recruiters for pyramid-style operations. Enterprise exposure reaches over 985 distinct organizations across 25 industry verticals, with over five m...
AI Analysis
Technical Summary
This campaign involves the widespread abuse of the DCloud Uni-App web-development framework to create and host a large volume of scam domains engaged in various fraudulent activities, including cryptocurrency and investment scams. The framework itself is not described as vulnerable; rather, it is leveraged by threat actors to build scam infrastructure. The campaign has a global reach, utilizing legitimate and bulletproof hosting services, and employs social engineering via WhatsApp, Telegram, and social media to propagate scams and recruit victims into pyramid schemes. There is no indication of a software vulnerability or exploit in the framework; the issue is its misuse as a technical foundation for scams.
Potential Impact
The impact is primarily financial fraud and reputational damage affecting victims worldwide, including individuals and enterprises. The scams have caused millions in losses, notably in Argentina and the United States. Over 985 organizations across diverse industries have been exposed to these scams, potentially affecting business operations and trust. There is no direct technical compromise of the DCloud Uni-App framework reported, but its widespread misuse facilitates large-scale scam operations.
Mitigation Recommendations
No official patch or fix is applicable as this is not a software vulnerability but a campaign abusing a legitimate framework. Organizations and individuals should remain vigilant against scams leveraging DCloud Uni-App domains. Recommended actions include educating users about these scams, blocking known malicious domains, and monitoring communications on platforms like WhatsApp and Telegram for scam indicators. Since no patch or vendor advisory exists, follow threat intelligence updates from trusted sources for emerging indicators.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.infoblox.com/blog/threat-intelligence/from-san-pedro-to-salinas-how-a-chinese-framework-dcloud-uni-app-powers-a-global-scam-economy/
- Adversary: null
- Pulse Id: 6a3d76e5578987f6ddf8979f
- Threat Score: null
Threat ID: 6a3e38cb4853345fc184bab3
Added to database: 06/26/2026, 08:31:07 UTC
Last enriched: 06/26/2026, 08:46:01 UTC
Last updated: 06/26/2026, 12:42:47 UTC
Views: 8