CFOtech New Zealand - Technology news for CFOs & financial decision-makers
Infoblox links DCloud app to vast scam website network

Tue, 30th Jun 2026
Joseph Gabriel Lagonsin, News Editor

Infoblox has linked the Chinese app framework DCloud Uni-App to a large network of scam websites spanning at least 236,493 distinct second-level domains.

Researchers said the framework sits behind a wide range of fraudulent operations, including fake crypto exchanges, pig-butchering schemes, WhatsApp phishing networks, fake gambling sites, brand impersonation pages, and crypto wallet drainers. They also identified a live operation called Yuechi Sharing Technology, aimed mainly at Australia, New Zealand, and the United States.

The findings point to significant overlap between consumer scams and corporate networks. Infoblox logged more than five million attempted connections to the scam infrastructure from 985 organisations across 25 industries.

Those attempts were not concentrated among a few large victims. Instead, the traffic came from many small visits by employees, often after links were shared through WhatsApp, Telegram, or social media platforms.

Business spillover

The research suggests scam networks once seen largely as a consumer issue are appearing more often in workplaces through personal devices and office internet connections. That creates a different set of risks for employers, including possible data exposure and internal questions about how staff are being drawn into fraudulent schemes outside conventional email phishing channels.

Infoblox linked DCloud to repeatable scam templates rather than isolated campaigns. One example was RainbowEx, a fake crypto platform that drew attention after residents of San Pedro in Argentina discovered they had backed a scam.

According to the researchers, RainbowEx was not an isolated case but part of a wider pattern built on the same technical base. The framework, they said, has long been used for fraud at scale and can support different scam brands and formats while keeping a common underlying structure.

The report also drew a connection between online scam systems and real-world operations, saying the schemes can support businesses that present themselves as legitimate ventures while relying on infrastructure seen across broader fraud networks.

One example involved Lightning Shared Scooter Co, which researchers said had been investigated by the FBI and shut down across US states. A structurally similar operation then appeared under a different brand.

That new brand, Yuechi Sharing Technology, remains active and focuses mainly on English-speaking markets in Australia, New Zealand, and the United States. Infoblox said the group behind it had put substantial effort into creating the appearance of regulatory legitimacy.

Scam framework

DCloud Uni-App is an open-source development framework originating in China. In Infoblox's analysis, the software gave scammers a way to build and reproduce sites and apps quickly across many domains, helping them launch new brands, replace disrupted operations, and adapt content for different regions and languages.

The scale of the activity is reflected in the number of domains alone. More than 236,000 distinct second-level domains linked to one framework suggest a highly organised ecosystem rather than a loose collection of unrelated websites.

Network data also showed scam traffic reaching companies through routine employee browsing rather than a single major breach or targeted intrusion. Small numbers of clicks across many organisations can still add up to substantial exposure, especially when staff use the same messaging and social apps for personal and professional communication.

That pattern may also make the problem harder for corporate security teams to contain. Standard awareness programmes often focus on suspicious emails, malware attachments, and direct impersonation attempts against the business, while these schemes can begin with consumer-facing messages and move indirectly into work environments.

Zach Edwards, Staff Threat Researcher at Infoblox, warned that the issue had moved beyond retail fraud. "This is no longer just a consumer fraud problem," Edwards said. "When scam traffic reaches work devices and work networks, companies inherit the fallout, from employee losses to possible data exposure and tougher scrutiny from leadership."

The figures did not point to one sector as the main driver of activity. Instead, the 985 organisations were spread across 25 industries, indicating that exposure was broad and tied more to general employee behaviour than to the profile of any one line of business.

For security teams, that raises the prospect that consumer scam monitoring may need to sit closer to corporate risk management. The concern is not only whether employees lose money personally, but whether their interactions with scam sites from company networks or work-linked devices create a path to wider compromise or reputational damage.

The findings also show how difficult it can be to judge legitimacy from branding alone when scam operators invest in the appearance of regulation, business registration, and physical-world services. In that setting, fraudulent platforms can look less like crude phishing pages and more like ordinary digital businesses.

Overall, the cost of consumer fraud is increasingly appearing inside businesses as well as households, with more scam traffic passing through corporate environments via everyday messaging apps and social platforms rather than traditional email attacks.