A new investigation just put a number on something every crypto user should be worried about.
Threat intel firm Infoblox identified 236,493 distinct second-level domains that are all built on the same Chinese open-source app framework, DCloud Uni-App, and a huge portion of them exist for one purpose: draining crypto wallets through fake exchanges and investment platforms. The framework itself is perfectly legitimate, used by real developers around the world to ship apps to iOS, Android, and the web from a single codebase. That same convenience is what makes it so attractive to fraud crews. They get a polished, mobile-friendly fake exchange or fake investment dashboard in days instead of months, and the resulting site looks indistinguishable from a thousand real startups built on the same framework.
Why This Is Worse Than the Usual Scam Site Sprawl
The numbers tell their own story about how quickly this got out of hand. Before October 2024, Infoblox was seeing a few thousand new DCloud-fingerprinted scam sites appear each month, which is already a lot. After the RainbowEx scandal broke into international headlines that fall, the rate ballooned to roughly 15,000 newly observed sites per month at peak. Scammers apparently looked at the press coverage and decided the playbook was worth copying at scale, not abandoning. The sites target speakers of at least eight languages and span every continent, posing as everything from major stock exchanges to retail giants to messaging platforms. Most of them are hosted on Cloudflare, AWS, Alibaba Cloud, and Tencent Cloud, which lets them blend in with real businesses and makes simple IP blocklists close to useless: blocking those address ranges would take down legitimate customers of the same providers along with the scams.
RainbowEx and the Argentine Town That Got Wiped Out
If you want a sense of what victims actually experience, the RainbowEx case is the textbook example. In 2024, residents of San Pedro, Argentina poured money into what looked like a slick cryptocurrency exchange. The dashboard showed live trades, balances climbed steadily, and stablecoin deposits flowed in without issue. Then withdrawals stopped working. Thousands of people in a single small town discovered the trades had been fabricated, the balances were synthetic, and the operators were gone. Argentine authorities later arrested seven people allegedly tied to the operation, but most of the money is gone, and the exact same template, with cosmetic branding changes, is now running on a measurable percentage of those 236,000 domains.
What an Average Trader Should Actually Do About It
There is no clean solution here, because the underlying framework is legitimate software and the hosts are mainstream cloud providers who cannot deplatform every customer that happens to use a common framework. About 6% of confirmed scam domains were found running on bulletproof hosts like CTG Server Limited, which has been flagged for malicious activity before, so at least those have a clear villain. The rest hide in normal traffic. Anyone evaluating a new exchange, airdrop site, or investment opportunity found through a Telegram group, WhatsApp chat, or Twitter DM should treat the polish of the website as evidence of nothing at all. Check whether the company is registered with any real regulator or corporate registry, whether withdrawals actually work for small amounts before sending large ones, and whether the domain was registered only in the last few months (the registration date is public through WHOIS or its JSON successor, RDAP). If the answer to any of those raises a flag, walk away. The Hacker News has additional technical detail for anyone who wants to dig deeper.
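The domain-age check above is the one a reader can automate, so here is an added example of how to do it; it is not code from Infoblox, from the article, or from any tool the article names. It reads the registration date out of an RDAP domain record (the standard `events` array with an `eventAction` of `registration`) and flags domains younger than a threshold. The RDAP response embedded below is constructed sample data for a hypothetical domain, not a real lookup, and the threshold of 180 days is an assumption you should tune to your own risk appetite.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample RDAP response for a hypothetical domain (not real data).
# Real RDAP records carry registration/expiration dates in the "events" array.
SAMPLE_RDAP_YOUNG = json.dumps({
    "ldhName": "example-exchange.invalid",
    "events": [
        {"eventAction": "registration", "eventDate": "2025-03-02T11:20:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-03-02T11:20:00Z"},
    ],
})

# Constructed record with no registration event, to exercise the failure path.
SAMPLE_RDAP_NO_EVENTS = json.dumps({"ldhName": "example-old.invalid", "events": []})

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)


def registration_date(rdap_json: str):
    """Return the registration timestamp (UTC) from an RDAP domain record, or None."""
    data = json.loads(rdap_json)
    for event in data.get("events", []):
        if event.get("eventAction") == "registration":
            # RDAP dates are RFC 3339; Python's fromisoformat wants +00:00 rather than Z.
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def domain_age_days(rdap_json: str, now: datetime):
    """Whole days between registration and `now`, or None if the record lacks the date."""
    registered = registration_date(rdap_json)
    if registered is None:
        return None
    return (now - registered).days


def triage(rdap_json: str, now: datetime, min_age_days: int = 180) -> str:
    """Classify a domain as FLAG (too young), UNKNOWN (no date), or OK by registration age."""
    age = domain_age_days(rdap_json, now)
    if age is None:
        return "UNKNOWN"  # no registration event; treat as unverified, not as safe
    if age < min_age_days:
        return "FLAG"
    return "OK"


def fetch_rdap(domain: str) -> str:
    """Fetch a live RDAP record via the rdap.org bootstrap redirector (network required).

    Not called in this example; shown so the reader can swap in a real lookup.
    """
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for label, record in (("young", SAMPLE_RDAP_YOUNG), ("no-events", SAMPLE_RDAP_NO_EVENTS)):
        print(label, domain_age_days(record, REFERENCE_NOW), triage(record, REFERENCE_NOW))
```

A 180-day cutoff will not catch a scam running on a domain bought and parked a year in advance, so treat a FLAG as a reason to stop and an OK as nothing more than the absence of one obvious signal; the withdrawal test and the regulator check still apply.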
The takeaway from this count is uncomfortable but useful. The crypto scam economy is no longer a scattered collection of one-off sites built by individual scammers working in their basements. It is an industrial production line running on shared tooling, mainstream hosting, and proven playbooks, and 236,000 storefronts is just what was visible enough to count. Treat every unfamiliar exchange link the way you would treat an unsolicited email asking for your password, because at this scale, the odds are not in your favor.
---------------
Author: Ren Nakamura
Asia Newsroom
Breaking Crypto News