Infoblox Threat Intel links more than 236,000 scam sites to one framework and logs five million enterprise attempts to reach them.
In 2024, the small Argentine town of San Pedro made international headlines when thousands of residents discovered that the crypto platform they had backed, RainbowEx, was a scam. Coverage focused on RainbowEx itself, but the larger story went unreported: RainbowEx was not a one-off. It was a repeatable template built on a Chinese app framework that is now linked to more than 236,000 scam sites worldwide, many of which have been contacted from business networks.
New research by Infoblox Threat Intel shows that scammers have been using the framework, DCloud Uni-App (referred to here as DCloud), to commit fraud at scale for some time. According to the research, DCloud is the technical foundation beneath at least 236,493 distinct second-level domains identified as scam infrastructure, ranging from RainbowEx-style fake crypto exchanges to multi-language pig-butchering operations, WhatsApp phishing networks, fake gambling platforms, brand-impersonation sites and crypto wallet drainers.
The same template now underpins fraud operations with a physical-world front, such as Lightning Shared Scooter Co. (LSSC). While LSSC was being investigated by the FBI and shut down across U.S. states, a structurally similar operation was being stood up under a different brand. Yuechi Sharing Technology Ltd. (YST) is currently live, primarily targeting Australia, New Zealand and the United States, and has invested significant effort in establishing an appearance of regulatory legitimacy.
The business spillover is already visible. Infoblox recorded more than five million attempted connections to these scam domains from 985 organisations across 25 industries. No single company drove the volume; it came from many small visits by employees, often after following links sent through WhatsApp, Telegram or social media.
Consumer scams are increasingly crossing into the workplace through personal devices and office networks, creating fraud risk, data exposure and board-level questions that standard phishing training does not fully address.
“This is no longer just a consumer fraud problem,” said Zach Edwards, Staff Threat Researcher at Infoblox. “When scam traffic reaches work devices and work networks, companies inherit the fallout, from employee losses to possible data exposure and tougher scrutiny from leadership.”
If companies ignore the consumer side of fraud, more of that cost will keep showing up inside the enterprise. To learn more about this topic, read the full blog post here: https://www.infoblox.com/blog/threat-intelligence/from-san-pedro-to-salinas-how-a-chinese-framework-dcloud-uni-app-powers-a-global-scam-economy/
About Infoblox Threat Intel
Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet’s inner workings allows us to track down threat actors that others can’t see. We’re proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.
About Infoblox
Infoblox is a leading platform for preemptive security and hybrid, multi-cloud networking that delivers enterprise resilience and agility. Trusted by over 5,700 customers, including the majority of Fortune 100 companies as well as emerging innovators, we seamlessly integrate, secure and automate critical network services so businesses can move fast without compromise. Visit Infoblox.com, or follow us on LinkedIn.