Chinese Open-Source Toolkit Linked to Over 236,000 Scam Sites, Raising Enterprise Security Concerns

A Chinese open-source application framework is powering one of the world’s largest scam ecosystems, with more than 236,000 malicious websites linked to a single platform and millions of attempted connections originating from enterprise networks, according to new research released by Infoblox Threat Intel.

The research traces the infrastructure behind the widely publicized RainbowEx cryptocurrency scam, which devastated thousands of investors in the Argentine town of San Pedro, to DCloud Uni-App, an open-source application development framework that has evolved into a preferred foundation for large-scale cyber fraud operations.

“This is no longer just a consumer fraud problem,” said Zach Edwards, Staff Threat Researcher at Infoblox. “When scam traffic reaches work devices and work networks, companies inherit the fallout from employee losses to possible data exposure and increased scrutiny from leadership.”

Rather than being an isolated incident, RainbowEx represents a repeatable scam template that cybercriminals are replicating globally. Infoblox researchers identified 236,493 unique second-level domains built using the DCloud framework, supporting a broad range of fraudulent operations including fake cryptocurrency exchanges, pig-butchering scams, phishing campaigns, counterfeit gambling platforms, brand impersonation sites, and cryptocurrency wallet drainers.

The report also highlights the growing impact of these scams on enterprises. Infoblox observed more than five million connection attempts to DCloud-linked scam infrastructure originating from 985 organizations across 25 industries. Researchers found that the traffic was distributed across numerous businesses, often triggered by employees clicking malicious links received through messaging platforms such as WhatsApp, Telegram, or social media.

The findings suggest that consumer-targeted scams are increasingly becoming an enterprise security challenge as employees inadvertently expose corporate environments to malicious infrastructure through personal online activities.

According to Infoblox, traditional phishing awareness programmes alone are no longer sufficient to address the evolving threat landscape. As cybercriminals increasingly leverage trusted messaging platforms and sophisticated scam frameworks, organizations need greater visibility into outbound connections and stronger DNS-layer security to detect malicious activity before it reaches endpoints.

The company warns that the financial and operational impact of consumer fraud is steadily spilling into enterprise environments, exposing organizations to potential data breaches, reputational damage, and regulatory concerns.

Infoblox recommends that enterprises strengthen proactive threat intelligence capabilities, deploy protective DNS security, and educate employees about emerging social engineering techniques targeting both personal and corporate devices.

The full research detailing the DCloud scam ecosystem and its impact on enterprises is available on the Infoblox Threat Intelligence blog.