DCloud Uni-App scam website campaign
Campaign
Summary
The DCloud Uni-App scam-site campaign has grown into a 236,493-domain fraud network that steals credentials, drains crypto wallets, and impersonates major brands. The sites run bogus exchanges, WhatsApp phishing pages, fake gambling platforms, and other victim-facing lures, with activity ongoing since mid-2022. Some operators appear to reuse the same playbook across regions and languages, while others strip template fingerprints to evade detection. The scale and persistence make the network harder to take down and expand the pool of exposed victims.
Related Happenings
AccountDumpling Google AppSheet Facebook phishing campaign
Campaign
H score: 31
First: 01.05.2026 21:09
Last: 01.05.2026 21:09
Sources 1
About this happening:
A **Vietnamese-linked** operation dubbed **AccountDumpling** is using **Google AppSheet** as a phishing relay to steal **Facebook** credentials, enabling account takeover at scale...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
H score: 43
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
**Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
H score: 43
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Meta rolls out anti-scam protections and AI scam detection across WhatsApp, Facebook, and Messenger
Security Tool/Service
H score: 43
First: 11.03.2026 15:29
Last: 11.03.2026 15:29
Sources 1
About this happening:
Meta is rolling out **anti-scam protections** across **WhatsApp, Facebook, and Messenger**, using warnings and AI detection to block scams before users engage. The updates target...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
H score: 82
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
29.06.2026 14:57 · 2 articles
Infoblox identifies 236,493 DCloud Uni-App scam domains
Initial Disclosure: Infoblox identifies 236,493 distinct second-level domains using DCloud Uni-App investment-scam templates to run bogus cryptocurrency exchanges, multi-language pig-butchering operations, WhatsApp phishing, fake gambling platforms, brand-impersonation sites, and crypto wallet drainers. The infrastructure spans at least eight languages, appears to rely mostly on mainstream cloud hosting with a smaller bulletproof-hosting segment, and shows signs that some operators may be reselling templates or coordinating changes across part of the network.
Sources:
- 236,000 DCloud Uni-App Sites Used in Crypto Scams, Phishing, and Wallet Drainers — thehackernews.com — 29.06.2026 14:57