Latest forensic findings suggest that the Ponzi scam in 2024 was based on a repeatable template in use since mid-2022.
An open-source framework has been used by cybercriminals to power more than 236,000 scam websites worldwide, including a fake cryptocurrency exchange that tricked thousands of residents in San Pedro, Argentina.
According to researchers, the cryptocurrency investment scam known as RainbowEx took place in late 2024, when roughly one-fifth of the population of the small town of San Pedro lost money in a coordinated scheme. Victims had been baited with promises of quick profits and then trapped in a Ponzi-style operation that blocked withdrawals once the scheme was exposed.
Since then, forensic efforts have shown that RainbowEx was not a unique fraud. It was a repeatable template built on a legitimate Chinese web-developer toolkit called DCloud Uni-App. The same framework has been widely used since mid-2022 to create scam sites that impersonate crypto exchanges, run multi-language “pig-butchering” campaigns, deliver social media phishing messages, operate fake gambling platforms, and drain digital wallets.
The full scale of the operation is now clearer. Researchers from Infoblox have identified at least 236,493 distinct second-level domains tied to this framework, spanning fake trading sites, brand-impersonation pages and other fraud operations hosted on various cloud providers. The criminal activity is not new but has scaled dramatically, with domain creation accelerating after the RainbowEx scandal. The scam has rippled outwards to reach workplaces.
According to researchers, more than five million connections have been attempted from 985 organizations across 25 industries, including many individual employee visits triggered by links shared through WhatsApp, Telegram and social media. This means such scams have increasingly crossed into office networks, creating risks of data exposure and financial loss that standard employee training may not fully address.
Zach Edwards, Staff Threat Researcher at Infoblox, said: “This is no longer just a consumer fraud problem. When scam traffic reaches work devices and work networks, companies inherit the fallout, from employee losses to possible data exposure and tougher scrutiny from leadership.”
