Full Report
The Treasury said FUNNULL was involved in providing infrastructure for pig butchering crypto scams.
Analysis Summary
This threat actor summary is based solely on the cited article; the information is limited to what that source text provides.
# Threat Actor: FUNNULL (Infrastructure Provider)
## Attribution & Identity
* **Entity:** FUNNULL (A technology company)
* **Attribution:** Sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC).
* **Leadership/Key Individual:** Liu Lizhi (Chinese national, runs FUNNULL).
* **Known Aliases/Associations:** Linked to the majority of virtual currency investment scam websites reported to the FBI.
## Activity Summary
The company FUNNULL is accused of providing critical infrastructure services that facilitate large-scale "pig butchering" crypto scams. Sanctions were imposed because its services enabled cybercriminals whose scams caused approximately **\$200 million in losses** to American victims (an average of \$150,000 per victim, a figure believed to understate the true losses). The activity described is investment fraud that uses romantic deception as the lure.
## Tactics, Techniques & Procedures
* Generating and registering domain names for scam websites on IP addresses owned by FUNNULL.
* Providing web design templates to cybercriminals to easily impersonate trusted brands when creating scam websites.
* Enabling cybercriminals to rapidly change domain names and IP addresses to evade takedown attempts by legitimate providers.
* **Associated Scam Type:** Pig butchering scams (romantic lures leading to investment fraud).
## Targeting
* **Sectors:** Financial/Investment sector (specifically cryptocurrency investment scams).
* **Geography:** FUNNULL itself is based in the Philippines. Victims targeted are implied to be U.S. persons given the Treasury action and reported losses.
* **Victims:** Victims of "pig butchering" crypto scams; reported losses of \$200 million to American victims.
## Tools & Infrastructure
* **Malware Families Used:** Not specified.
* **Infrastructure:** Owns and utilizes specific IP addresses for hosting scam websites, generates domain names, and distributes web design templates.
* **C2/URLs:** N/A (the source text lists no specific domains or IPs, only the general mechanism of operation).
## Implications
FUNNULL represents a significant piece of the supply chain for sophisticated, financially motivated cybercrime operations, specifically ones that target individuals through social engineering built around fraudulent investment platforms that impersonate trusted brands. Sanctioning the infrastructure provider aims to disrupt the scalability and resilience of these international scam rings.
## Mitigations
* Increased vigilance against social engineering that leads into cryptocurrency investment opportunities (the pig butchering pattern).
* Monitor for website templates or infrastructure deployed by entities linked to FUNNULL or Liu Lizhi.
* Review the FBI alert released on these activities for specific indicators.
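As an added example (not code from the article, the Treasury or the FBI), the following Python flags domains that hop between hosting IPs, the takedown-evasion behaviour listed under TTPs, and cross-checks those IPs against a provider watchlist, as the monitoring mitigation above suggests. The netblocks, domains and passive-DNS records are constructed placeholders using RFC 5737 documentation ranges, not real FUNNULL indicators.

```python
# Added example, not code from the Treasury article or the FBI alert. All
# domains, IPs and netblocks are constructed (RFC 5737 ranges), not indicators.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watchlist of netblocks attributed to a sanctioned provider;
# replace these placeholders with ranges from the OFAC/FBI publications.
WATCHED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed passive-DNS records: "timestamp domain resolved_ip".
PDNS_RECORDS = """\
2025-05-01T08:00:00 invest-brand-login.example 192.0.2.10
2025-05-01T14:30:00 invest-brand-login.example 192.0.2.57
2025-05-02T03:15:00 invest-brand-login.example 198.51.100.8
2025-05-02T20:45:00 invest-brand-login.example 192.0.2.99
2025-05-01T09:00:00 news-site.example 203.0.113.5
2025-05-03T09:00:00 news-site.example 203.0.113.5
2025-05-01T10:00:00 crypto-desk-app.example 203.0.113.40
2025-05-01T22:00:00 crypto-desk-app.example 203.0.113.41
""".splitlines()

def parse_records(lines):
    """Parse 'timestamp domain ip' lines into (datetime, domain, ip_address)."""
    out = []
    for line in lines:
        ts, domain, ip = line.split()
        out.append((datetime.fromisoformat(ts), domain, ipaddress.ip_address(ip)))
    return out

def in_watchlist(ip):
    return any(ip in net for net in WATCHED_NETS)

def rotation_report(records, min_distinct=3, window=timedelta(hours=48)):
    """Per domain: distinct IPs within `window` of first sighting, which of them
    sit on watched ranges, and a flag when it both rotates and hits the list."""
    by_domain = defaultdict(list)
    for ts, domain, ip in records:
        by_domain[domain].append((ts, ip))
    report = {}
    for domain, hits in by_domain.items():
        hits.sort()
        first = hits[0][0]
        ips = {ip for ts, ip in hits if ts - first <= window}
        watched = sorted(str(ip) for ip in ips if in_watchlist(ip))
        report[domain] = {"distinct_ips": len(ips), "watched_ips": watched,
                          "flagged": len(ips) >= min_distinct and bool(watched)}
    return report
```

Tune `min_distinct` and `window` to the resolution rate of the passive-DNS source, since legitimate CDN-fronted sites also rotate addresses; the watchlist hit is what narrows the alert to provider-linked hosting.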