Full Report
The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against a Philippines-based company named Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure to conduct romance baiting scams that led to massive cryptocurrency losses. The Treasury accused the Taguig-headquartered company of enabling thousands of websites involved in
Analysis Summary
# Threat Actor: Funnull Technology Inc. (and Administrator Liu Lizhi)
## Attribution & Identity
**Identified Entity:** Funnull Technology Inc., a Philippines-based company headquartered in Taguig.
**Key Individual:** Liu Lizhi (Chinese national), identified as the administrator.
**Known Aliases/Associated Names:** Fang Neng CDN.
**Associated Infrastructure Codename:** Triad Nexus.
## Activity Summary
Funnull has been sanctioned by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) for providing critical infrastructure used in large-scale virtual currency investment scams ("romance baiting scams") targeting Americans. The activity is reported to have resulted in over **$200 million in U.S. victim-reported losses**, with an average loss per individual exceeding $150,000.
Prior activities implicated this infrastructure in:
* Promoting investment scams and fake trading applications.
* Operating suspect gambling networks.
* Involvement in the supply chain attack of the Polyfill.io JavaScript library (June 2024), where they purchased the service potentially to redirect legitimate website visitors to scam/gambling sites.
## Tactics, Techniques & Procedures
Funnull's role is primarily as an infrastructure enabler for various cybercriminal operations.
- **Infrastructure Laundering:** Renting IP addresses in bulk from major cloud service providers (AWS, Microsoft Azure) and reselling them to cybercriminals to host malicious content.
- **Website Generation:** Generating domain names for scam websites using **Domain Generation Algorithms (DGAs)**.
- **Impersonation/Camouflage:** Providing web design templates that allow criminals to easily impersonate trusted brands.
- **Evasion:** Enabling rapid migration to new domain names and IP addresses when legitimate providers attempt to take malicious sites down.
- **Phishing:** Assigning domain names to criminal actors specifically for virtual currency investment fraud and phishing operations.
## Targeting
- **Sectors:** Financial services (through investment scams), general public engaged in online platforms potentially leading to 'romance baiting' scams.
- **Geography:** Victims are predominantly Americans. The company itself is based in the Philippines.
- **Victims:** Thousands of individuals; specific organizations are not named, but the victims suffered cryptocurrency losses.
## Tools & Infrastructure
- **Infrastructure Focus:** Providing bulk IP addresses sourced from major cloud providers.
- **Domain Management:** Utilizing Domain Generation Algorithms (DGA).
- **Malware/Software Influence:** Implicated in the compromise/abuse of the Polyfill.io JavaScript library.
- **Defanged URLs/Domains:**
- funnull[.]io
- funnull[.]com
- funnull[.]app
- funnull[.]buzz
## Implications
Funnull represents a significant component of the cybercriminal ecosystem dedicated to financial harm, specifically facilitating large-scale investment fraud through sophisticated infrastructure management. Their use of legitimate cloud providers for infrastructure laundering highlights the difficulty security teams have in distinguishing legitimate business activities from state-sponsored or organized criminal infrastructure utilization. The connection to Chinese criminal money laundering operations suggests potential transnational organized crime links.
## Mitigations
- **Cloud Security Posture:** Organizations utilizing major cloud providers (AWS, Azure) should enhance monitoring to detect bulk IP address leasing being resold or rapidly provisioned for hosting suspicious or newly registered domains, especially if tied to known DGA patterns.
- **Supply Chain Vetting:** Increased scrutiny regarding third-party dependencies, such as JavaScript libraries (like Polyfill.io), to ensure infrastructure providers haven't been compromised or co-opted for malicious redirection.
- **Financial Monitoring:** Enhanced monitoring for high-value, crypto-related phishing/impersonation campaigns that feature rapid domain cycling.