Full Report
In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But more than a month later, the accused continues to openly operate accounts at a slew of American tech companies, including Facebook, GitHub, LinkedIn, PayPal and Twitter/X.
Analysis Summary
# Regulation/Compliance: U.S. Economic Sanctions Against Financially Harmful Entities
## Overview
This summary outlines the regulatory environment stemming from the U.S. Department of the Treasury's decision to impose economic sanctions on Funnull Technology Inc. and its alleged operator, Liu "Steve" Lizhi, due to their role in facilitating massive cyber-enabled financial fraud, specifically "pig butchering" investment scams. The key compliance implication is the legal requirement for U.S. persons and entities (including major technology companies) to cease all transactions and interactions with sanctioned individuals and entities.
## Key Details
- Issuing Authority: U.S. Department of the Treasury, specifically the Office of Foreign Assets Control (OFAC)
- Effective Date: May 29, 2025 (Date of announced sanctions)
- Jurisdiction: United States (applies to U.S. persons and entities globally)
- Status: In Effect (Sanctions are imposed)
## Requirements
### Mandatory Requirements (In relation to Sanctions Compliance)
1. **Cease Transactions:** U.S. companies and individuals are legally prohibited from transacting with the sanctioned entity (Funnull Technology Inc.) and the sanctioned individual (Liu "Steve" Lizhi, also known by nicknames such as "XXL4" and "Nice Lizhi," and by known professional identities).
2. **Account Suspension/Termination:** Technology platforms (e.g., cloud providers, social media, payment processors) must suspend or terminate services, accounts, and paid subscriptions associated with the sanctioned party.
3. **Due Diligence:** Entities must implement processes to screen new and existing customers, users, and account holders against U.S. government sanctions lists (e.g., the SDN List, if applicable, or specific designations mentioned in the Treasury announcement).
### Recommended Practices
1. **Proactive Monitoring:** Continuously monitor online presence and associated identifiers (usernames, associated domains, and listed nicknames) for sanctioned parties, especially given the potential complexity of digital identity separation (e.g., free vs. paid accounts).
2. **Rapid Response Protocols:** Establish clear, prompt procedures for immediate review and action upon notification or discovery of a sanctioned individual utilizing services, moving beyond standard policy enforcement timelines.
3. **Transparency in Action:** While Meta suggested sanctions can be "targeted," it is recommended that companies document the specific facts leading to the determination that an activity *is* restricted by sanctions law or internal policy.
## Affected Organizations
- Industries: Technology (Cloud Providers - Amazon, Microsoft; Social Media/Platforms - Facebook/Meta, Twitter/X, LinkedIn, YouTube; Payment Processors - PayPal; Code Hosting - GitHub).
- Organization Size: All U.S. companies and individuals transacting globally.
- Geographic Scope: Global operations of U.S.-based companies, as the prohibition derives from U.S. law.
## Compliance Timeline
- **May 29, 2025:** Sanctions announced, making direct transactions immediately illegal.
- **Immediate:** Tech companies engaging with the sanctioned party should have suspended services upon learning or being notified.
- **Ongoing:** Continuous compliance monitoring is required, as sanctioned entities adapt their infrastructure (e.g., morphing business practices, complex use of domain generation algorithms, or DGAs).
## Implementation Guidance
### Assessment Phase
- **Identity Mapping:** Identify all accounts, services, and financial instruments utilized by the sanctioned individual/entity (including known aliases like "XXL4," "@nicelizhi," and corporate names like Funnull Technology Inc.).
- **Service Layer Review:** Assess which specific services (free tiers, premium accounts, cloud infrastructure, payment processing) are being utilized by the sanctioned party across the organizational structure.
### Implementation Phase
- **Service Cessation:** Immediately cease providing any service defined as a "transaction" under OFAC rules.
- **Policy Review:** Ensure internal terms of service and compliance policies explicitly cover mandatory compliance with OFAC sanctions, regardless of the account status (free or paid).
### Validation Phase
- **Audit Trail:** Document the date and time of account suspension/termination and the rationale (e.g., linkage to a sanctioned entity).
- **External Confirmation:** Use third-party security assessments (such as those from firms like Silent Push) or internal threat intelligence to confirm the sanctioned party has been effectively cut off from all relevant services.
## Technical Requirements
- **Sanctions Screening Integration:** Integrate sanctions list matching into account creation and ongoing user/IP/domain monitoring processes (though this requires effective identification of sanctioned entities beyond simple direct name matching).
- **Infrastructure Disruption:** For cloud providers, this may involve terminating underlying IP addresses or domain registrations associated with the sanctioned infrastructure provider (Funnull).
## Penalties & Enforcement
- Fines: Specific fines for the listed tech companies are not detailed in the report. In general, OFAC violations carry significant civil and criminal penalties, often structured on a per-violation basis.
- Other Consequences: Reputational damage, regulatory scrutiny, and potential business disruption resulting from failure to swiftly comply with federal mandates.
- Enforcement: Enforcement action taken or threatened by the U.S. Department of the Treasury (OFAC). Enforcement appears responsive to external reporting (e.g., platform actions following media inquiry).
## Related Standards
- **OFAC Regulations:** Treasury sanctions are governed by various OFAC regulations concerning Specially Designated Nationals (SDN) or blocked persons (though the specifics of this designation are not provided).
- **General Compliance Frameworks (Indirect):** While not directly mandated by the incident, comprehensive frameworks like **NIST CSF** (Security Management/Identify Functions) or **ISO 27001/27002** imply robust third-party risk management and compliance, which should cover sanctions adherence.
## Resources
- Official Documentation: U.S. Department of the Treasury Sanctions Announcement (May 29, 2025 regarding Funnull Technology Inc. and Liu Lizhi).
- Guidance Documents: General OFAC guidance relating to compliance programs for non-financial institutions.
- Tools: Security firms like Silent Push track and report on such non-compliance.
## Practical Recommendations
1. **Establish Strict Financial/Service Controls:** Where banks have established screening methods, tech companies must develop comparable, non-negotiable controls for sanctions lists, especially concerning critical infrastructure provision.
2. **Review Free Account Liability:** Explicitly determine the organizational risk appetite and legal posture regarding providing free services to sanctioned parties, as these were noted as areas where enforcement may lag.
3. **Address Adjacent Risks:** Be aware that infrastructure used for illicit activity (like Funnull's historical use of domain generation algorithms or domain hijacking) may present cascading supply-chain risks to compliant clients.