Funnull Technology supports “hundreds of thousands of websites” dedicated to the scams, otherwise known as pig butchering, according to the sanctions announcement by the Treasury Department’s Office of Foreign Assets Control.
Analysis Summary
# Threat Actor: Funnull Technology Inc. (and associated actors/infrastructure)
## Attribution & Identity
Funnull Technology Inc., a web infrastructure provider based in the Philippines (headquarters listed in the Manila area), has been sanctioned by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC). An administrator associated with the company, Liu Lizhi (a Chinese national cited with an address in Ganzhou, China), was also sanctioned. Funnull is described as facilitating cybercrime by acting as a provider of "infrastructure laundering."
## Activity Summary
Funnull Technology Inc. is linked to the majority of virtual currency investment scam websites reported to the FBI. They support "hundreds of thousands of websites" dedicated to "pig butchering" scams. U.S. victims linked to Funnull infrastructure have reported over \$200 million in losses. The activity is part of a broader Southeast Asian cybercrime ecosystem involving organized crime, gambling operations, and scam compounds. Furthermore, a domain acquired by Funnull (polyfill) was found injecting malware onto visitors' devices.
## Tactics, Techniques & Procedures
- **Infrastructure Facilitation/Laundering:** Purchasing IP addresses from legitimate U.S. providers (like Amazon and Microsoft) and reselling them to cybercriminals for hosting fraudulent infrastructure.
- **Domain Management:** Assigning domain names to cybercriminals for various fraudulent activities, including investment fraud, phishing scams, and online gambling sites.
- **Malware Delivery:** Injecting malware onto the devices of visitors accessing infrastructure they control (as seen with the polyfill domain acquisition).
## Targeting
- **Sectors:** Financial sector (specifically targeting virtual currency investors). E-commerce/Software (via supply chain/domain compromise).
- **Geography:** Victims are cited in the U.S. The operational hub appears to be Southeast Asia (Philippines/China involvement).
- **Victims:** U.S.-based individuals who have lost an average of over \$150,000 per incident in investment scams.
## Tools & Infrastructure
- **Malware Families Used:** No specific malware family is named in the report; malware was injected onto visitors' devices via the acquired polyfill domain.
- **Infrastructure (C2, domains, IPs):**
  - Utilizes IP addresses and hosting services acquired from legitimate providers in the United States.
  - Specific domains associated with investment fraud, phishing, and online gambling sites were managed or assigned by the actor.
  - Headquarters listed at an address in the **Manila area**, Philippines.
## Implications
Funnull represents a critical chokepoint and enabler for Southeast Asian investment fraud (pig butchering) operations, effectively laundering illicit infrastructure and connecting legitimate cloud services to criminal enterprises. The significant financial losses reported underscore the large scale and high profitability of the scams Funnull supports. The actor's ability to acquire infrastructure from major U.S. cloud providers highlights a sophisticated supply chain risk within the hosting sector.
## Mitigations
- **Enhanced Vetting:** U.S. IP and hosting providers must enhance scrutiny of infrastructure sales, particularly in relation to high-risk geographic areas, to prevent infrastructure resale to known cybercriminal facilitators.
- **Domain Monitoring:** Increased vigilance on newly provisioned or acquired domains that quickly pivot to hosting investment fraud or phishing content.
- **Supply Chain Security:** Organizations providing infrastructure or software libraries must monitor their assets for unauthorized usage or injection of malicious code.
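As an added example that is not part of this report: one concrete form of the supply chain monitoring described above is checking your own pages for third-party scripts that are not pinned with Subresource Integrity, since a CDN domain that changes hands (as the polyfill domain did) can only substitute altered code where the page does not pin the expected hash. The host names and the sample HTML below are constructed for illustration.

```python
# Added example: flag <script src> references to third-party hosts that lack
# Subresource Integrity (integrity + crossorigin). All hosts below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def find_unpinned_scripts(html, first_party_hosts):
    """Return src values of scripts loaded from hosts outside first_party_hosts
    that carry no integrity attribute, or no crossorigin attribute (browsers
    only enforce SRI on cross-origin loads when crossorigin is present)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for a in parser.scripts:
        src = a["src"]
        host = urlparse(src).hostname  # None for relative URLs such as /js/app.js
        if host is None or host.lower() in first_party_hosts:
            continue  # first-party: SRI not required for this check
        if not a.get("integrity") or "crossorigin" not in a:
            findings.append(src)
    return findings


# Constructed sample page: one first-party script, one properly pinned
# third-party script, and two third-party scripts a hostile CDN could alter.
FIRST_PARTY = {"www.example.com"}
SAMPLE_HTML = """
<script src="/js/app.js"></script>
<script src="https://www.example.com/js/site.js"></script>
<script src="https://cdn.widget.example/v3/polyfill.min.js"></script>
<script src="https://cdn.lib.example/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="//static.third.example/analytics.js" integrity="sha384-BBBB"></script>
"""

if __name__ == "__main__":
    for src in find_unpinned_scripts(SAMPLE_HTML, FIRST_PARTY):
        print("unpinned third-party script:", src)
```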