Full Report
The Philippines-based company Funnull operated a large cybercrime platform encompassing more than 332,000 domains, the FBI said. (Source: CyberScoop, "Treasury sanctions crypto scam facilitator that allegedly stole $200M from US victims".)
Analysis Summary
# Threat Actor: Funnull Technology (State-Agnostic Cybercrime Facilitator)
## Attribution & Identity
* **Attribution/Location:** Philippines-based company.
* **Known Aliases and Associated Groups:** Administered by Liu Lizhi. Identified as a facilitator for thousands of cryptocurrency investment scams ("pig butchering"). Allegedly linked to Chinese criminal money laundering operations through shared infrastructure/code modification.
## Activity Summary
Funnull Technology operated a large cybercrime platform providing infrastructure services specifically for cryptocurrency investment scams (pig butchering).
* **Scale:** Operated more than 332,000 unique domains linked to 548 CNAME records identified since January 2025.
* **Impact:** Directly aided the majority of virtual currency investment scam sites reported to the FBI, resulting in losses exceeding $200 million for U.S.-based victims. Reported average individual losses surpassed $150,000.
* **Timeline:** Observed IP address activity patterns between October 2023 and April 2025. Purchased and maliciously altered a repository of web developer code in 2024.
## Tactics, Techniques & Procedures
* **Infrastructure Provisioning:** Purchases IP addresses, hosting services, and other internet infrastructure from legitimate U.S. providers to sell to cybercriminals.
* **Domain Generation:** Uses domain generation algorithms (DGAs) to create domain names for scam sites hosted on its IP addresses.
* **Impersonation/Evasion:** Provides web design templates that let cybercriminals impersonate trusted brands on look-alike domain names; because the sites are template-driven, operators can relocate rapidly across domains and IPs (hundreds of domains were observed migrating simultaneously to new IPs).
* **Malicious Code Modification (T1587.002 - Develop Capabilities/Supply Chain Compromise):** Purchased a repository of legitimate web developer code in 2024 and maliciously altered it so that visitors to legitimate sites using that code were redirected to scam sites and online gambling platforms.
## Targeting
* **Sectors:** Not sector-specific; individual victims were targeted through investment fraud.
* **Geography:** Victims were primarily U.S.-based individuals. The operation itself is based in the Philippines.
* **Victims:** Individuals targeted via "pig butchering" scams, in which scammers pose as romantic partners or friends to gain trust before persuading the victim to invest in fraudulent schemes.
## Tools & Infrastructure
* **Malware Families Used:** None named; the operation's role was infrastructure provisioning for scams rather than malware deployment.
* **Infrastructure (C2, domains, IPs):** Infrastructure included 332,000+ unique domains, associated IP addresses, hosting services, and web design templates provided to associated criminal operators.
## Implications
Funnull operated at a massive scale, significantly lowering the technical barrier for "pig butchering" scammers by providing readily available, complex infrastructure. The sanctions targeting Funnull and its administrator are a measure to disrupt the enabling criminal enterprise rather than the individual scammers themselves. Scammers' continued reliance on similar enabling infrastructure remains a threat.
## Mitigations
* Providers should apply increased scrutiny to hosting or IP address requests associated with masking or rapid cycling of domains, especially where DGA-generated names or mass template deployment are observed.
* Heightened awareness regarding cryptocurrency investment scams involving supposed romantic partners ("pig butchering").
* Security teams should monitor for unusual traffic redirection originating from third-party code repositories or web template dependencies.
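As an added defender-side example (not code from the CyberScoop report, the FBI or Treasury), the following Python script applies the infrastructure observations in the TTP section and the first mitigation above to constructed passive-DNS records: it scores registrable labels for DGA-likeness, clusters domains by shared CNAME target, and flags near-simultaneous migration of many domains to one new IP. Every domain, hostname, IP address, weight and threshold in it is a constructed assumption, not an indicator from the report.

```python
"""Passive-DNS heuristics for the infrastructure pattern described in the report:
many DGA-looking domains behind a few CNAME targets, and mass, near-simultaneous
migration of those domains to new IPs. Added example with constructed data; none
of the names, addresses, weights or thresholds come from the report."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

VOWELS = set("aeiou")

# Constructed passive-DNS observations: (timestamp, domain, rtype, value).
# Placeholder names/addresses only (RFC 5737 test ranges, .example/.test TLDs).
SAMPLE_RECORDS = [
    # January: four scam-looking names behind one CNAME target, one unrelated site behind another
    ("2025-01-10T08:00:00", "x7k9q2vt1m.example", "CNAME", "edge1.cdn-placeholder.test"),
    ("2025-01-10T08:00:00", "p3zr8w0hq5.example", "CNAME", "edge1.cdn-placeholder.test"),
    ("2025-01-10T08:01:00", "m4n6b1vx9c.example", "CNAME", "edge1.cdn-placeholder.test"),
    ("2025-01-10T08:01:00", "coinvest-pro.example", "CNAME", "edge1.cdn-placeholder.test"),
    ("2025-01-10T08:02:00", "news-portal.example", "CNAME", "edge2.cdn-placeholder.test"),
    ("2025-01-10T08:00:00", "x7k9q2vt1m.example", "A", "203.0.113.10"),
    ("2025-01-10T08:00:00", "p3zr8w0hq5.example", "A", "203.0.113.10"),
    ("2025-01-10T08:01:00", "m4n6b1vx9c.example", "A", "203.0.113.10"),
    ("2025-01-10T08:01:00", "coinvest-pro.example", "A", "203.0.113.10"),
    ("2025-01-10T08:02:00", "news-portal.example", "A", "203.0.113.20"),
    # February: the four scam names move to a new address within four minutes of each other
    ("2025-02-01T03:00:00", "x7k9q2vt1m.example", "A", "198.51.100.7"),
    ("2025-02-01T03:01:00", "p3zr8w0hq5.example", "A", "198.51.100.7"),
    ("2025-02-01T03:03:00", "m4n6b1vx9c.example", "A", "198.51.100.7"),
    ("2025-02-01T03:04:00", "coinvest-pro.example", "A", "198.51.100.7"),
    ("2025-02-01T09:00:00", "news-portal.example", "A", "203.0.113.21"),
]


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    # Assumption for this example: the label left of the final suffix is the one to
    # score. Production tooling should use a public-suffix list (e.g. for "co.uk").
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """Heuristic score in [0, 1] from entropy, digit share and consonant runs.
    The weights and caps are assumptions chosen for this example, not a trained model."""
    label = registrable_label(domain)
    if not label:
        return 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    run = longest = 0
    for ch in label:  # a vowel, digit or hyphen ends a consonant run
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        longest = max(longest, run)
    return round(
        0.30 * min(shannon_entropy(label) / 4.0, 1.0)
        + 0.35 * min(digit_ratio * 2.5, 1.0)
        + 0.35 * min(longest / 4.0, 1.0),
        3,
    )


def is_dga_like(domain, threshold=0.6):
    return dga_score(domain) >= threshold


def cname_clusters(records, min_domains=3):
    """Group domains by CNAME target; keep targets fronting at least min_domains names."""
    by_target = defaultdict(set)
    for _, domain, rtype, value in records:
        if rtype == "CNAME":
            by_target[value].add(domain)
    return {
        target: {"domains": sorted(ds), "dga_like": sum(is_dga_like(d) for d in ds)}
        for target, ds in by_target.items()
        if len(ds) >= min_domains
    }


def mass_migrations(records, window=timedelta(minutes=10), min_domains=3):
    """Return new IPs that at least min_domains distinct domains switched to within `window`."""
    history = defaultdict(list)
    for ts, domain, rtype, value in records:
        if rtype == "A":
            history[domain].append((datetime.fromisoformat(ts), value))
    moves = defaultdict(list)  # new_ip -> [(time of change, domain)]
    for domain, obs in history.items():
        obs.sort()
        for (_, prev_ip), (t, ip) in zip(obs, obs[1:]):
            if ip != prev_ip:
                moves[ip].append((t, domain))
    flagged = {}
    for ip, events in moves.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window anchored at each change
            domains = {d for t, d in events[i:] if t - t0 <= window}
            if len(domains) >= min_domains:
                flagged[ip] = sorted(domains)
                break
    return flagged


if __name__ == "__main__":
    print("CNAME clusters:", cname_clusters(SAMPLE_RECORDS))
    print("Mass migrations:", mass_migrations(SAMPLE_RECORDS))
```

On the sample data the script reports one CNAME target fronting four domains, three of which score as DGA-like, and one new IP that all four moved to inside a ten-minute window; the unrelated site, which changes address on its own, is not flagged. The scoring is a deliberately simple heuristic: tune the weights, window and minimum cluster size against your own resolver logs, and treat a hit as a lead for analyst review rather than a verdict.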