Full Report
The Philippines-based company Funnull operated a large cybercrime platform encompassing more than 332,000 domains, the FBI said. The post Treasury sanctions crypto scam facilitator that allegedly stole $200M from US victims appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Funnull Technology (Sanctioned Entity)
## Attribution & Identity
The entity identified is **Funnull Technology**, a Philippines-based company. Its administrator is named **Liu Lizhi**. Although not explicitly labeled as a traditional APT, this entity functions as a facilitating crime platform.
## Activity Summary
Funnull Technology has been sanctioned by the US Treasury Department for allegedly providing critical infrastructure supporting thousands of cryptocurrency investment scams, commonly known as "pig butchering." This operation resulted in over **$200 million in losses** for U.S.-based victims, with average individual losses exceeding $150,000. The company's infrastructure supported the majority of virtual currency investment scam sites reported to the FBI. Activity was observed from at least October 2023 through April 2025.
## Tactics, Techniques & Procedures
- **Infrastructure Provisioning:** Purchasing and reselling internet infrastructure (IP addresses, hosting services) to cybercriminals.
- **Domain Generation:** Using Domain Generation Algorithms (DGA) to create domain names for scam sites hosted on their IP addresses.
- **Impersonation/Brand Spoofing:** Providing web design templates that allow scammers to impersonate legitimate brands using similar domain names.
- **Code Repository Weaponization:** Purchasing a code repository used by web developers and maliciously altering it to redirect legitimate site visitors to scam sites or online gambling platforms.
- **Operational Mobility:** Enabling scammers to quickly move operations across different domains and IP addresses.
- **Massive Scale Deployment:** Utilizing an exceptionally large number of domains, with the FBI identifying 548 CNAME records linked to **more than 332,000 unique domains** since January 2025.
- **Infrastructure Migration:** Observed patterns included the simultaneous migration of hundreds of domains to new IP addresses.
## Targeting
- **Sectors:** Financial/Cryptocurrency sector (facilitating investment fraud).
- **Geography:** Victims are explicitly stated to be **U.S.-based victims**. The platform operator is based in the Philippines.
- **Victims:** Individuals targeted by "pig butchering" cryptocurrency investment scams. Some of the redirected traffic was allegedly linked to Chinese criminal money laundering operations.
## Tools & Infrastructure
- **Malware Families Used:** Not specified, but the entity facilitates scams using website templates and domain generation.
- **Infrastructure (C2, domains, IPs; defanged where applicable):**
  - Operated a large cybercrime platform encompassing **more than 332,000 domains** linked to at least 548 CNAME records.
  - Used infrastructure sourced from legitimate providers in the United States.
  - Infrastructure was linked to redirecting traffic toward online gambling sites.
## Implications
Funnull represents a significant enabler of large-scale financial cybercrime, specifically sophisticated romance/investment fraud ("pig butchering"). Its ability to rapidly provision and manage hundreds of thousands of operational domains showcases a highly scalable criminal service layer that lowers the technical barrier for scammers and complicates takedown efforts. The sanctions aim to disrupt the foundational services supporting these multi-million dollar theft operations.
## Mitigations
- Vigilance against cryptocurrency investment scams, particularly those initiated by unknown romantic interests or friends (pig butchering schemes).
- Organizations should monitor for malicious code injection that redirects legitimate traffic, especially if using third-party code repositories.
- Continuous monitoring of DNS/IP reputation and rapid response protocols for domain/IP blocklisting associated with known infrastructure providers.
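The last two mitigations come down to one hunting loop: walk each monitored domain's CNAME chain, compare every hop and the terminal IP against infrastructure an analyst has attributed to a known provider, and group domains by their terminal CNAME target so that a handful of shared records exposes a much larger cluster (the pattern the FBI's 548-CNAME-to-332,000-domain figure implies). The Python below is an added example, not code from the report or from CyberScoop; the passive-DNS snapshot, the blocked CNAME zone and the blocked IP range are constructed placeholders standing in for data a defender would pull from their own resolver logs and threat feeds.

```python
"""Hunt for domains that chain through attributed CNAME zones or IP ranges.

All DNS data and blocklist entries below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed passive-DNS snapshot: owner name -> (record type, value).
DNS = {
    "invest-now.example":        ("CNAME", "edge7.scam-cdn.example"),
    "coin-profit.example":       ("CNAME", "edge7.scam-cdn.example"),
    "bank-l00kalike.example":    ("CNAME", "cdn.scam-cdn.example"),
    "edge7.scam-cdn.example":    ("CNAME", "cdn.scam-cdn.example"),
    "cdn.scam-cdn.example":      ("A", "203.0.113.10"),
    "news.example":              ("CNAME", "news.good-cdn.example"),
    "news.good-cdn.example":     ("A", "198.51.100.5"),
    "gambling-redirect.example": ("A", "203.0.113.77"),
    "corp.example":              ("A", "192.0.2.7"),
}

# Names an organisation actually monitors (customers, brands, partner sites).
MONITORED = [
    "invest-now.example", "coin-profit.example", "bank-l00kalike.example",
    "news.example", "gambling-redirect.example", "corp.example",
]

# Constructed attribution data: CNAME zones and networks tied to a provider.
BLOCKED_CNAME_SUFFIXES = ("scam-cdn.example",)
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def resolve_chain(name, dns=DNS, max_hops=10):
    """Follow CNAMEs from `name`; return (cname hops in order, final IP or None).

    `max_hops` guards against CNAME loops and absurdly deep chains.
    """
    hops, cur = [], name
    for _ in range(max_hops):
        rec = dns.get(cur)
        if rec is None:          # unresolved name: chain ends without an A record
            return hops, None
        rtype, value = rec
        if rtype == "A":
            return hops, value
        hops.append(value)
        cur = value
    return hops, None            # loop or chain deeper than max_hops


def matches_suffix(host, suffixes):
    """True if `host` is one of `suffixes` or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(name, dns=DNS):
    """Return the list of reasons `name` is flagged; empty list means clean."""
    hops, ip = resolve_chain(name, dns)
    reasons = [f"cname:{h}" for h in hops if matches_suffix(h, BLOCKED_CNAME_SUFFIXES)]
    if ip and any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETWORKS):
        reasons.append(f"ip:{ip}")
    return reasons


def cluster_by_terminal_cname(names, dns=DNS):
    """Group monitored names by the last CNAME before the A record.

    Names that resolve directly to an A record are grouped under None.
    """
    clusters = defaultdict(list)
    for n in names:
        hops, _ = resolve_chain(n, dns)
        clusters[hops[-1] if hops else None].append(n)
    return {k: sorted(v) for k, v in clusters.items()}


def hunt(names=MONITORED, dns=DNS):
    """Return {name: reasons} for every monitored name that is flagged."""
    return {n: classify(n, dns) for n in names if classify(n, dns)}


if __name__ == "__main__":
    for name, reasons in hunt().items():
        print(f"{name}: {', '.join(reasons)}")
    for terminal, members in cluster_by_terminal_cname(MONITORED).items():
        print(f"terminal {terminal}: {len(members)} domain(s)")
```

The terminal-CNAME grouping is the part worth keeping even without a blocklist: a single shared target suddenly fronting many unrelated brand-lookalike names, or hundreds of names moving to a new A record in the same hour, is the kind of migration the report describes and is visible in resolver logs before any feed labels it.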