Full Report
The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams, commonly known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.
Analysis Summary
# Threat Actor: Funnull Technology Inc. (Operating as a Cybercriminal Infrastructure Provider)
## Attribution & Identity
**Primary Entity:** Funnull Technology Inc. (Philippines-based company).
**Key Individual:** Liu Lizhi (40-year-old Chinese administrator).
**Association:** Facilitates computer infrastructure for virtual currency investment scams ("pig butchering"). Linked to domains promoting gambling sites bearing the Suncity Group logo.
## Activity Summary
Funnull operates as a criminal Content Delivery Network (CDN) providing infrastructure services for cybercriminals.
It primarily facilitates "pig butchering" scams, which resulted in over \$200 million in U.S. victim-reported losses.
The activity was detailed in research by Silent Push (October 2024) and revisited in January 2025. Funnull funnels traffic through numerous auto-generated domains and U.S.-based cloud providers.
Funnull's operations are reportedly linked to the majority of virtual currency investment scam websites reported to the FBI.
## Tactics, Techniques & Procedures
- **Infrastructure Laundering:** Routing malicious traffic through a dizzying chain of auto-generated domain names and U.S.-based cloud providers (Amazon, Microsoft).
- **Domain Generation:** Regularly generating a slew of new domains mapped to Internet addresses on U.S. cloud platforms.
- **Evasion:** Using U.S. cloud IP addresses to appear geographically closer to targets, helping sidestep location-based security controls (e.g., bank geo-restrictions).
- **Abuse of Legitimate Providers:** Exploiting the reluctance of organizations to block U.S.-based cloud networks for fear of blocking legitimate destinations sharing the same network segments.
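The pattern in the list above can be triaged per hostname instead of per network range. The following is an added example, not code from the original report: the DNS records are constructed, the cloud prefix is an RFC 5737 documentation range standing in for a provider's published prefixes, and the thresholds (30 days, two CNAME hops) are assumptions.

```python
import ipaddress
from datetime import date

# Constructed placeholder prefix (RFC 5737 documentation space) standing in
# for a cloud provider's published ranges; not a real provider range.
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed passive-DNS view: name -> (record type, value, first seen)
RECORDS = {
    "pay.example.test": ("CNAME", "k3x9q.cdn-a.example.test", date(2025, 5, 20)),
    "k3x9q.cdn-a.example.test": ("CNAME", "z81mm.edge-b.example.test", date(2025, 5, 19)),
    "z81mm.edge-b.example.test": ("A", "203.0.113.45", date(2025, 5, 19)),
    "www.shop.example.test": ("A", "203.0.113.10", date(2019, 3, 2)),
    "new.blog.example.test": ("A", "198.51.100.7", date(2025, 5, 25)),
}

def resolve_chain(name, records, max_hops=10):
    """Follow CNAMEs; return (names visited, terminal IP or None)."""
    chain = []
    while name in records and len(chain) < max_hops:  # hop cap also stops loops
        rtype, value, _ = records[name]
        chain.append(name)
        if rtype == "A":
            return chain, value
        name = value
    return chain, None

def assess(name, records, today, max_age_days=30, min_cnames=2):
    """Flag a hostname only when all three traits coincide."""
    chain, ip = resolve_chain(name, records)
    if ip is None:
        return {"name": name, "ip": None, "flag": False, "reasons": ["unresolved"]}
    addr = ipaddress.ip_address(ip)
    age = min((today - records[n][2]).days for n in chain)  # youngest record
    checks = {
        "cloud_ip": any(addr in net for net in CLOUD_RANGES),
        "cname_chain": len(chain) - 1 >= min_cnames,
        "new": age <= max_age_days,
    }
    reasons = [k for k, ok in checks.items() if ok]
    return {"name": name, "ip": ip, "flag": all(checks.values()), "reasons": reasons}
```

The long-lived site sharing the same cloud prefix is not flagged, which is the reason to act on the hostname and its chain instead of blocking the range.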
## Targeting
- **Sectors:** Financial services (specifically cryptocurrency investment platforms/scams).
- **Geography:** Victims appear primarily U.S.-based (resulting in over \$200 million in U.S. victim losses). The infrastructure is hosted globally, leveraging U.S. cloud providers.
- **Victims:** Individuals lured into fraudulent cryptocurrency trading platforms via romance/flirtation scams ("pig butchering").
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but the infrastructure supports virtual currency investment scams.
- **Infrastructure:** Provides Content Delivery Network (CDN) services. Heavily utilized **Amazon AWS** and **Microsoft** cloud Internet addresses for hosting and traffic routing (though Microsoft has reportedly done a better job than Amazon of cleaning up the addresses reported to it).
## Implications
Funnull represents a significant enabler of high-yield financial fraud, specifically sophisticated pig butchering operations. The use of major U.S. cloud infrastructure highlights the dependency of cybercriminals on the trust and infrastructure of legitimate technology providers. The prolonged use of the same malicious cloud IPs, even after public claims of clean-up, indicates potential blind spots or slower enforcement responses from certain cloud providers.
## Mitigations
- **Cloud Provider Vetting:** Cloud Service Providers (CSPs) must aggressively enforce abuse policies, especially concerning persistent abuse traced via automated domain mapping and infrastructure laundering techniques.
- **Abuse Reporting:** Use forms such as the AWS Report Abuse form to notify CSPs promptly of suspected malicious activity.
- **Geographic Security Controls:** Implement security measures capable of determining true origin beyond simple IP geolocation, especially against traffic purporting to originate from trusted U.S. cloud segments.