Full Report
The U.S. Treasury Department has sanctioned Funnull Technology, a Philippines-based company that supports hundreds of thousands of malicious websites behind cyber scams linked to over $200 million in losses for Americans. [...]
Analysis Summary
# Threat Actor: Funnull (Sanctioned Entity / Cyber Scam Operation)
## Attribution & Identity
The entity identified is **Funnull**, a company sanctioned by the US Treasury's Office of Foreign Assets Control (OFAC) for its role in cyber scams.
* **Associated Individual:** **Liu Lizhi**, a Chinese national who acted as Funnull's administrator, managing employees and monitoring task progress.
## Activity Summary
Funnull is linked to extensive cyber scams:
* The Treasury announcement ties the scam websites hosted on Funnull infrastructure to over **$200 million in losses** for Americans.
* The FBI identified significant scam infrastructure associated with Funnull between January 2025 and April 2025.
* For context, the article notes that in 2024 cybercriminals stole a record $16.6 billion from Americans, over $6.5 billion of it through investment scams. Funnull's infrastructure is part of this broader scam ecosystem; the billion-dollar figures describe the ecosystem as a whole, not losses attributed to Funnull alone.
## Tactics, Techniques & Procedures
The details provided concern infrastructure management and scale rather than end-user exploitation TTPs:
* **Infrastructure Scaling:** Analysis between Jan 2025 and Apr 2025 identified **548 unique Funnull Canonical Names (CNAMEs)** linked to over **332,000 unique domains**.
* **Infrastructure Migration:** Between Oct 2023 and Apr 2025, IP address observations showed hundreds of domains using Funnull infrastructure migrating to new IPs together, often on the same day. Because these domains point at Funnull-controlled CNAMEs rather than carrying their own A records, a change to a CNAME target's IP moves every domain fronted by it at once, which is what makes the pattern visible in passive DNS.
* **CNAME Analysis:** Specific analysis of a sample of eight domains showed CNAME activity resolving to four CNAMEs tied to Funnull infrastructure across three different patterns between Feb 2023 and Apr 2025.
* *Note: Specific TTPs related to exploitation, lateral movement, or payload delivery (standard for traditional malware/ransomware actors) were not detailed in this summary.*
## Targeting
* **Sectors:** The article does not list specific organizational sectors; the scale of the losses and the investment-scam framing point to general consumers and retail investors as the targets rather than particular industries or organizations.
* **Geography:** Targeting appears primarily focused on victims in the **United States**, given the sanctions announcement referencing victims and the FBI alert originating from US agencies.
* **Victims:** General victims of **cyber scams and investment fraud**. No specific named organizations were mentioned.
## Tools & Infrastructure
* **Malware Families Used:** None explicitly mentioned, as the focus is on the infrastructure supporting mass scamming operations.
* **Infrastructure (C2, domains, IPs):**
* **Canonical Names (CNAMEs):** 548 unique Funnull CNAMEs identified.
* **Domains:** Over 332,000 unique domains linked to the infrastructure.
* **IP Addresses:** Multiple patterns of simultaneous IP migrations observed across hundreds of associated domains.
## Implications
The sanctions against Funnull and its administrator, Liu Lizhi, indicate a direct governmental action against entities facilitating large-scale financially motivated cybercrime, particularly investment scams that represent a massive and growing threat to US citizens. Disrupting the foundational infrastructure (the sheer volume of domains and CNAMEs) is key to degrading the actor's ability to perpetuate scams.
## Mitigations
* **Financial Institutions/US Persons:** Prohibited from conducting any transactions with Funnull and Liu Lizhi.
* **Asset Freezing:** U.S. assets controlled by Funnull and Liu are frozen.
* **Secondary Sanctions Exposure:** Financial institutions and foreign persons that engage with Funnull or Liu face potential secondary sanctions penalties.
* **Infrastructure Monitoring:** Match the technical indicators (CNAMEs, IPs) from the FBI flash alert against DNS logs and passive DNS to detect and block domains fronted by this infrastructure.
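The CNAME clustering and simultaneous-IP-migration patterns described under Tactics, Techniques & Procedures, and the indicator matching recommended under Infrastructure Monitoring, can both be run over passive DNS data. The following is an added example written for this summary; it is not code from the article, the FBI alert, or Funnull. The indicator zones (`funnull-cdn.test`), the fronting domains, the IPs and the dates are all constructed placeholders on reserved example/test names, not real Funnull indicators; a practitioner would substitute the CNAMEs and IPs published in the FBI flash alert and feed in real passive DNS records in the same `(date, name, rrtype, rdata)` shape.

```python
"""Cluster fronting domains by Funnull-style CNAME and detect co-migration.

Added example, not from the article or the FBI alert. All indicators, domains,
IPs and dates below are CONSTRUCTED placeholders (RFC 2606 / RFC 5737 ranges).
"""
from collections import defaultdict

# Hypothetical indicator zones standing in for the CNAMEs in the FBI alert.
CNAME_INDICATORS = {"funnull-cdn.test"}

# Constructed passive-DNS observations: (first_seen_date, name, rrtype, rdata).
PDNS = [
    ("2025-02-01", "invest-win.example", "CNAME", "edge1.funnull-cdn.test"),
    ("2025-02-01", "crypto-gain.example", "CNAME", "edge1.funnull-cdn.test"),
    ("2025-02-01", "fast-profit.example", "CNAME", "www.fast-profit.example"),
    ("2025-02-01", "www.fast-profit.example", "CNAME", "edge2.funnull-cdn.test"),
    ("2025-02-01", "legit-shop.example", "CNAME", "cdn.legit-provider.example"),
    ("2025-02-01", "edge1.funnull-cdn.test", "A", "203.0.113.10"),
    ("2025-02-01", "edge2.funnull-cdn.test", "A", "203.0.113.11"),
    ("2025-02-01", "cdn.legit-provider.example", "A", "198.51.100.5"),
    # Both Funnull edges move to the same new IP on the same day: co-migration.
    ("2025-03-15", "edge1.funnull-cdn.test", "A", "192.0.2.77"),
    ("2025-03-15", "edge2.funnull-cdn.test", "A", "192.0.2.77"),
    ("2025-03-15", "cdn.legit-provider.example", "A", "198.51.100.5"),
]


def matches_indicator(name, indicators=CNAME_INDICATORS):
    """True if name equals an indicator zone or is a subdomain of one.

    Suffix matching on label boundaries, so 'funnull-cdn.test.attacker.example'
    does not match 'funnull-cdn.test'.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def cname_map(records):
    """Most recently observed CNAME target per name."""
    cmap = {}
    for _date, name, rrtype, rdata in sorted(records):
        if rrtype == "CNAME":
            cmap[name] = rdata
    return cmap


def resolve_chain(name, cmap, max_hops=8):
    """Follow CNAMEs to the terminal name, guarding against loops."""
    seen = [name]
    while name in cmap and len(seen) <= max_hops:
        name = cmap[name]
        if name in seen:
            break  # CNAME loop; stop at the last distinct name
        seen.append(name)
    return seen[-1]


def cluster_by_cname(records, indicators=CNAME_INDICATORS):
    """Group domains by the indicator CNAME their chain terminates in."""
    cmap = cname_map(records)
    clusters = defaultdict(set)
    for name in cmap:
        terminal = resolve_chain(name, cmap)
        if matches_indicator(terminal, indicators) and not matches_indicator(name, indicators):
            clusters[terminal].add(name)
    return dict(clusters)


def fronting_domains(records, indicators=CNAME_INDICATORS):
    """Sorted blocklist of every domain fronted by an indicator CNAME."""
    names = set()
    for members in cluster_by_cname(records, indicators).values():
        names |= members
    return sorted(names)


def comigration_events(records, indicators=CNAME_INDICATORS, min_domains=2):
    """Days on which many fronted domains effectively moved to the same new IP.

    A records are tracked per indicator CNAME terminal; when a terminal's A
    record changes, every domain whose chain ends there migrated that day.
    """
    clusters = cluster_by_cname(records, indicators)
    last_ip = {}
    moved = defaultdict(set)  # (date, new_ip) -> fronted domains that migrated
    for date, name, rrtype, rdata in sorted(records):
        if rrtype != "A" or name not in clusters:
            continue
        prev = last_ip.get(name)
        last_ip[name] = rdata
        if prev is not None and prev != rdata:
            moved[(date, rdata)] |= clusters[name]
    return {k: v for k, v in moved.items() if len(v) >= min_domains}


if __name__ == "__main__":
    for cname, members in cluster_by_cname(PDNS).items():
        print(f"{cname}: {sorted(members)}")
    for (date, ip), members in comigration_events(PDNS).items():
        print(f"{date}: {len(members)} domains moved to {ip} together")
    print("blocklist:", fronting_domains(PDNS))
```

The co-migration check is what separates this from a plain indicator lookup: a legitimate CDN also fronts many domains behind one CNAME, but the combination of an indicator CNAME terminal and a large set of unrelated domains jumping to one new IP on one day is the signal the FBI analysis describes. Raise `min_domains` to suit the size of your dataset, and treat `resolve_chain` hitting `max_hops` as a data-quality flag rather than a verdict.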