Philippines-based Funnull Technology, along with one of its administrators, has been hit with Office of Foreign Assets Control (OFAC) sanctions for its role as a knowing infrastructure provider for hundreds of thousands of malicious sites engaging in cyber scams.
The move is accompanied by an FBI cybersecurity advisory that warns the rogue infrastructure provider is a central player in supporting cryptocurrency and romance scams, and that it purchases legitimate US IP addresses so it can offer seemingly trustworthy sites backed by “https” URLs that display as being secure in web browsers. While many of the malicious URLs linked to the provider are essentially gibberish, some plausibly imitate legitimate brands such as Coinbase and BTCC.
Cyber scams service provider facilitated over $200 million in fraud
Funnull has served as a rogue infrastructure provider dating back to at least October 2023. The outfit focuses on supporting “pig butchering” schemes that involve fake crypto investment opportunities or romance scams, with victims usually strung along over an extended period and convinced to make increasingly large payments to the scammer.
The FBI security advisory maps out over 332,000 unique domain names managed by Funnull. While many of these would appear to be scam domains at a glance, some in the mix use a “.com” extension with plausible imitations of brand names like Coinbase and BTCC. That, combined with the seeming safety of URLs displaying a secure HTTPS link, likely contributed to the total take of at least $200 million that sites hosted by the infrastructure provider generated over about a year and a half.
“Pig butchering” cyber scams will generally string victims along for as long as they can be convinced to continue making payments. Once they start asking questions and stop sending money, the threat actor breaks communication abruptly and absconds with the so-called investment. The FBI advises that most of these scams are organized by crime rings based throughout Southeast Asia that sometimes use trafficked and forced labor to communicate with their targets. The infrastructure provider’s role in these scams is to purchase bulk IP addresses from legitimate US cloud service providers, generate domain names for its scammer customers and provide them with web design templates that impersonate major brand names. Funnull took things a step further in 2024 by purchasing a code repository commonly used by web developers, Polyfill.io, and altering it so that visitors accessing legitimate site URLs would be redirected to some sort of scam or gambling site controlled by threat actors.
Key administrator of infrastructure provider also sanctioned
Administrator Liu Lizhi, a Chinese national, was also individually sanctioned for possessing documentation of company and employee progress on assigning domain names to known criminals for cyber scams. Reuters reports that he is 40 years old and has residences listed in Shanghai and Ganzhou. As a whole, the infrastructure provider was sanctioned for providing material and technological support to cyber criminals based outside the US and engaged in targeting the country’s residents.
The sanctions were likely spurred by an October 2024 report issued by researchers with Silent Push that mapped out the extent of the rogue infrastructure provider’s criminal dealings. Though not explicitly mentioned in the OFAC or FBI releases, the Silent Push team found ties to the North Korean state-sponsored “Lazarus” hacking group and retail scam campaigns that included popular brands such as Chanel, Neiman Marcus and Saks Fifth Avenue. The cyber scams also reportedly heavily targeted a robust underground Southeast Asian gambling market that is primarily funded by Tether cryptocurrency.
Cryptocurrency scams took in about $10 billion in 2024, a record annual amount, and much of that was driven by a surge in similar “pig butchering” attacks. Since 2020 the losses to these cyber scams have grown 40% year over year, according to a February 2025 report from Chainalysis, and artificial intelligence is definitely assisting criminals in more quickly approaching larger numbers of targets and polishing their communications. The “romance scam” is often used as a lead-in to eventually convince a target to invest in a fake cryptocurrency scheme of some sort, with the attacker first building trust and then eventually presenting the scam as some sort of legitimate investment opportunity.
Though third-party security research often drives attention to threat actors, the FBI encourages the public to report any knowledge of cyber scams or other online criminal activity to the Internet Crime Complaint Center (IC3).
Gabrielle Hempel, Security Operations Strategist and Threat Intelligence Researcher for the Exabeam TEN18 Team, notes that incidents like these will eventually prompt cloud service providers to step up their customer verification processes: “The sanctions against Funnull and Liu Lizhi are an interesting move for OFAC. It points to how deeply IaaS abuse has scaled and evolved to support cyber fraud. This is intentional, active facilitation of large-scale financial crimes using this technology. From a cybersecurity perspective, the use of DGAs, fast-flux IP rotation, and spoofed brand templates isn’t novel—but the operational scale is what is alarming. Tying 332,000 domains to a single provider with coordinated CNAME infrastructure shifts and templated phishing kits reflects a level of orchestration we typically associate with state-backed APTs, not financially-motivated romance scams. This is also going to spur changes (hopefully) in the next phase of hosting—the fact that they purchased cloud IP blocks in bulk highlights a critical vulnerability in the cloud ecosystem: the lack of Know-Your-Customer (KYC) enforcement at scale among cloud service providers. The most exciting part of OFAC’s move is that it sends a clear message that the infrastructure layer is now fair game for sanctions when it directly facilitates harm to U.S. persons. This means that companies that knowingly or negligently support these operations—whether by renting infrastructure, enabling rapid domain propagation, or turning a blind eye to abuse reports—are going to find themselves in regulatory crosshairs.”

