One of the leading rogue internet infrastructure providers has been sanctioned by the Office of Foreign Assets Control (OFAC), but the news serves more as a warning about technical capability than as an announcement that the internet is now substantially safer from this threat. While the sanctions do limit Funnull Technology’s ability to purchase US IP addresses, a key component of its business, Funnull and similar services will continue to provide a helping hand to the purveyors of cyber scams, and organizations must be aware of what they are capable of.
Actual impact on scam infrastructure provider remains to be seen
Funnull Technology is based in the Philippines, but appears to be operated by Chinese nationals and caters to an organized crime clientele largely located throughout Southeast Asia. OFAC says that the rogue infrastructure provider is the backbone of hundreds of thousands of sites devoted to cyber scams, and that its primary business as a “bulletproof host” was providing and rotating domain names and US-based IP addresses to its clients.
Funnull focuses on clients that run “pig butchering” cryptocurrency scams that rely on social engineering, sometimes with an added “romance scam” component as the lead-in to walking victims into making payments. Its primary role as an infrastructure provider is to purchase US IP addresses in bulk from legitimate cloud services, then assign and rotate them among its clients as the addresses are gradually reported to known scam site lists and blocked by assorted security software. The US IPs help scammers slip past automated security detection and provide a URL that is backed by an SSL/TLS certificate, giving it a valid “https” address (and the green “secure” symbol in web browsers) that lends legitimacy to the cyber scams.
At least in theory, the sanctions should make it tougher for the rogue infrastructure provider to buy these IP addresses. Anyone in the US knowingly doing business with Funnull can now be fined, and assets used in cyber scams can be legally seized. How much trouble this will actually cause remains to be seen, given that purchasing IP addresses involves little in the way of identity verification. Just one of its administrators, Liu Lizhi, was also individually sanctioned; however, this person appears to be a Chinese national who resides in either Shanghai or Ganzhou.
332,000 domain names used to support cyber scams
The illicit infrastructure provider has been in business since at least late 2023 and is one of the bigger ones of its type, but far from the only one. The FBI says that it has located over 332,000 unique domain names owned by the group and that the cyber scams it facilitates have taken in at least $200 million altogether over this time. Its central focus is on providing URLs that appear to belong to legitimate crypto brands, like Coinbase and BTCC. The list of URLs has a lot of obvious garbage in the mix, but it also contains domain names of this sort that would look legitimate to someone inexperienced or not taking the time to carefully vet links. Many victims are likely on phones with poor to no URL visibility, relying entirely on background security software that waves the URLs through.
Funnull is particularly dangerous among these infrastructure providers as it has the resources to make aggressive moves. Most notably, it purchased the widely-used legitimate web development site “polyfill.io” and its code repository in 2024 and injected malicious links all through it. The original owner of the site is now advising that it is a cyber threat and should no longer be used.
Prior security research on Funnull indicates that it may also be an infrastructure provider for North Korea’s “Lazarus” group and that it is additionally supporting numerous cyber scams involving brand name retail fraud and fake mobile apps. AI has provided a major general boost to “pig butchering” schemes, as crime rings can more easily maintain contact with a larger number of victims and polish up their communications in non-native languages to expand their reach.
In terms of responding to these threats, awareness of these capabilities is important. First, a “security” symbol in a web browser only guarantees that traffic is encrypted in transit, not that the site has been vetted by anyone. Second, URLs used in cyber scams must generally approach or strike at least one victim before being flagged and reported, and criminals can easily rotate their attack URLs and continue to operate even after these sites are identified. Ultimately this may be another area that requires increased regulatory intervention, as the tools that these criminals purchase generally do not have “know your customer” elements in place.
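Because blocklists lag behind domain rotation, defenders can add a local heuristic that flags brand-lookalike hostnames (the Coinbase- and BTCC-style domains described above) before any list catches up. The following is an added example written for this article, not code from the article, the FBI, or any vendor. The official-domain table, the two-part suffix list, the digit-folding map and the sample hostnames are all constructed assumptions; a production pipeline would use the Public Suffix List and a maintained brand registry instead.

```python
"""Brand-lookalike hostname triage (added example; not from the article)."""
from dataclasses import dataclass, field

# Constructed assumption: brand token -> registrable domains treated as official.
OFFICIAL = {
    "coinbase": {"coinbase.com"},
    "btcc": {"btcc.com"},
}

# Constructed stand-in for the Public Suffix List: suffixes made of two labels.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "com.ph", "co.jp"}

# Digits commonly substituted for letters in lookalike names, folded back.
DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b"})


def registrable(host: str) -> str:
    """Return the registrable domain (last two labels, or three for a two-part suffix)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class Finding:
    host: str
    brand: str
    reasons: list = field(default_factory=list)


def check_host(raw_host: str):
    """Return a Finding if the host resembles a brand without being official, else None."""
    host = raw_host.strip().lower().rstrip(".")
    reg = registrable(host)
    # Anything whose registrable domain is an official one is genuine; stop here.
    if any(reg in official for official in OFFICIAL.values()):
        return None
    folded = host.translate(DIGIT_FOLD)                     # c0inbase -> coinbase
    squashed = folded.replace("-", "").replace(".", "")     # coin-base -> coinbase
    for brand in OFFICIAL:
        reasons = []
        if brand in host:
            reasons.append("brand token inside a non-official domain")
        elif brand in folded:
            reasons.append("brand token appears after folding digit look-alikes")
        elif brand in squashed:
            reasons.append("brand token split by hyphens or dots")
        else:
            continue
        # Brand only in a subdomain (e.g. coinbase.com.evil.example) is a strong signal.
        if brand not in reg.translate(DIGIT_FOLD).replace("-", ""):
            reasons.append("brand token only in a subdomain; registrable domain is unrelated")
        return Finding(host, brand, reasons)
    return None


def triage(hosts):
    """Map each hostname to its list of reasons (empty list means no lookalike signal)."""
    results = {}
    for h in hosts:
        finding = check_host(h)
        results[h] = finding.reasons if finding else []
    return results


# Constructed sample hostnames for demonstration only.
SAMPLE_HOSTS = [
    "www.coinbase.com",
    "coinbase.com.evil.example",
    "secure-c0inbase.com",
    "coin-base-login.com",
    "btcc.com",
    "bitcoin-wallet.example",
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_HOSTS).items():
        verdict = "FLAG" if reasons else "ok  "
        print(f"{verdict} {host}: {'; '.join(reasons) or 'no lookalike signal'}")
```

The heuristic deliberately stops at the registrable domain check first, so a legitimate subdomain such as www.coinbase.com is never flagged regardless of the brand tokens it contains. The remaining checks only raise a signal, they do not prove fraud; paired with the point that a valid certificate says nothing about who operates a site, this gives analysts a way to queue suspicious hostnames for review instead of waiting for a blocklist update.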