- Cyber Syrup
- Posts
- OFAC Sanctions Philippines-Based Funnull Technology for Enabling Cryptocurrency Investment Scams
OFAC Sanctions Philippines-Based Funnull Technology for Enabling Cryptocurrency Investment Scams
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued sanctions against Funnull Technology Inc
In partnership with
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Learn AI in 5 minutes a day
This is the easiest way for a busy person wanting to learn AI in as little time as possible:
Sign up for The Rundown AI newsletter
They send you 5-minute email updates on the latest AI news and how to use it
You learn how to become 2x more productive by leveraging AI
OFAC Sanctions Philippines-Based Funnull Technology for Enabling Cryptocurrency Investment Scams
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued sanctions against Funnull Technology Inc., a Philippines-based company, and its administrator Liu Lizhi, for their role in supporting romance baiting scams and cryptocurrency fraud that have collectively led to massive financial losses among U.S. citizens.
Funnull is accused of providing the technical infrastructure necessary for virtual currency investment scams, resulting in over $200 million in victim-reported losses in the United States alone. The average loss per victim is estimated to be over $150,000, highlighting the scale and severity of the fraudulent activity.
Company Background and Role in Cybercrime
Funnull Technology Inc., headquartered in Taguig City, Philippines, operates under multiple domain names, including:
funnull[.]iofunnull[.]comfunnull[.]appfunnull[.]buzz
The company, also referred to as Fang Neng CDN, came under the radar of the cybersecurity community in June 2024 after it was linked to a supply chain attack involving the popular Polyfill[.]io JavaScript library. Cybersecurity firm Silent Push previously revealed that Funnull’s infrastructure—codenamed Triad Nexus—had been used to support investment scams, fake trading apps, and illegal gambling sites.
In a February 2025 analysis, Silent Push further attributed to Funnull a practice termed infrastructure laundering. This involves renting IP addresses from reputable providers like Amazon Web Services (AWS) and Microsoft Azure, then reselling that infrastructure to criminal groups who use it to host malicious content.
Treasury Department Findings
According to OFAC, Funnull:
Acquired IP addresses in bulk from global cloud providers
Leased them to cybercriminals to host fraudulent investment and phishing websites
Used Domain Generation Algorithms (DGAs) to create large volumes of unique but related domain names, aiding evasion from takedown efforts
Supplied web design templates to scammers to help impersonate trusted brands
Rapidly rotated domain names and IP addresses to avoid detection and shutdowns
These tactics enabled cybercriminals to build convincing, scalable scam operations, often under the guise of reputable investment platforms or romance-based relationship-building tools.
The Treasury also accused Funnull of purchasing Polyfill[.]io for the explicit purpose of redirecting visitors from legitimate websites to scam or gambling pages, some of which are reportedly connected to Chinese criminal money laundering networks.
Involvement of Administrator Liu Lizhi
The administrator of Funnull, Liu Lizhi, a Chinese national, has also been sanctioned. The U.S. government alleges Liu possessed detailed operational documents, including employee performance spreadsheets and domain assignment logs.
These records reportedly outlined tasked employees with:
Assigning domains for fraudulent cryptocurrency schemes
Supporting phishing scams
Managing online gambling infrastructure
Liu’s direct involvement in orchestrating and overseeing these operations strengthens the case for his inclusion on OFAC’s sanctions list.
FBI Findings and Infrastructure Scale
In a separate flash alert, the Federal Bureau of Investigation (FBI) disclosed that it had identified 548 Funnull Canonical Name (CNAME) records, linked to more than 332,000 unique domains since January 2025.
Between October 2023 and April 2025, the FBI observed coordinated IP migrations among these domains, further confirming the systematic nature of the infrastructure laundering operation.
“Hundreds of domains using Funnull infrastructure simultaneously migrated from one IP address to another either on the same exact day or within the same timeframe,” the FBI noted.
Implications and Recommendations
For Individuals and Businesses
Be cautious of unsolicited investment offers, especially those that promise quick cryptocurrency gains.
Verify the legitimacy of AI tools, trading platforms, or romantic connections before engaging.
Use browser extensions or tools that can identify suspicious domains or detect redirections.
For Hosting Providers and Registrars
Implement more rigorous vetting and monitoring of clients purchasing IP address blocks or registering mass domain names.
Cooperate with law enforcement in identifying infrastructure patterns associated with criminal activity.
Conclusion
The sanctions against Funnull Technology Inc. and its administrator Liu Lizhi highlight a growing trend in infrastructure-as-a-service models being used to fuel online fraud and cybercrime. By leveraging legitimate cloud platforms to host scam websites and phishing content, criminals are making it harder for users and authorities to distinguish between real and malicious services.
As cybercriminals continue to exploit infrastructure loopholes and social engineering techniques, coordinated action between governments, cybersecurity firms, and hosting providers will be crucial in mitigating the growing threat of crypto-enabled scams.