US Sanctions Cloud Provider Funnull as Top Source of "Pig Butchering" Scams - Krebs on Security

Image: Shutterstock, ArtHead.

The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as "pig butchering." In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.

"Americans lose billions of dollars annually to these cyber scams, with revenues generated from these crimes rising to record levels in 2024," reads a statement from the U.S. Department of the Treasury, which sanctioned Funnull and its 40-year-old Chinese administrator, Liu Lizhi. "Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses."

The Treasury Department said Funnull's operations are linked to the majority of virtual currency investment scam websites reported to the FBI. The agency said Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses by Americans.

Pig butchering is a rampant form of fraud wherein people are lured by flirtatious strangers online into investing in fraudulent cryptocurrency trading platforms. Victims are coached to invest more and more money into what appears to be an extremely profitable trading platform, only to find their money is gone when they wish to cash out.

The scammers often insist that investors pay additional "taxes" on their crypto earnings before they can see their invested funds again (spoiler: they never do), and a shocking number of people have lost six figures or more through these pig butchering scams.

KrebsOnSecurity's January story on Funnull was based on research from the security firm Silent Push, which discovered in October 2024 that a vast number of domains hosted via Funnull were promoting gambling sites that bore the logo of the Suncity Group, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean state-sponsored hacking group Lazarus.

Silent Push found Funnull was a criminal content delivery network (CDN) that carried a great deal of traffic tied to scam websites, funneling the traffic through a dizzying chain of auto-generated domain names and U.S.-based cloud providers before redirecting to malicious or phishous websites. The FBI has released a technical writeup (PDF) of the infrastructure used to manage the malicious Funnull domains between October 2023 and April 2025.

A graphic from the FBI explaining how Funnull generated a slew of new domains on a regular basis and mapped them to Internet addresses on U.S. cloud providers.

Silent Push revisited Funnull's infrastructure in January 2025 and found Funnull was still using many of the same Amazon and Microsoft cloud Internet addresses identified as malicious in its October report. Both Amazon and Microsoft pledged to rid their networks of Funnull's presence following that story, but according to Silent Push's Zach Edwards, only one of those companies has followed through.

Edwards said Silent Push no longer sees Microsoft Internet addresses showing up in Funnull's infrastructure, while Amazon continues to struggle with removing Funnull servers, including one that appears to have first materialized in 2023.

"Amazon is doing a terrible job. Every day since they made those claims to you and us in our public blog, they have had IPs still mapped to Funnull, including some that have stayed mapped for inexplicable periods of time," Edwards said.

Amazon said its Amazon Web Services (AWS) hosting platform actively counters abuse attempts.

"We have stopped hundreds of attempts this year related to this group, and we are looking into the information you shared earlier today," reads a statement shared by Amazon. "If anyone suspects that AWS resources are being used for abusive activity, they can report it to AWS Trust & Safety using the report abuse form here."

U.S.-based cloud providers remain an attractive home base for cybercriminal organizations because many organizations will not be overly aggressive in blocking traffic from U.S.-based cloud networks, as doing so can result in blocking access to many legitimate web destinations that are also on that same shared network segment or host.

What's more, funneling their bad traffic so that it appears to be coming out of U.S. cloud Internet providers allows cybercriminals to connect to websites from web addresses that are geographically closer to their targets and victims, to sidestep location-based security controls (by your bank, for example).

Funnull is not the only cybercriminal infrastructure-as-a-service provider that was sanctioned this month. On May 20, 2025, the European Union imposed sanctions on Stark Industries Solutions, an ISP that materialized at the start of Russia's invasion of Ukraine and has been used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

In May 2024, KrebsOnSecurity published a deep dive on Stark Industries Solutions that found much of the malicious traffic traversing Stark's network (e.g., vulnerability scanning and password brute force attacks) was being bounced through U.S.-based cloud providers. My reporting showed how deeply Stark had penetrated U.S. ISPs, and that its co-founder for many years sold "bulletproof" hosting services that told Russian cybercrime forum customers they would proudly ignore any abuse complaints or police inquiries.

The homepage of Stark Industries Solutions.

That story examined the history of Stark's co-founders, Moldovan brothers Ivan and Yuri Neculiti, who each denied past involvement in cybercrime or any current involvement in assisting Russian disinformation efforts or cyberattacks. Nevertheless, the EU sanctioned both brothers as well.

The EU said Stark and the Neculiti brothers "enabled various Russian state-sponsored and state-affiliated actors to conduct destabilising
activities, including coordinated information manipulation and interference, and cyberattacks against the Union and third countries, by providing services intended to hide these activities from European law enforcement and security agencies."
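The FBI graphic described above (a steady stream of new, short-lived, auto-generated hostnames mapped onto the same cloud addresses) suggests one thing a defender can look for in their own resolver logs or a passive-DNS export. The script below is an added example written for this page; it is not code from the article, Silent Push, or the FBI writeup. The export format, the documentation-range IPs, the thresholds and the function names are all assumptions, and the records are constructed.

```python
"""Flag IPs that show the "domain churn" pattern: many newly seen, short-lived,
auto-generated-looking hostnames mapped to the same address within a window.
Input is a constructed passive-DNS-style export (first_seen,last_seen,domain,ip)."""
import statistics
from datetime import date, timedelta

# Constructed sample export. IPs are from RFC 5737 documentation ranges and
# the .example names are invented; nothing here is real Funnull infrastructure.
SAMPLE_EXPORT = """\
first_seen,last_seen,domain,ip
2025-01-03,2025-01-05,k3x9qwz2.example,203.0.113.10
2025-01-04,2025-01-06,p7tr4mnb.example,203.0.113.10
2025-01-05,2025-01-07,zq81vcx0.example,203.0.113.10
2025-01-06,2025-01-08,m2nd8kls.example,203.0.113.10
2024-06-01,2025-01-08,shop.example,198.51.100.5
2024-09-12,2025-01-08,blog.example,198.51.100.5
2025-01-02,2025-01-08,news.example,198.51.100.5
2025-01-02,2025-01-08,portal.example,198.51.100.77
2025-01-02,2025-01-08,mail.example,198.51.100.77
2025-01-02,2025-01-08,www.example,198.51.100.77
"""


def parse_export(text):
    """Parse the CSV-like export into dicts with date objects (header skipped)."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        first, last, domain, ip = line.strip().split(",")
        rows.append({
            "first": date.fromisoformat(first),
            "last": date.fromisoformat(last),
            "domain": domain.lower(),
            "ip": ip,
        })
    return rows


def looks_generated(domain):
    """Crude heuristic (assumption): a long leftmost label mixing letters and
    digits is treated as auto-generated. Real deployments would use a better model."""
    label = domain.split(".")[0]
    return (len(label) >= 8
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))


def churn_by_ip(rows, as_of, window_days=7, min_new_domains=3,
                max_median_lifetime_days=3):
    """Return {ip: summary} for IPs that gained at least `min_new_domains` new
    names in the window and whose median name lifetime is short.
    The lifetime check keeps ordinary "many new vhosts on one box" cases out."""
    window_start = as_of - timedelta(days=window_days)
    by_ip = {}
    for r in rows:
        by_ip.setdefault(r["ip"], []).append(r)

    flagged = {}
    for ip, recs in by_ip.items():
        new = [r for r in recs if r["first"] >= window_start]
        if len(new) < min_new_domains:
            continue
        median_life = statistics.median((r["last"] - r["first"]).days for r in new)
        if median_life > max_median_lifetime_days:
            continue
        flagged[ip] = {
            "new_domains": len(new),
            "median_lifetime_days": median_life,
            "generated_looking": sum(looks_generated(r["domain"]) for r in new),
            "domains": sorted(r["domain"] for r in new),
        }
    return flagged


def run_sample():
    """Run the detector over the constructed export as of 2025-01-08."""
    return churn_by_ip(parse_export(SAMPLE_EXPORT), as_of=date(2025, 1, 8))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"{ip}: {info['new_domains']} new names, median lifetime "
              f"{info['median_lifetime_days']} days, "
              f"{info['generated_looking']} look generated -> {info['domains']}")
```

In the constructed data only 203.0.113.10 is flagged: 198.51.100.5 gained just one name in the window, and 198.51.100.77 gained three but they were long-lived and human-readable. A flagged IP is a lead for review, not a block decision; as the article notes, the same address range may carry legitimate sites.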
This entry was posted on Thursday, 29th of May 2025, 09:55 PM.
This is a stark reminder of how deeply embedded cybercrime infrastructure has become. The fact that Funnull operated through major cloud providers like AWS and Microsoft Azure, facilitating scams that led to over $200 million in U.S. victim losses, is alarming. It underscores the need for cloud services to implement stricter monitoring and verification processes to prevent such abuse.

This is an interesting account to be commenting on a post about pig butchering scams. An obviously AI-generated comment, and linking to a poorly attempted imitation of a high-class escort's information page. Naturally the images there are computer generated as well. One can only assume this is a clumsy attempt to draw some poor sap into forwarding a deposit, as I believe SEO no longer benefits from links in user-submitted areas such as comments. But I may be mistaken on that part.

wowzers

It's quite a good site also.

Who will buy cloud servers from a company that monitors their traffic like that?

that's crazy

that's crazy1

that's crazy

When I hear "imposed economic sanctions" I think of countries. I wonder what kinds of sanctions are being imposed on the company and how effective they will be.

Sanctions can and are quite often imposed on individuals and individual companies. Travel is restricted, assets seized, business transactions or contracting prohibited, and anyone found to be dealing with them can be fined. If the host country is shielding the target, they're much less effective and can operate with some impunity (Russia, China, N. Korea, Iran, etc.), but in the Philippines I'd assume they want to preserve their relationship with the western powers for basic reasons. China in particular has been branching out and setting up operations like this in various other countries where they're semi-autonomous and can fly under the radar via bribes. It's completely whack-a-mole. Every once in a while these individuals will decide they aren't afraid to visit UK/USA/EU states, or merely layover or even fly over, and they find out what it's all about. As a deterrent, well, they don't seem particularly deterred, do they?

And sanctions for people: a case that I know of and is in progress is against the Brazilian minister Alexandre de Moraes, who is using the Magnitsky law.

Stark Industries: I laugh when they place contact information for complaints on their Whois entry. For me, most of Stark is blocked at the IP level, LOL. Proton66 OOO is another one in the same genre. After getting a few years of Apache log entries into a MySQL database, it's obvious that a lot of the governmental seizing activity is absolutely futile. All that happens is the threat actors just move to other IP addresses based on GET statements. And that's just IPv4; I don't even try to open IPv6.

Thanks for the article. This knowledge on US sanctions seems great for my own digital marketing companies in Dubai.

Why would this be useful for you in Dubai? I ran a small digital marketing company out of Oman for about 12 years and never had any sort of reason to even consider something like that.

if you click on the bot's name there is a link