The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) has levied sanctions against a Philippines-based company named Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure to conduct romance baiting scams that led to massive cryptocurrency losses.
The Treasury accused the Taguig-headquartered company of enabling thousands of websites involved in virtual currency investment scams that caused Americans to lose billions of dollars annually.
“Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses,” the agency said in a press release. The average loss is estimated to be over $150,000 per individual.
Funnull, also called Fang Neng CDN (funnull[.]io, funnull[.]com, funnull[.]app, and funnull[.]buzz), first attracted the attention of the cybersecurity community in June 2024 after it was implicated in the supply chain attack of the widely-used Polyfill[.]io JavaScript library.
Last year, an analysis by Silent Push revealed that the infrastructure associated with Funnull has been used to promote investment scams, fake trading applications, and suspect gambling networks. The infrastructure has been codenamed Triad Nexus.
Then earlier this February, the cybersecurity company attributed Funnull to a practice dubbed infrastructure laundering wherein the company rented IP addresses from mainstream hosting providers such as Amazon Web Services (AWS) and Microsoft Azure to host criminal websites.
Highlighting this aspect, the Treasury said Funnull enables virtual currency investment scams by acquiring IP addresses in bulk from major cloud services companies across the world and selling them to cybercriminals to host scam platforms and other malicious web content.
“Funnull generates domain names for websites on its purchased IP addresses using domain generation algorithms (DGAs) – programs that generate large numbers of similar but unique names for websites – and provides web design templates to cybercriminals,” the agency pointed out.
“These services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites but also allow them to quickly change to different domain names and IP addresses when legitimate providers attempt to take the websites down.”
The Treasury also accused Funnull of purchasing Polyfill[.]io with the intent to redirect visitors of legitimate websites to scam websites and online gambling sites, some of which it said are linked to Chinese criminal money laundering operations.
Furthermore, the department alleged that its administrator Liu, a Chinese national, was in possession of spreadsheets and other documents that contained information about the company’s employees, their performance, and their work progress.
The tasks assigned to them included assigning domain names to criminal actors for virtual currency investment fraud, phishing scams, and online gambling sites.
In a standalone flash alert, the U.S. Federal Bureau of Investigation (FBI) said it identified 548 unique Funnull Canonical Names (CNAME) linked to over 332,000 unique domains since January 2025.
“Between October 2023 and April 2025, multiple patterns of IP address activity were observed from several domains using Funnull infrastructure,” the FBI said. “During this time frame, hundreds of domains using Funnull infrastructure simultaneously migrated from one IP address to another either on the same exact day or within the same timeframe.”
