OFAC FREEZES FUNNULL: Philippine Hosting Hub that Fueled $200 M ‘Pig-Butchering’ Scams


The U.S. OFAC has sanctioned Funnull Technology Inc. and its Chinese administrator Liu Lizhi for supplying the digital backbone—IP addresses, domains, and malicious code—that enabled hundreds of thousands of virtual-currency “pig-butchering” scams and at least $200 million in reported U.S. victim losses. The move, coordinated with the FBI and building on prior FinCEN warnings, disrupts a major cyber-crime supply chain and places global compliance teams on notice.


Key Points

  1. Designations: Funnull and Liu were added to the SDN list under E.O. 13694 (cyber-enabled activity) as amended by E.O. 14144.
  2. Scale of Abuse: Funnull infrastructure underpinned more than 332,000 scam domains and more than USD 200 million in U.S. losses; average victim loss exceeded $150,000.
  3. Modus Operandi: The firm bulk-purchased cloud IPs, used domain-generation algorithms, and even back-doored open-source code to redirect legitimate traffic to fraud and gambling sites linked to Chinese laundering networks.
  4. Law-Enforcement Synergy: FBI released a FLASH advisory with IOCs for 548 Funnull CNAMEs spanning October 2023–April 2025.
  5. Regulatory Context: Follows FinCEN’s September 2023 alert on pig-butchering scams, reinforcing AML/CFT priorities for virtual-asset service providers (VASPs).

Short Narrative

On 29 May 2025, OFAC struck at the heart of a sprawling cyber-fraud ecosystem by designating Funnull Technology Inc., a Philippines-registered hosting broker, and its administrator Liu Lizhi. Funnull’s business model was deceptively simple: acquire massive blocks of U.S.-sourced cloud IP addresses, algorithmically spawn look-alike domains, and rent them to scam crews running high-yield crypto “investment” websites.

Victims—often groomed through romance-style communications—were lured onto these platforms, shown fabricated returns, and ultimately drained of funds. When takedowns loomed, Funnull’s automated domain-generation ensured the con continued elsewhere, frustrating regulators and platforms alike.


Extended Analysis

| Dimension | Implications |
| --- | --- |
| Legal & Sanctions Risk | All U.S. persons are now prohibited from dealings with Funnull or Liu. Secondary-sanctions exposure extends to foreign banks and VASPs facilitating related transactions. OFAC can impose strict-liability civil penalties (Source: home.treasury.gov). |
| Regulatory Expectations | FinCEN SARs should reference “FIN-2023-PIGBUTCHERING” and incorporate Funnull IOCs. VASPs must update sanctions-screening rules to catch Funnull-associated domains, CNAMEs, and wallet clusters (Source: fincen.gov). |
| Operational Threats | Funnull’s purchase of a legitimate code repository, later weaponised to redirect traffic, shows supply-chain compromise is now integral to scam infrastructure. Web developers should audit third-party code for silent redirects (Source: home.treasury.gov). |
| Cross-Border Complexity | Corporate registration in the Philippines, Chinese leadership, and hosting resold worldwide illustrate jurisdictional arbitrage. Regulators may need bilateral MLATs and cloud-provider cooperation to seize assets rapidly. |

Actionable Insight

Compliance teams should immediately:

  1. Import the FBI’s 548 Funnull CNAMEs and associated IP blocks into block-lists.
  2. Screen historical customer traffic for Funnull-linked domains to identify potential victim or mule activity.
  3. Trigger enhanced due diligence on any entity sourcing cloud IP space in bulk from resale markets.

Doing so can both prevent new fraud and serve as mitigating evidence in a future OFAC enforcement inquiry.
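
Steps 1 and 2 above, sketched as an added example (not code from this article, OFAC or the FBI advisory): because the queried hostnames are algorithmically generated, the screen matches on the CNAME target in each resolver record rather than on the hostname alone. The indicator values, log format and field names are constructed placeholders and assumptions.

```python
import json

# Constructed placeholder indicators (reserved TLDs); load the real CNAME list from the advisory.
IOC_CNAMES = {"ioc-cname-1.example", "ioc-cname-2.invalid"}

# Constructed sample resolver log, one JSON record per line (field names are assumed).
SAMPLE_LOG = "\n".join([
    '{"ts":"2025-04-02T10:01:00Z","client":"10.0.0.5","query":"invest-portal.test",'
    '"answers":[{"type":"CNAME","data":"a1b2.ioc-cname-1.example."},{"type":"A","data":"192.0.2.10"}]}',
    '{"ts":"2025-04-02T10:02:00Z","client":"10.0.0.7","query":"www.example.org",'
    '"answers":[{"type":"A","data":"192.0.2.20"}]}',
    '{"ts":"2025-04-02T10:03:00Z","client":"10.0.0.9","query":"xk3q9.test",'
    '"answers":[{"type":"CNAME","data":"IOC-CNAME-2.invalid"}]}',
    '{"ts":"2025-04-02T10:04:00Z","client":"10.0.0.11","query":"shop.test",'
    '"answers":[{"type":"CNAME","data":"notioc-cname-1.example."}]}',
    'truncated line {"ts":',
])

def normalize(name):
    """Lower-case and drop the trailing root dot so log and list forms compare equal."""
    return name.strip().rstrip(".").lower()

def matches_ioc(name, iocs):
    """True if name is an indicator or a subdomain of one (label-boundary match)."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))

def screen(log_text, iocs):
    """Return one hit per record whose query or CNAME chain touches an indicator."""
    iocs = {normalize(i) for i in iocs}
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines rather than abort the whole review
        if not isinstance(rec, dict):
            continue
        names = [rec.get("query", "")]
        names += [a.get("data", "") for a in rec.get("answers", []) if a.get("type") == "CNAME"]
        matched = sorted({normalize(n) for n in names if n and matches_ioc(n, iocs)})
        if matched:
            hits.append({"ts": rec.get("ts"), "client": rec.get("client"),
                         "query": rec.get("query"), "matched": matched})
    return hits

if __name__ == "__main__":
    for hit in screen(SAMPLE_LOG, IOC_CNAMES):
        print(hit)
```

Matching on whole DNS labels keeps a look-alike such as `notioc-cname-1.example` from producing a false positive that a plain suffix comparison would raise.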


Call for Information

Have you encountered Funnull-branded infrastructure, unusual domain-generation patterns, or redirections to suspicious crypto-investment sites? Share information via our whistleblower platform, Whistle42.
