U.S. Imposes Sanctions on Funnull for $200 Million Romance Baiting Scams Linked to Cryptocurrency Fraud
By Ravie Lakshmanan
May 30, 2025
Cybersecurity / Cybercrime
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against Funnull Technology Inc., a company based in the Philippines, along with its administrator, Liu Lizhi, for allegedly providing crucial infrastructure that facilitated scams related to romance baiting. These scams have reportedly resulted in significant cryptocurrency losses, with U.S. victims collectively reporting over $200 million in damages.
Allegations Against Funnull
According to the Treasury, the Taguig-headquartered company is implicated in enabling thousands of fraudulent websites that promote virtual currency investment scams, contributing to billions of dollars in losses annually for American individuals. Officials revealed that the average loss per victim is estimated at over $150,000, underscoring the scale and impact of these scams.
"The investigation has shown that Funnull has directly facilitated several of these schemes," the Treasury stated in a press release. The company operates under various domain names, including funnull[.]io, funnull[.]com, funnull[.]app, and funnull[.]buzz, and came into focus in the cybersecurity community through its involvement in a supply chain attack on the widely-used Polyfill[.]io JavaScript library in June 2024.
Infrastructure Laundering and Cybercriminal Networks
A report from cybersecurity firm Silent Push last year indicated that Funnull’s infrastructure had been utilized to propagate investment scams, fake trading applications, and dubious gambling sites, encapsulated under the codename "Triad Nexus." In February 2025, additional findings linked Funnull’s operations to a practice known as infrastructure laundering, which involves the renting of IP addresses from major hosting providers like Amazon Web Services (AWS) and Microsoft Azure to host illicit web platforms.
The Treasury emphasized that Funnull’s business model involves acquiring large blocks of IP addresses from legitimate cloud service providers and subsequently selling them to cybercriminals. This infrastructure lets scam websites be set up rapidly and moved easily when legitimate hosting services attempt to shut them down.
Methods and Practices Employed by Funnull
Funnull reportedly utilizes domain generation algorithms (DGAs) to create numerous unique domain names for scam sites, allowing cybercriminals to effectively impersonate trusted brands. The agency elucidated how this methodology facilitates the seamless operation of fraudulent activities. "These services not only streamline the process for cybercriminals but also permit quick changes to different domains and IP addresses," it stated.
In addition, the Treasury charged Liu Lizhi with maintaining spreadsheets detailing employee assignments involved in the domain name allocation for various scams, including virtual currency fraud, phishing operations, and online gambling activities.
FBI’s Findings
The U.S. Federal Bureau of Investigation (FBI) corroborated the findings, disclosing that it had traced 548 unique Funnull Canonical Names (CNAME) linked to over 332,000 distinct domains since January 2025. The FBI noted a consistent pattern of rapid IP address migration for multiple domains utilizing Funnull’s infrastructure, which coincided with increased scam activity.
"Between October 2023 and April 2025, we observed multiple patterns of IP address activity from several domains leveraging Funnull’s infrastructure," the FBI reported. "During this timeframe, hundreds of domains simultaneously migrated from one IP address to another, either on the same day or within closely matched periods."
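The same-day bulk migration pattern described above can be hunted for in passive DNS data. The following is an added example, not code from the FBI, the Treasury, or this article; the record layout, the `min_domains` threshold, and every domain, CNAME, and IP address in it are constructed assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (ISO day, domain, cname, resolved IP).
# All names use .example and all IPs come from documentation ranges.
RECORDS = (
    [("2025-03-01", f"site{i}.example", "edge-a.cname.example", "198.51.100.10")
     for i in range(4)]
    + [("2025-03-02", f"site{i}.example", "edge-a.cname.example", "203.0.113.20")
       for i in range(4)]
    + [
        # A single domain changing IP on its own: ordinary churn, not a bulk move.
        ("2025-03-01", "blog.example", "edge-b.cname.example", "192.0.2.5"),
        ("2025-03-02", "blog.example", "edge-b.cname.example", "192.0.2.6"),
        # A domain behind the same CNAME that never moves.
        ("2025-03-01", "static.example", "edge-a.cname.example", "198.51.100.10"),
        ("2025-03-03", "static.example", "edge-a.cname.example", "198.51.100.10"),
    ]
)


def find_bulk_migrations(records, min_domains=3):
    """Find days on which at least min_domains domains behind one CNAME
    moved together from the same old IP to the same new IP."""
    # Per-(domain, cname) timeline; ISO dates sort chronologically as strings.
    history = defaultdict(list)
    for day, domain, cname, ip in sorted(records):
        history[(domain, cname)].append((day, ip))

    # Group every observed IP change by (day, cname, old IP, new IP).
    moves = defaultdict(set)
    for (domain, cname), seen in history.items():
        for (_, old_ip), (day, new_ip) in zip(seen, seen[1:]):
            if old_ip != new_ip:
                moves[(day, cname, old_ip, new_ip)].add(domain)

    # Keep only the groups large enough to look coordinated.
    return sorted(
        (day, cname, old_ip, new_ip, sorted(domains))
        for (day, cname, old_ip, new_ip), domains in moves.items()
        if len(domains) >= min_domains
    )


if __name__ == "__main__":
    for day, cname, old_ip, new_ip, domains in find_bulk_migrations(RECORDS):
        print(f"{day} {cname}: {len(domains)} domains moved {old_ip} -> {new_ip}")
```

Grouping by CNAME as well as by IP pair keeps unrelated tenants of a shared cloud address from being merged into one event; the threshold should be tuned to the volume of the data source.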
Conclusion
The sanctions against Funnull serve as a stark reminder of the ongoing battle against cybercrime, particularly involving the intersection of cryptocurrency fraud and online scam tactics. The regulatory actions signify a concerted effort by U.S. authorities to curtail the activities of organizations exploiting technological infrastructures for malicious purposes, aiming to protect potential victims from the pervasive threat of cyber scams.
As investigations continue, it remains critical for individuals to exercise caution when engaging with online platforms, particularly those offering investment opportunities that appear too good to be true.