The U.S. Treasury Department has sanctioned Funnull Technology, a Philippines-based company that supports hundreds of thousands of malicious websites behind cyber scams linked to over $200 million in losses for Americans.
Funnull facilitated virtual currency investment scams (also known as romance baiting and pig butchering) by buying IP addresses in bulk from various cloud service providers. The company sold these IP addresses and hosting services to cybercriminals, enabling them to host malicious websites.
Criminals behind pig butchering scams contact victims through dating sites, social media, and messaging apps, building trust and luring victims into fake investment schemes. However, instead of investing the funds, the fraudsters divert them to accounts they control, stealing the victims' money.
The company uses domain generation algorithms (DGAs) to generate numerous unique domain names and also provides cybercriminals with web design templates that impersonate trusted brands. It also helps them quickly switch IP addresses and domains to thwart takedown attempts.
“Funnull is linked to the majority of virtual currency investment scam websites reported to the FBI. U.S.-based victims of these scam websites have reported over $200 million in losses, with average losses of over $150,000 per individual,” OFAC said on Thursday.
The Treasury’s Office of Foreign Assets Control (OFAC) also imposed sanctions on Liu Lizhi, a Chinese national who acted as Funnull’s administrator and managed the company’s employees, monitoring their performance and task progress.
Following these sanctions, citizens and organizations in the United States are prohibited from conducting transactions with Funnull and Lizhi. All their U.S. assets will be frozen, and financial institutions and foreign entities involved in transactions with them may also face penalties.
Funnull indicators of compromise
Today, the FBI has also published a flash alert with more information, including technical details about IP addresses and domains of part of Funnull’s cyber scam infrastructure.
“Since January 2025, the FBI has identified 548 unique Funnull Canonical Names (CNAME) linked to over 332,000 unique domains. In April 2025, a sample of eight domains were analyzed to depict a CNAME analysis that resolved to four CNAMEs tied to Funnull infrastructure. Between February 2023 and April 2025, the eight domains showed three different patterns of CNAME activity,” the FBI said.
“Between October 2023 and April 2025, multiple patterns of IP address activity were observed from several domains using Funnull infrastructure. During this time frame, hundreds of domains using Funnull infrastructure simultaneously migrated from one IP address to another either on the same exact day or within the same timeframe.”
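The bulk-migration pattern the FBI describes (many domains leaving one IP address for another on the same day or within the same timeframe) can be looked for in a defender's own passive-DNS history. The sketch below is an added example, not code from the FBI alert or this article; the observation rows, domain names, addresses, function names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed passive-DNS rows (domain, date first seen on this A record, IP).
# Domains use .example; addresses are from RFC 5737 documentation ranges.
OLD, NEW = "192.0.2.10", "198.51.100.20"
OBSERVATIONS = (
    [(f"shop{i}.example", date(2024, 11, 1), OLD) for i in range(4)]
    + [(f"shop{i}.example", date(2025, 3, 4), NEW) for i in range(3)]
    + [("shop3.example", date(2025, 3, 5), NEW),           # one day later
       ("blog.example", date(2024, 11, 1), OLD),
       ("blog.example", date(2025, 1, 9), "203.0.113.5"),  # unrelated move
       ("late.example", date(2024, 11, 1), OLD),
       ("late.example", date(2025, 4, 20), NEW)]           # same pair, weeks later
)

def migrations(observations):
    """Yield (day, domain, old_ip, new_ip) whenever a domain's A record changes."""
    history = defaultdict(list)
    for domain, day, ip in observations:
        history[domain].append((day, ip))
    for domain, rows in history.items():
        rows.sort()
        for (_, old), (day, new) in zip(rows, rows[1:]):
            if old != new:
                yield day, domain, old, new

def bulk_migrations(observations, min_domains=3, window=timedelta(days=1)):
    """Flag IP pairs many domains moved between together (illustrative thresholds)."""
    by_pair = defaultdict(list)
    for day, domain, old, new in migrations(observations):
        by_pair[(old, new)].append((day, domain))
    flagged = []
    for (old, new), moves in by_pair.items():
        moves.sort()
        cluster = [moves[0]]
        for move in moves[1:] + [None]:      # None flushes the last cluster
            if move and move[0] - cluster[0][0] <= window:
                cluster.append(move)
                continue
            domains = sorted({d for _, d in cluster})
            if len(domains) >= min_domains:
                flagged.append((old, new, cluster[0][0], domains))
            cluster = [move]
    return flagged

if __name__ == "__main__":
    for old, new, start, domains in bulk_migrations(OBSERVATIONS):
        print(f"{start}: {len(domains)} domains moved {old} -> {new}: {domains}")
```

On real data, shared hosting and CDN address changes produce the same signature, so a flagged cluster is a lead to correlate with other indicators such as a common CNAME, not a verdict.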
As the FBI revealed last month, cybercriminals stole a record $16.6 billion from Americans in 2024, with over $6.5 billion lost to investment scams, marking a massive increase in losses of over 33% compared to the previous year.