U.S. Sanctions Funnull for $200M Romance Baiting Scams Tied to Crypto Fraud

May 30, 2025 | Ravie Lakshmanan | Cryptocurrency / Cybercrime

The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on a Philippines-based company called Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure for conducting romance baiting scams that resulted in significant cryptocurrency losses.

The Treasury accused the company, headquartered in Taguig, of enabling numerous websites engaged in virtual currency investment scams, leading to billions of dollars in annual losses for Americans.

“Funnull has directly supported several of these schemes, resulting in over $200 million in reported losses by U.S. victims,” the agency stated in a press release. The average loss per individual is estimated to be over $150,000.

Funnull, also known as Fang Neng CDN (funnull[.]io, funnull[.]com, funnull[.]app, and funnull[.]buzz), first came under scrutiny from the cybersecurity community in June 2024 when it was implicated in the supply chain attack on the widely-used Polyfill[.]io JavaScript library.

An analysis by Silent Push last year revealed that the Funnull infrastructure was being used to promote investment scams, fake trading apps, and suspicious gambling networks. This infrastructure was identified as Triad Nexus.

Earlier this February, the cybersecurity company linked Funnull to a practice known as infrastructure laundering, where the company rented IP addresses from major hosting providers like Amazon Web Services (AWS) and Microsoft Azure to host criminal websites.

Highlighting this, the Treasury stated that Funnull facilitates virtual currency investment scams by acquiring IP addresses in bulk from global cloud service providers and selling them to cybercriminals to host scam websites and other malicious content.

“Funnull generates domain names for websites on its acquired IP addresses using domain generation algorithms (DGAs) – programs that generate numerous unique names for websites – and provides web design templates to cybercriminals,” the agency highlighted.

“These services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites, but also enable them to quickly switch to different domain names and IP addresses when legitimate providers try to take down the websites.”

The Treasury also alleged that Liu, a Chinese national and Funnull’s administrator, possessed spreadsheets and documents containing details about the company’s employees, their tasks, and work progress.

These tasks included assigning domain names to criminal actors for virtual currency investment fraud, phishing scams, and online gambling sites.

In a separate flash alert, the U.S. Federal Bureau of Investigation (FBI) reported identifying 548 unique Funnull Canonical Names (CNAME) linked to over 332,000 distinct domains since January 2025.

“Between October 2023 and April 2025, various patterns of IP address activities were observed from multiple domains using Funnull infrastructure,” the FBI noted. “During this period, several domains using Funnull infrastructure concurrently switched from one IP address to another on the same day or within a similar timeframe.”
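The concurrent IP switching the FBI describes is something defenders can look for in passive DNS data. The sketch below is an added example, not code from the FBI alert or this article; the record layout, the `same_day_switches` function, the `min_domains` threshold, and every domain, CNAME and IP address are constructed for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (date, domain, CNAME target, resolved IP).
# Names use the reserved .example TLD and documentation IP ranges; none are real indicators.
RECORDS = [
    ("2025-03-01", "a1.example", "edge1.cdn.example", "192.0.2.10"),
    ("2025-03-01", "a2.example", "edge1.cdn.example", "192.0.2.10"),
    ("2025-03-01", "a3.example", "edge1.cdn.example", "192.0.2.10"),
    ("2025-03-01", "a4.example", "edge1.cdn.example", "192.0.2.10"),
    ("2025-03-01", "b1.example", "other.cdn.example", "192.0.2.10"),
    ("2025-03-05", "a1.example", "edge1.cdn.example", "198.51.100.7"),
    ("2025-03-05", "a2.example", "edge1.cdn.example", "198.51.100.7"),
    ("2025-03-05", "a3.example", "edge1.cdn.example", "198.51.100.7"),
    ("2025-03-05", "a4.example", "edge1.cdn.example", "192.0.2.10"),    # did not move
    ("2025-03-05", "b1.example", "other.cdn.example", "203.0.113.5"),  # moved alone
]

def same_day_switches(records, min_domains=3):
    """Group domains that share a CNAME and changed from the same old IP to the
    same new IP on the same day. Returns {(cname, date, old_ip, new_ip): [domains]}
    for groups with at least min_domains members."""
    history = defaultdict(list)
    for date, domain, cname, ip in records:
        history[(domain, cname)].append((date, ip))

    moves = defaultdict(set)
    for (domain, cname), observations in history.items():
        observations.sort()  # ISO dates sort chronologically as strings
        # Compare each observation with the next one for this domain.
        for (_, old_ip), (date, new_ip) in zip(observations, observations[1:]):
            if old_ip != new_ip:
                moves[(cname, date, old_ip, new_ip)].add(domain)

    # A single domain changing IP is routine; a coordinated group is the signal.
    return {key: sorted(doms) for key, doms in moves.items() if len(doms) >= min_domains}

if __name__ == "__main__":
    for (cname, date, old_ip, new_ip), doms in same_day_switches(RECORDS).items():
        print(f"{date} {cname}: {len(doms)} domains moved {old_ip} -> {new_ip}: {doms}")
```

Grouping on the CNAME target first keeps unrelated tenants of the same cloud IP out of the cluster, which matters when the addresses are rented from large providers.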
