How Funnull Became the Backbone of U.S. Crypto Pig-Butchering Scams
Treasury’s May 29 action freezes Funnull’s IP pools and prefab scam kits. An estimated $200 million in U.S. losses is tied to this turnkey infrastructure provider.

what just happened
On May 29, the U.S. Treasury’s Office of Foreign Assets Control dropped the hammer on Funnull Technology Inc., a Manila-registered infrastructure provider that rents bulk IP space and turnkey web templates to crypto-scam crews. Treasury calls Funnull the backbone for “hundreds of thousands of pig-butchering sites” and links the company to at least $200 million in reported U.S. losses, an average hit of $150k per victim. The sanctions also name Funnull’s Chinese administrator Liu Lizhi, freezing any property they control within U.S. reach and banning Americans from doing business with them. (U.S. Department of the Treasury)
how funnull feeds the scam economy
Pig-butchering outfits need three ingredients: fresh IP space, throwaway domains and a front end that looks like a legitimate trading portal. Funnull supplies all three.
It buys IP ranges from top-tier cloud providers, spins domain generation algorithms to crank out look-alike URLs and hands customers prefab UI packages so every scam site shows convincing real-time “portfolio” graphs. When hosts or registrars kill a domain, the criminals swap in the next one from the pool with zero downtime.
Funnull’s catalog even includes code-reuse kits. The Treasury states that the company acquired an open-source JavaScript repository in 2024 and covertly modified it, causing any website that linked to the script to redirect traffic to gambling pages and money-laundering portals associated with Chinese criminal syndicates.
That polyfill hijack turned tens of thousands of legitimate sites into drive-by funnelers for the scam network.
the supply-chain twist
Security researchers flagged Funnull last year after a polyfill supply-chain attack sprayed malicious redirects across the web. Funnull weaponized the hijacked codebase to reel users into casino and investment-fraud domains it also hosted.
Silent Push analysts mapped Funnull to “the largest pig-butchering and money-laundering network targeting the U.S. right now.” (TechCrunch)
what the sanctions actually do
OFAC’s designation dumps Funnull and Liu on the Specially Designated Nationals list. Any bank, registrar or hosting shop that continues processing their payments risks massive fines.
The FBI paired the move with an IC3 advisory listing the IP blocks and ASN Funnull controls, giving providers a quick blocklist. Experience suggests that the company will spin up shell resellers, but the sanctions still squeeze payment channels and raise due diligence concerns for upstream providers.
For enterprise defenders, this is actionable intelligence. If your firewall logs show outbound traffic to Funnull IP space, users are almost certainly hitting scam content or a compromised third-party script. Block the ranges, review egress controls, and inspect marketing sites that embed random CDN links; a leftover polyfill tag could bleed visitors straight into the next con.
bigger lesson for security teams
Regulators are pivoting from a 'whack-a-mole' approach to domain seizures to targeting infrastructure middlemen, including bulletproof hosts, SMS blasters, and now cloud IP brokers. Cutting their payment flows hurts every downstream scam at once. Expect more of these ecosystem strikes, and keep an eye on OFAC updates, the way you already track CISA KEV.
Funnull’s rise also shows why supply-chain hygiene matters outside traditional software. A single trusted JavaScript include flipped thousands of benign sites into scam launchpads. If your public web stack still hotlinks third-party scripts, now is the time to self-host or deploy Subresource Integrity (SRI).
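One way to act on the "leftover polyfill tag" and SRI advice above, as an added example that is not from the original post or any advisory: a Python check that flags third-party script tags with no enforceable integrity value and computes the sha384 value for a script you have reviewed. Every hostname, path and the first-party list below is a constructed placeholder.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A token browsers will enforce: supported algorithm, then a base64 digest.
VALID_TOKEN = re.compile(r"^(sha256|sha384|sha512)-[A-Za-z0-9+/]+={0,2}$")

def sri_value(script_bytes):
    """integrity="" value for a script whose exact bytes you have reviewed."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

class ScriptAudit(HTMLParser):
    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []  # (src, reason)

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "").strip() for k, v in attrs}
        src = attr.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if tag != "script" or not host or host in self.first_party:
            return  # not a script, inline/relative, or served by us
        tokens = attr.get("integrity", "").split()
        if not tokens:
            self.findings.append((src, "no integrity attribute"))
        elif not any(VALID_TOKEN.match(t) for t in tokens):
            # Unparseable metadata is ignored by browsers: no enforcement.
            self.findings.append((src, "integrity value not enforceable"))

def audit(html, first_party_hosts):
    parser = ScriptAudit(first_party_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample page; every host and path below is a placeholder.
SAMPLE = f"""
<script src="/js/app.js"></script>
<script src="https://www.example.com/js/menu.js"></script>
<script src="https://cdn.example.net/v3/polyfill.min.js"></script>
<script src="//static.example.org/lib.js" integrity="sha-384-abc" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/ok.js" integrity="{sri_value(b'ok()')}" crossorigin="anonymous"></script>
"""

if __name__ == "__main__":
    print(*(f"{why}: {src}" for src, why in audit(SAMPLE, ["www.example.com"])), sep="\n")
```

A pinned hash only helps for a versioned, immutable file; a CDN URL that serves different bytes per browser cannot be pinned and is the case for self-hosting.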
Pig-butchering will adapt because the margins are just too high, but losing a turnkey provider of Funnull’s scale buys defenders a rare window to reset filters and raise user awareness before the next infrastructure shop steps in.