Numerous Western Companies May Still Need to Ban FUNNULL Admin Accounts to Comply with U.S. Treasury Sanctions

Key Findings
- Silent Push Threat Analysts have been mapping the scope of the FUNNULL content delivery network (CDN) and its use of Infrastructure Laundering to hide its infrastructure among major Western cloud providers, such as Amazon and Microsoft, which forces defenders to stay constantly alert in order to respond and block its accounts. We labeled the threat actor network “Triad Nexus.”
- FUNNULL CDN is a primary source for hosting fraudulent websites used against Americans, and the Treasury Department and FBI issued joint advisories on FUNNULL in May 2025, announcing the network and its administrator, Lizhi Liu, were added to the U.S. sanctions list due to their support of scam investment sites.
- We confirmed FUNNULL admin Lizhi Liu (also known as “Steve/Steven” Liu) maintains accounts on many major Western services. We’re providing this public report on potential accounts used by Liu in support of U.S. organizations that may need to ban these accounts to ensure compliance with U.S. Treasury Sanctions frameworks.
- During the persona mapping process, we also discovered anti-American and anti-Japanese content written by Liu and have included a brief analysis from his blog.
- Our team notes that Liu is still actively using his Facebook account to update a group he manages about Ganzhou, China, making posts and content changes through June 2025, weeks after the sanctions were issued.
- Brian Krebs (Krebs on Security) published this research in collaboration with Silent Push in his piece “Big Tech’s Mixed Response to U.S. Treasury Sanctions,” confirming that enterprise companies are responding to the U.S. Treasury sanctions in unique ways, with not all companies immediately banning the accounts or taking significant actions.
Executive Summary
Silent Push has been tracking “Funnull Technology Inc.” (funnull[.]com) and the malicious websites hosted on this CDN since 2022. Our team has written extensive private and public reports, including the October 2024 report, “Unveiling Triad Nexus: How FUNNULL CDN Facilitates Widespread Cyber Threats,” and its January 2025 follow-up, “Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech.”
In May 2025, when the Treasury and FBI announced U.S. sanctions against FUNNULL and its administrator, Lizhi Liu, we were pleased to see renewed attention on this ongoing threat from China.
Because our data showed that the FUNNULL CDN was behind a huge portion of investment scam websites, we were unsurprised to see the Treasury Department announce, “Funnull is linked to the majority of virtual currency investment scam websites reported to the FBI.” The same announcement included a disclosure that FUNNULL CDN-hosted websites have caused over $200 million in losses to U.S. victims, with an average loss of $150,000 per individual from the finance schemes hosted on these websites. As a result, the FBI has ongoing efforts to connect with victims whom the FUNNULL-hosted campaigns have impacted.
Chainalysis and other crypto tracking companies have since confirmed that FUNNULL had direct transactions with wallets connected to Huione Pay, the illicit marketplace and money laundering ecosystem recently flagged by FinCEN as part of a proposed rulemaking effort to classify the network as a “financial institution of primary money laundering concern,” to sever its connections with the U.S. financial system.
After the May 2025 U.S. Treasury OFAC sanctions were issued against FUNNULL and its admin Liu, the Specially Designated Nationals List Sanctions Update made public additional details about Liu’s other names and the usernames he uses across the internet.
Silent Push Threat Analysts have taken those usernames and further pivoted into Liu’s older personas, public blogs, and websites (listed throughout this report as identified), to reveal Western services and infrastructure that have yet to ban his accounts.
Google appears to be one of the few companies that have tracked Liu’s accounts and taken action against them. Liu’s YouTube channel (youtube[.]com/@nicelizhi) was recently taken down with no indication that Liu did it himself, based on his other live accounts and websites.
The following enterprise software companies, publishers, and social networks were found still hosting accounts owned by Lizhi Liu:
- X/Twitter
- GitHub / Microsoft
- LinkedIn / Microsoft
- Facebook / Meta
- Google Code / Google Groups / Alphabet
- Medium
- PayPal
- WordPress
- HuggingFace
- Gravatar / WordPress
- Vercel
- Deviant Art / Wix
- Flickr / SmugMug
- About Me / Vendasta
- Tawk[.]to
Background on Funnull Admin Lizhi Liu
Lizhi Liu, also known as Steve Liu (additional personas explained below), is a 41-year-old male from China who has been an active web developer with a visible presence since at least 2010. Liu is the administrator of the FUNNULL CDN and appears to be both the lead developer and owner. Liu is also a father, has a small family, and has a long-term interest in fashion and photography.
An expert developer, Liu has seemingly been the brains behind this CDN, which profits from “Infrastructure Laundering” techniques that consistently abuse Western cloud providers to illicitly acquire accounts and quickly map IPs into the FUNNULL infrastructure, essentially allowing threat actors to host their websites for free, primarily on Western providers.
Silent Push Threat Analysts believe it is doubtful that Liu is the actual mastermind behind many of the investment schemes and money laundering networks hosted on FUNNULL. We dubbed this network “Triad Nexus,” since we believe various unnamed criminals are profiting from the scheme.
Historically a strong advocate of open-source software, Liu has written extensively on the topic, published open-source code repositories, and been actively engaged in a range of developer forums and communities.
Liu also has written statements that could be considered “anti-American” and “anti-Japanese” on his blogs, although he rarely wrote about politics, and these were outlier comments.
Silent Push threat analysts believe Liu is now attempting to conceal the infrastructure that FUNNULL hosts in the wake of the U.S. sanctions.
The remainder of this report contains a persona profile of FUNNULL admin Liu, along with links to some of his still-active profiles and websites. Many are hosted on Western providers who likely need to ban the accounts to comply with U.S. Treasury sanctions against him.
FUNNULL Admin Lizhi Liu
Names
- Lizhi Liu (Chinese Simplified: 刘理志)
- Steve Liu
- Steven Liu
- Steven Lizhi
- Jane Liu
Companies Associated with
- FUNNULL Technology Inc.
- Shanghai Zhiyancheng (上海志彦成) aka “Shanghai Zhiyan” aka “SHZY Inc.”
Location
- No. 2 Shaguo Group, Yangmei Village, Huangjin Ridge, Zhanggong District, Ganzhou, Jiangxi, China
- Lianhang Road, No. 1698, 5 Building, Pujiang Town, Minxing District, Shanghai, China; Lulian Road, 100 Alley, No. 5, Room 1202, Pujiang Town, Minxing District, Shanghai, China
- Puxinggong Road, 9688, Alley No. 5, Haiwan Town, Fengxian District, Shanghai, China
DOB
- November 13, 1984
Gender
- Male
China National ID Number
- 36070219841113373X
Phone Numbers
- 13524084051 (old)
- +86 18217614046 (old)
Usernames
- NICE LIZHI
- NICELIZHI
- XXL4
- kongfaceworld
- cdndns
- zylinkus
- phpedu
- cnphp
- modelsnetcn
- chinawolfs
- shanghaiopensource
- QQ: 3139319
- bmchaoshi (Used on his blog cnphp.wordpress[.]com but seemingly nowhere else)
Emails
- nice.lizhi@gmail[.]com
- lizhi.liu@ymail[.]com
- lizhi.liu@foxmail[.]com
- chinawolfs@hotmail[.]com
- chinawolfs@yahoo[.]com
- chinawolfs@aol[.]com
- steven@zylinkus[.]com
- steve@models[.]net[.]cn
- magentocommerce[.]com@gmail[.]com
- zylinkus[.]com@gmail[.]com
- liulizhi@liulizhi[.]info
GitHub and Public Repos
- github[.]com/xxl4
- github[.]com/nicelizhi
- github[.]com/shanghaiopensource
- github[.]com/zylinkus
- github[.]com/NexaMerchant – NexaMerchant is an e-commerce company owned by Liu
- NexaMerchant further promoted on models[.]net[.]cn (models[.]net[.]cn/nexa-merchant)
- packagist[.]org/packages/nicelizhi/
- pkg.go[.]dev/github.com/nicelizhi/easy-admin
- uihub.licode[.]ai/directory/laravel-admin
Websites
- zylinkus[.]com
- models[.]net[.]cn
- cnphp.wordpress[.]com
- cnblogs[.]com/cnphp
- mote001[.]com
- nexa-merchant[.]vercel[.]app
- liulizhi[.]info (Doesn’t appear to be currently owned by Liu) (Wayback Machine of the old blog shows it was active starting in 2010)
Social Profiles
- medium[.]com/@cdndns
- x[.]com/kongfaceworld
- x[.]com/phpedu
- youtube[.]com/@nicelizhi
- buymeacoffee[.]com/nicelizhi
- paypal[.]com/paypalme/nicelizhi
- linkedin[.]com/in/zylinkus
- linkedin[.]com/in/liulizhi
- facebook[.]com/shgnahaizhiyan
- facebook[.]com/webdesignshanghai
- facebook[.]com/lizhi.liu
- facebook[.]com/enjoyganzhou/
- huggingface[.]co/xxl4
- weibo[.]com/shzylinkus
- deviantart[.]com/nicelizhi
Photos Used by Lizhi Liu



The research included below contains a significant number of screenshots and details, as we believe that many of these accounts will be banned and/or deleted in the coming days and weeks.
Liu Pivots from Open Source Research Shared with District 4 Labs for Further Pivots Using Breach Data
Silent Push Threat Analysts shared the accounts and details found via the pivots in this research with District 4 Labs, who provided additional data and insights about Liu’s accounts.
Despite many pivots being shared back with us, due to the common name of “Lizhi Liu” (and Steve/Steven Liu), it was impossible to confirm that Liu truly owned all of the potential accounts and infrastructure that we have been tracking.
However, Liu’s email address, “chinawolfs@hotmail[.]com,” has been in use for nearly two decades and is associated with a significant history of breaches.
The email address was used with two simple passwords that contained his name repeatedly on numerous services.
The first password was elementary, and we found it was associated with numerous people with the name “Lizhi Liu” – some of whom were clear false positives – so we rejected that pivot, even though it likely generated a few true positives for niche legacy services.
However, Liu also reused a more complex password that included his birth year, month, and date, along with his name. We are not directly sharing the password he used because we don’t want to encourage password spraying efforts on his accounts. However, the email addresses associated with this unique password were used across multiple providers.
The first three emails use his persona “chinawolfs,” and we have strong confidence that these are directly controlled accounts.
The remaining accounts used some random email addresses. We believe it’s possible that some of these came from “Combo breach lists,” which contained bad data—essentially, a threat actor selling email/password lists may have stuffed their list with fake details to make it larger and potentially more profitable in a sale. As a result, we’re not making these other emails public and have shared them only with select organizations that can conduct private investigations into the accounts.
- chinawolfs@yahoo[.]com
- chinawolfs@hotmail[.]com
- chinawolfs@aol[.]com
“Focus on Open Source Liu Li Zhizhi” – His 2010 Personal Blog
In 2010, Liu launched one of his personal blogs at cnphp[.]wordpress[.]com, which is still live in 2025. The blog was created in Chinese, but the screenshots we captured have been translated into English via Google Translate.
The “About” page on the blog features a variety of contact information, including email addresses and social media links for Liu. The accounts connect to many other pieces of infrastructure from different sources, confirming that it’s the same Liu Li Zhizhi, also known as Steven Liu.
The username “bmchaoshi” is exclusive to this website, but it appears to be an early Liu persona.

In July 2010, Liu posted his first blog explaining his goals to write and study more English.

On September 22, 2010, Liu posted a rare political blog (cnphp.wordpress[.]com/2010/09/22/) during China’s Mid-Autumn Festival.
The section below, as translated by Google Translate, is rough. Still, other translation services confirmed this is essentially a post about grievances toward Japan, and also, to a lesser degree, the United States.
- The post includes the comment that “every Chinese citizen” has the idea to let “Japan disappear from the earth.”
- Liu further states that even if China has corruption, “it does not belong to any country including Japan [or] the United States.”
- Liu ends the piece with a bold statement about revenge: “The Chinese people have always been a nation that must repay grievances. Please let the world better understand the Chinese nation!”

Second “Focus on Open Source Liu Li Zhizhi” Blog from 2010
Liu published another personal blog around 2010 with a similar title to the one hosted on WordPress, with this one hosted at liulizhi[.]info.
The content on this blog focuses on business optimization, life hacks, and a limited amount on technology issues. Most of the “blog posts” were hyperlinks to third-party content, but there is potentially some light original content here.

The “About” page for this blog features the name “Liu Lizhi” and three email addresses that align with other sources our team has observed:
- chinawolfs@hotmail[.]com
- liulizhi@liulizhi[.]info
- nice.lizhi@gmail[.]com

Liu’s Personal Website Models[.]net[.]cn Highlights Interests in Computers, Fashion, and Some Politics
Liu has an active blog @ models[.]net[.]cn, which has seen over 900 posts since its launch in 2023 (models[.]net[.]cn/new-blog-start/).
![Screenshot of Liu's blog starting on his site Models[.]net[.]cn](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-9-models-net-new-blog.png)
The WHOIS details from Silent Push associated with models[.]net[.]cn show the email “lizhi.liu@foxmail[.]com” was used to register the domain, with the first record seen on March 12, 2022.
DNS “A records” were first observed associated with this domain in March 2022, but it appears the blog wasn’t launched immediately.

The “name” used to register this domain was “上海志彦文化传播有限公司” which translates to “Shanghai Zhiyan Culture Communication Co., Ltd.” – the same name used on the Facebook page for “shgnahaizhiyan” (facebook[.]com/shgnahaizhiyan) which is connected to Liu through the zylinkus[.]com and mote001[.]com domains.

Liu seems to have edited some of the posts on Models[.]net[.]cn on May 25, 2025, so the original publication dates are not precise.
In the first and second posts on the site, which were backdated to the 1980s (models[.]net[.]cn/day/day-1984-11-13/), Liu explains the day he was born and the second day after his birth, providing some background on his family and name.
![Liu posted about his day of birth on his Models[.]net[.]cn site](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-12-models-net-1984.png)
On September 7, 2012, there was a post (models[.]net[.]cn/page/97/), “Today is the day when my company was established, please record it.” It’s unclear if this is the predecessor to FUNNULL or a separate tech company.
This appears to be another back-dated post, with a recent edit made on May 25, 2025.
![Screenshot of Liu's Models[.]net[.]cn page talking about "Sunny Shanghai" in 2012](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-13-models-net-sunny-shanghai.png)
In December 2023, Liu wrote a blog on Christmas (models.net[.]cn/weekendday-2023-12-24/) and the challenges he faced, hoping the next year would bring more prosperity.

Across the rest of the blog, there are a significant number of “photos of models” and various fashion magazine covers. This is interspersed with links to third-party news sites, including some that cover cybersecurity threats and others originating from China.
The “About” page (models.net[.]cn/about-me/) features a brief description under the heading “Hi 👋,I’m Steve”:
“I’m a software engineer with a passion for building high-quality software products. I have experience in full-stack web development, mobile app development, and cloud computing. I enjoy working on challenging projects and solving complex problems. I’m always looking to learn new technologies and improve my skills.”
The “Tools” page of the website (models[.]net[.]cn/tools/) features hundreds of links to developer websites and repositories, further showing the amount of time Liu has spent engaging with developer communities on the internet.
Zylinkus, aka Shanghai Zhiyancheng (上海志彦成) – Possibly Liu’s First Company, Founded 2012
The domain zylinkus[.]com referenced on many of Liu’s social profiles features content from a “Steve Liu” and makes mention of a company founded in 2012 called “Shanghai Zhiyan,” which is described as:
- “Shanghai Zhiyan was founded in 2012 and is a network service agency focusing on high-end website construction and brand communication. Years of training have given us rich experience in creative design, marketing promotion and technology research and development. We are good at listening to corporate needs, exploring the core value of brands, integrating high-quality design and the latest technology to create a valuable creative design experience for you. The core team has a senior team with more than 8 years of industry experience, covering professionals in various fields such as creativity, strategy, and technology. We firmly believe that every successful project is the result of good teamwork and provide customers with professional and effective network solutions.”
![Screenshot of Zylinkus[.]com domain](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-15-domain-zylinkus-com.png)
On the zylinkus[.]com website, the chat widget brand “Tawk[.]to” provides chat services for visitors.
Tawk[.]to is a free website chat widget tool legally operating out of Nevada, with most of its employees based in the Philippines, according to LinkedIn company data.
![Screenshot of the Tawk[.]to website chat widget Liu used](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-16-tawk-to-example.png)
This same Zylinkus brand also has a LinkedIn page where they use the name “Shanghai zy web design co.lltd” with the phone number “86.18217614046” which is also seen on the Zylinkus contact page (zylinkus[.]com/contact-us/).
- linkedin[.]com/company/shanghai-zy-web-design-co-lltd/about/

Further searching of the phone number from the LinkedIn page yields two pages on the Zylinkus domain: one is their Contact Us page, which clarifies that Steve Liu is the founder of “SHZY Inc.” The page further clarifies that the business goals align with website development:
- “Shanghai Zhiyan was founded in 2012 and is a network service agency focusing on high-end website construction and brand communication. Years of training have given us rich experience in creative design, marketing promotion and technology research and development. We are good at listening to corporate needs, exploring the core value of brands, integrating high-quality design and the latest technology to create a valuable creative design experience for you.”

The phone number also connects to a unique product and “DNS” sales page on the Zylinkus domain: (zylinkus[.]com/dns/).
The “GUNDNS Smart DNS system” is briefly explained on this generic sales page, accompanied by stock images and some generic details. It seems this sales page was essentially left unfinished:
![Screenshot of Zylinkus[.]com/dns](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-19-zylinkus-gundns.png)
The “GunDNS Smart DNS System” from Zylinkus, with code originally from “PowerDNS,” may be associated with the FUNNULL infrastructure; our investigation is ongoing.
Zylinkus also has a Facebook page (facebook[.]com/webdesignshanghai).
Mote001[.]com – Previous Effort to Recruit Models, Work in Fashion, Used “Jane Liu” Persona
In March 2018, Liu’s “@phpedu” Twitter account posted a series of tweets for mote001[.]com.

The mote001[.]com website had the same content in 2018 as it did until late 2024, as seen on the Wayback Machine. The footer of the website states, “Powered by SHZY,” and links to zylinkus[.]com, which we confirmed is owned by Liu.
This blog also had an ICP number, the Chinese internet license, of “沪ICP备13038830号-4”.
We can search for this Chinese ICP number via the Silent Push ICP license field.
Web Scanner ICP license search query:
- datasource = ["webscan"] AND body_analysis.ICP_license = "*13038830*"
The ICP search further confirmed that the ICP number used in the footer of mote001[.]com is the same one used on Liu’s zylinkus[.]com.
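The wildcard around 13038830 in the query matters because, in the ICP filing format, the base number identifies the registrant while the trailing "-N" suffix differs per site. As an added example (not Silent Push tooling and not code from the original report), the Python below extracts ICP filings from page bodies and groups domains by base number; the domains and HTML are constructed placeholders, and only the "沪ICP备13038830号-4" string and "Powered by SHZY" come from the report.

```python
import html
import re
import unicodedata
from collections import defaultdict
from typing import NamedTuple, Optional


class IcpFiling(NamedTuple):
    province: str               # one-character province prefix, e.g. 沪 (Shanghai)
    kind: str                   # 备 (filing) or 证 (commercial licence)
    number: str                 # base number shared by all sites of one registrant
    site_suffix: Optional[str]  # per-site suffix after "号-", None if absent


# Province character, "ICP", 备/证, the digits, 号, then an optional "-N" suffix.
ICP_RE = re.compile(
    r"([\u4e00-\u9fff])\s*ICP\s*(备|证)\s*(\d{6,10})\s*号(?:\s*-\s*(\d+))?",
    re.IGNORECASE,
)


def extract_icp_filings(page_html):
    """Return the distinct ICP filings found in one HTML body."""
    # Drop tags first so a number wrapped in <span> or <a> is still contiguous.
    text = re.sub(r"<[^>]*>", "", page_html)
    # Decode entities, then fold full-width digits and hyphens to ASCII.
    text = unicodedata.normalize("NFKC", html.unescape(text))
    filings = []
    for match in ICP_RE.finditer(text):
        filing = IcpFiling(*match.groups())
        if filing not in filings:
            filings.append(filing)
    return filings


def pivot_on_license(pages):
    """Map base number -> {domain: [filings]}, keeping numbers seen on 2+ domains."""
    by_number = defaultdict(dict)
    for domain, body in pages.items():
        for filing in extract_icp_filings(body):
            by_number[filing.number].setdefault(domain, []).append(filing)
    return {num: doms for num, doms in by_number.items() if len(doms) > 1}


# Constructed sample bodies on placeholder domains (not captured from real sites).
# The "-2" suffix and the 00000000 filing are invented for the demonstration.
SAMPLE_PAGES = {
    "site-a.example": '<footer>Powered by SHZY &nbsp; '
                      '<a href="#">沪ICP备13038830号-4</a></footer>',
    "site-b.example": '<div class="foot">© 2013 沪ICP备<span>13038830</span>号－２</div>',
    "unrelated.example": "<p>京ICP备00000000号-1</p>",
    "no-filing.example": "<p>Contact us: 86.00000000000</p>",
}


if __name__ == "__main__":
    for number, domains in pivot_on_license(SAMPLE_PAGES).items():
        for domain, filings in sorted(domains.items()):
            suffixes = ", ".join(f.site_suffix or "(none)" for f in filings)
            print(f"{number}\t{domain}\tsuffix: {suffixes}")
```

A shared base number is a lead rather than proof: footers are sometimes copied between unrelated sites, so the match should be corroborated with other signals, as the report does with the “Powered by SHZY” footer link.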
In 2021, Liu posted on Weibo about mote001[.]com in Chinese (weibo[.]com/3042772513/CeljQk2Sa); the post translates to, “Recruit model acting, please email us @Mote001.”

The website features some fashion details, which align with his personal blog. The only writers on the site (“Wayback Machine” link) are named “Admin” and “Jane Liu” – the “Jane” persona is likely a pseudonym used by Steve Liu for the project.

Liu’s Third “Focus on Open Source” Blog
Liu also owns another low-quality developer blog hosted at cnblogs[.]com/cnphp – a Chinese service for hosting blogs. The blog was live from September 2023 until December 2024.
The title of the blog, when translated to English, is “Focus on open source Liu Li Zhizhi,” with the content primarily consisting of simple tutorials.

Google’s YouTube Potentially Banned Liu
Liu had a YouTube account under the username “NiceLizhi” (youtube[.]com/@nicelizhi) until it was banned in mid-June 2025. The account was opened on October 27, 2011, and was essentially live for 14 years, featuring a series of developer demonstration videos for some of his projects.
The profile used the name “Steve,” with the description, “Full stack,DevOPS,Cloud Develop,Kubernetes, CDN, DNS.”
Liu linked to his GitHub profile at github[.]com/nicelizhi, which has since been renamed to github[.]com/xxl4, and a Twitter profile at twitter[.]com/kongfaceworld.

The YouTube profile associated with this account features a model who is also showcased on a separate personal website, which includes numerous photos of models.

2013 Google Code Archive for Zylinkus: Still Live
Liu’s Zylinkus, also known as Shzy, had a Google Code Archive created on February 26, 2013.

2011 Google Groups Post from “Lizhi” Connects to Numerous Liu Personas
In November 2011, user “liulizhi” with the name “lizhi” posted a guide for “Performance Tuning Guidelines for Windows Server 2003,” that included contact details connecting to numerous Liu personas and accounts:
- Name: lizhi http://about[.]me/liulizhi
- Weibo: http://weibo[.]com/phpedu
- MSN: chinawolfs@hotmail[.]com
- Tel: 86.13524084051
- QQ: lizhi.liu@foxmail[.]com
- Services: http://www.liulizhi[.]info/services/

Liu’s About[.]Me Profile Connects to Active LinkedIn, Flickr Accounts
The About[.]me profile for Lizhi Liu (about[.]me/liulizhi), linked from his Google Groups signature, further links to his Flickr and LinkedIn accounts:
- linkedin[.]com/in/liulizhi/
- flickr[.]com/people/liulizhi/
![Screenshot of Liu's "About[.]me" page](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-30-lius-about-me.png)
Liu’s Personal Flickr Started in 2010, 1,000+ Images Publicly Available
Liu’s personal Flickr account (flickr[.]com/photos/liulizhi/) was created in 2010 and uses the name “Liu Lizhi” and a profile photo seen on some of his other social accounts.
The account currently has 34,000 views, 16 tags, and over 1,000 photos.

This personal account features hundreds of photos of models and various stock photography, along with a few pictures of Liu himself in multiple poses.
It appears all the images of Liu can be seen under the tag “刘理志”, which translates to “Liu Lizhi.”

Liu’s “Model ZY” Flickr Account: Currently Private
The “Model ZY” Flickr account, created in June 2013 with the email address “steven@zylinkus[.]com,” has over 120,000 views and 82 tags, but no images are currently public.
The account was made private at some point, but based on the views and tags, it is likely that private images are still uploaded in the account.

Liu’s GitHub Profile Shows Significant Open Source Collaboration, GunDNS Code
Liu’s GitHub profile is currently github[.]com/xxl4
- Original profile @ github[.]com/nicelizhi
The “@xxl4” Github profile features the name “Steve” and the bio, “I’m currently a full stack developer and SRE engineer.”
The GitHub profile promotes three domains:
- models[.]net[.]cn
- Liu’s profile on huggingface[.]co/xxl4
- Liu’s writing at medium[.]com/@cdndns

The profile photo for Liu’s “xxl4” profile on GitHub is odd – it’s not him. The original image was taken of someone in the “Tactical Air Control Party (TACP) Airmen with the New Jersey Air National Guard’s 227th Air Support Operations Squadron,” and the GitHub profile photo is identical:

One of Liu’s repositories, called “GunDNS-Admin,” appears to be a clone of “PowerDNS-Admin” and has over 130 contributors to the code.
- github[.]com/xxl4/gundns-admin/graphs/contributors

The owner archived the repository, and it is now read-only:

The “GunDNS-admin” project has many of the same contributors as “PowerDNS-admin” which is a popular open source repository (github[.]com/PowerDNS-Admin/PowerDNS-Admin). Liu’s relationship to this community and code is unclear, but it appears to be one of his more engaged repos.
NexaMerchant GitHub Organization
NexaMerchant (github[.]com/NexaMerchant) appears to be an unpopular open-source service created by Liu and hosted on GitHub, which connects to several of his other GitHub profiles.
The project is described as a “Free laravel ecommerce” framework.

On the NexaMerchant “Followers” page (github[.]com/orgs/NexaMerchant/followers), there are unique “Suspended” notes visible next to four of the profiles, even though they are still visible and active on GitHub.

The four profiles with the “Suspended” note associated with NexaMerchant are:
- github[.]com/shanghaiopensource – includes links to zylinkus[.]com in the profile and appears to be the original GitHub account used by Liu’s first company, “Shanghai Zhiyancheng”
- github[.]com/zylinkus – another official zylinkus[.]com profile
- github[.]com/xxl4 – Liu’s personal GitHub account, tied to numerous other details
- github[.]com/heomai – only connections to NexaMerchant and other Liu personas – started the xxl4 “Easy-admin” repo

NexaMerchant claims to be a payment gateway working with numerous financial corporations. Their list of claimed partners includes:
- Stripe, PayPal, Alipay, WeChat Pay, UnionPay, Apple Pay, Google Pay, Samsung Pay, Amazon Pay, Visa, Mastercard, Amex, Discover, JCB, Diners Club, Maestro, Elo, Hipercard, Aura, COD, Checkout, Subscription, CMS, Blog, Shopify, Shopline, Airwallex.
Deviant Art Profile Includes Liu’s Real Birthdate
The “NiceLizhi” profile on Deviant Art (deviantart[.]com/nicelizhi) was created within the last six months, indicating it originated in 2025 or late 2024. The profile includes the name “Steve Liu” and has the birthdate set as November 13, the exact birthdate released by the U.S. Treasury Department.
The location was set as Hong Kong, and the pronouns used when signing up were “They/Them.”
![Liu's website "Deviantart[.]com"](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-41-deviantart-1.png)
Liu’s Gravatar Profile Uses the Name “Steven Lizhi”
Liu’s Gravatar profile (gravatar[.]com/nicelizhi) with the username “Nicelizhi” uses the name “Steven Lizhi” and a unique profile photo from a 2017 fashion shoot for “Shuba Magazine.”

Let’s Encrypt Profile, Active Posting for 1 Month in 2018, Active Account Through 2024
“Steven Liu” created his Let’s Encrypt account in 2018, and it remained active for a month (community[.]letsencrypt[.]org/u/nicelizhi/summary). However, it was last observed on December 18, 2024, indicating that he has maintained his account for six years.

Hugging Face Comment & Metadata Indicate Liu Uses an Apple Laptop
Liu has a Hugging Face profile (huggingface[.]co/xxl4) with the username “xxl4” and the first name Steve. The profile photo is for NexaMerchant, and the profile features a link to his xxl4 GitHub along with the domain “models[.]net[.]cn.”

It appears that Liu loaded his “Hardware settings” via Hugging Face, which indicates he has an Apple M1 Pro with 16GB of RAM and a 32GB 13th Generation Intel Core (i7).

In a Google Gemma-7b discussion on Hugging Face, Liu was having trouble getting the model to run. A user at Google provided comments reminding him that 20GB of RAM was needed, and Liu responded, “Thank you, and now i don’t have GPU, i use CPU, my computer is 32G RAM memory, i want to change a smaller models to debug.”

2008 Ubuntu Forum Early Use of “chinawolfs@hotmail[.]com” Email Publicly
In March 2008, the Chinese Ubuntu forum featured a post from a user with the handle “chinawolfs@hotmail[.]com,” which was known to be used by Liu.
The Ubuntu user was from “Shanghai” and asked several beginner questions about getting started with developing projects in PHP on Ubuntu Linux.


Liu Lizhi’s Slideshare Connects to “ChinaWolfs” Persona and Personal Website
Liu Lizhi uses what appears to be a “South Park” profile photo on his Slideshare account, which promotes the domain “liulizhi[.]info” and uses the username “chinawolfs.”
The account features four developer presentations from 15 and 16 years ago, created by other individuals, as well as “likes” for several developer presentations. Additionally, it includes a document, “The Psychology of Selling” by Brian Tracy, and a document about Ubuntu Linux.
Liu’s location is listed as “ShangHai China”, his Occupation is “manager” and a “WEB Dev & Database DEV.”
- slideshare[.]net/chinawolfs

Liu’s PayPal Profile
Liu also has a PayPal profile at paypal[.]com/paypalme/nicelizhi. He uses the name “Liu Lizhi” on the profile “nicelizhi,” and the location is set to Shanghai.

Liu’s Facebook Profiles, Pages, and Groups
Steven Liu (刘理志) has a Facebook profile (facebook[.]com/lizhi.liu) with 291 friends and a location set to Shanghai, China. Liu’s “Intro” text is “小白” which translates to “noob.”
All other details on the account have been locked down and made private.

Liu is still actively using his Facebook account even after the U.S. Treasury sanctions were issued, with edits to his Facebook Group (facebook[.]com/groups/ganzhou) occurring as recently as June 22, 2025, when he changed the group name from “赣州” (Ganzhou) to “赣州-客家摇篮” (Ganzhou – Cradle of Hakka).

There are two admins of this Ganzhou Facebook Group – Liu controls both accounts.
- Liu’s admin details (facebook[.]com/groups/1420660624900919/user/100001332810575)
- Ganzhou admin details (facebook[.]com/groups/1420660624900919/user/100064372734963)

Liu also controls another Ganzhou tourism page called “赣州” (facebook[.]com/enjoyganzhou/) with over 1,000 followers, where he promotes his email “nice.lizhi@gmail[.]com” along with the government domain “ganzhou[.]gov[.]cn.” The most recent post from this page was in August 2024.

In March 2017, Liu created a Facebook page (facebook[.]com/modelsnetcn) named “中国模特演艺人才网” which translates to “China Models and Performing Arts Talent Network.” This was renamed in March 2022 to the current name, “models[.]net[.]cn.”

This “models[.]net[.]cn” Facebook page uses the email address “steve@models[.]net[.]cn.”
![Liu's Models[.]net[.]cn main page on Facebook](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-56-fb-lee-hye-seung-1.png)
The “models[.]net[.]cn” Facebook page links to both the “models[.]net[.]cn” domain and the “mote001[.]com” domain. Both have been observed as connected to Liu elsewhere.
![Liu's Models[.]net[.]cn page links to the domain Mote001[.]com, also connected to Liu](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-57-models-net-cn-pix.png)
Liu created a Facebook Group (facebook[.]com/groups/models.net.cn/) in April 2014, which is still live, promoting his Chinese modeling and photography efforts on the domain mote001[.]com and models[.]net[.]cn.
![Screenshot of Facebook groups page for Models[.]net[.]cn](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-58-models-fb-groups.png)
In 2018, Liu organized two Facebook events that are still live on Facebook.
The first event (facebook[.]com/events/1987558024892514/1987558044892512/) from August 16, 2025 was described as:
- “In order for our descendants to have more information about Ganzhou’s traditional culture, and to do something about the gradual loss of Ganzhou culture. I hope that all of our members can keep the pictures, texts, videos and other materials collected from various areas. We will review these materials and update them to the Wikipedia column. Information receiving address: nice.lizhi@gmail[.]com”

The second Facebook event (facebook[.]com/events/shanghai-china/get-together/2139435819601167/) was hosted on September 30, 2018, and titled “Get Together,” with a Chinese description translated to read, “Gather friends in Shanghai to get together during the National Day and see if there are more opportunities for collaboration.”

Liu also has another Facebook page for his “zylinkus[.]com” development company (facebook[.]com/webdesignshanghai/), which was created in August 2012.
![Another Facebook page Liu created was for his "Zylinkus[.]com" development company](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-61-zy-web-design.png)
PHP[.]net Post in 2010 from Liu Closed by Testy Member, Calling His Problem “Bogus”
The profile “chinawolfs at hotmail dot com,” seemingly controlled by Liu, posted a comment in 2010 on the PHP[.]net forums (bugs.php[.]net/bug.php?id=52684&edit=2) about a problem he was having. Two people responded to the thread, largely resolving his issue, with the final one calling it “bogus” due to the perceived simplicity of the problem.

Continuing to Track FUNNULL and Triad Nexus
Silent Push Threat Analysts released this research as a reminder to enterprise organizations that when the U.S. Treasury sanctions an individual, there are expectations to identify accounts owned by those individuals and potentially terminate service to them.
All defenders need to be aware of the “pig butchering” investment fraud schemes and money laundering websites that are hosted on the FUNNULL CDN and take actions to not only defend their users and networks from these websites, but also to ensure that services provided to this sanctioned entity and the admin running its network are reviewed and potentially terminated.
Our team continues to investigate the FUNNULL CDN and related Triad Nexus threat actors, who host their malicious scam websites via this CDN. Silent Push Enterprise customers enjoy customer-only reporting streams on this threat and many others. Where possible, we will share the details that can be made public here with our readers.