U.S. Treasury Sanctions FUNNULL CDN, FBI Issues Advisory Warning Against Major Cyber Scam Facilitator

Key Findings
- The U.S. Department of the Treasury sanctioned the China-based content delivery network (CDN) FUNNULL, labeling it a major distributor of online scams. The FBI concurrently released an advisory report to disseminate indicators of compromise (IOCs) associated with malicious cyber activities linked to FUNNULL.
- The Treasury Department reported, “Funnull is linked to the majority of virtual currency investment scam websites reported to the FBI. US-based victims of these scam websites have reported over $200 million in losses, with average losses of over $150,000 per individual.”
- These moves come just months after our threat analyst team’s findings were published and subsequently reported by “Krebs On Security” cybersecurity journalist Brian Krebs.
- Our team’s October 2024 research, dubbed “Triad Nexus,” exposed the sprawling cluster of domains routed through FUNNULL CDNs, revealing how it enables cybercriminals to leverage credible cloud providers for malicious activity through infrastructure laundering.
- Silent Push previously coined the phrase “Infrastructure Laundering,” based on how FUNNULL uses illicit accounts on major cloud providers.
Executive Summary
Silent Push Threat Analysts have been tracking FUNNULL CDN and its use of infrastructure laundering since 2022. Our reporting began in May 2022 with our report on “Fake Trading Apps,” followed by our October 2024 exposé, “Unveiling Triad Nexus: How FUNNULL CDN Facilitates Widespread Cyber Threats,” and then our January 2025 blog explaining “Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech.” We have also provided additional coverage and analysis of FUNNULL CDN in our detailed reports created exclusively for our enterprise clients.
We have also hosted a webinar on Infrastructure Laundering and presented our FUNNULL research in 2025 at FIRST Monaco, B-Sides San Francisco, B-Sides Dublin, and numerous private briefings.
Last year, our analysts uncovered and exposed a sprawling network of domains routed through a China-based CDN service called FUNNULL. Our research revealed how this infrastructure quietly enabled cybercriminals, including groups linked to China, to leverage U.S. and other credible cloud providers for malicious activity.
On May 29, 2025, the U.S. Department of the Treasury issued a press release, “Treasury Takes Action Against Major Cyber Scam Facilitator,” and the Federal Bureau of Investigation (FBI) issued an advisory report, “Infrastructure Used to Manage Domains Related to Cryptocurrency Investment Fraud Scams between October 2023 and April 2025,” warning that FUNNULL is a major distributor of online scams.
These reports included critical new details that are now public:
- FUNNULL is linked to the majority of virtual currency investment scam websites reported to the FBI.
- US-based victims of these scam websites have reported losses exceeding $200 million, with an average loss of over $150,000 per individual.
- FUNNULL enables virtual currency investment scams by purchasing IP addresses in bulk from major cloud services companies worldwide and selling them to cybercriminals to host scam platforms and other malicious web content.
- In 2024, FUNNULL purchased a repository of code used by web developers and maliciously altered the code to redirect visitors of legitimate websites to scam websites and online gambling sites, some of which are linked to Chinese criminal money laundering operations.
The actions come months after our findings were published and reported by Brian Krebs of Krebs On Security, who wrote that “A sprawling network tied to Chinese organized crime gangs and aptly named ‘Funnull’ — highlights a persistent whac-a-mole problem facing cloud services.”
Cybercrime infrastructure is evolving fast, and the cybersecurity community must adopt a proactive approach to detection. We’re also encouraged that other companies, such as Chainalysis, are publishing research about FUNNULL and sharing details, including key facts about FUNNULL’s connection to money laundering networks. Chainalysis wrote, “Funnull had direct exposure to Huione Pay, for which the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued a finding and notice of proposed rulemaking (NPRM) identifying it as a primary money laundering concern.”
Sign Up for a Free Silent Push Community Edition Account
Register now for our free Community Edition to use all of the tools and queries mentioned in this blog.
Threat Mitigation
Silent Push believes all domains associated with FUNNULL CDN and infrastructure laundering present some level of risk.
Our analysts construct Silent Push IOFA™ Feeds that provide a growing list of Indicators Of Future Attack™ data focusing on scams supported by this technique.
Silent Push Indicators Of Future Attack™ (IOFA™) Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.
Continuing to Track FUNNULL and Infrastructure Laundering
Our team continues to track FUNNULL CDN and threat actors utilizing infrastructure laundering in its ever-evolving forms. We will report our findings to the security community as we identify new developments and other threat actors that exploit this practice.
We will also continue to share our research on threats we discover with law enforcement. If you happen to have any tips about threat actors participating in infrastructure laundering or engaging in other types of crime obfuscation activities, our team would love to hear from you.