Release 4.3 has arrived! Learn how to use our expanded Brand Impersonation capabilities, and check out useful updates to Web Scanner, Live Scan and the UI!
Start detecting threats BEFORE they’re weaponized. Use our Web Scanner tool for free with Silent Push Community Edition: www.silentpush.com/community.
In this video, Director of Sales Engineering Maulik Limbachiya takes you through how to perform one-click pivots from within the Web Scanner results table, and how to customize your results table to best suit your use case.
Bulletproof hosting (BPH) refers to resilient server infrastructure used by threat actors to operate outside the reach of law enforcement. Under the U.S. sanctions against Aeza Group, the U.S. government froze the group’s U.S.-based assets and prohibited U.S. persons from transacting with it.
Silent Push Detects ASN Migration in Real Time
Silent Push Threat Analysts identified Aeza Group (AS216246 and AS210644) as a bulletproof hosting provider in early 2025. On July 20, 2025, Silent Push’s IOFA (Indicators of Future Attack)™ feed automatically detected a significant infrastructure shift: IP ranges from Aeza’s AS210644 began migrating to AS211522, a new autonomous system operated by Hypercore LTD.
This shift suggests an attempt to evade sanctions enforcement and continue malicious operations under new infrastructure.
One such example is IP address 83.147.192[.]5, which was previously associated with AS210644. On July 20, this IP was automatically reclassified in the Bulletproof Hosting IOFA™ feed to reflect its new association with AS211522.
BGP data from bgp.tools confirms that the 83.147.192[.]0/24 subnet has been announced by both ASNs, supporting the attribution.
According to Silent Push data, AS211522 was allocated on July 10, 2025, as confirmed by a search in the Total View platform. The data also shows that the ASN already originates over 2,100 IP addresses, an unusually rapid ramp-up for an ASN that is only days old.
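The following Python script is an added example of the kind of origin-change check described above; it is not Silent Push’s IOFA feed logic. It uses a small constructed set of BGP observations (the 83.147.192.0/24 move from AS210644 to AS211522 plus a control prefix in RFC 5737 documentation space) in place of a live bgp.tools or RIS export, and the WATCHED_ASNS set and the observation tuple layout are assumptions of the example.

```python
"""Flag prefixes whose BGP origin ASN changed, with emphasis on space leaving an
ASN already tagged as bulletproof hosting. Added example with constructed data."""
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed observations: (observed_on, prefix, origin_asn). In practice these
# would come from a bgp.tools / RIPE RIS export rather than being hard-coded.
SAMPLE_OBSERVATIONS = [
    (date(2025, 7, 1),  "83.147.192.0/24", 210644),   # Aeza Group
    (date(2025, 7, 10), "83.147.192.0/24", 210644),
    (date(2025, 7, 20), "83.147.192.0/24", 211522),   # Hypercore LTD
    (date(2025, 7, 1),  "203.0.113.0/24",  64500),    # control: RFC 5737 doc space
    (date(2025, 7, 20), "203.0.113.0/24",  64500),
]

# ASNs the analyst already classifies as BPH (assumed watch-list for the example).
WATCHED_ASNS = {216246, 210644}


def origin_changes(observations):
    """Return (prefix, old_asn, new_asn, observed_on) for every origin flip,
    ordered by prefix then date. Prefixes are validated as CIDR strings."""
    by_prefix = defaultdict(list)
    for observed_on, prefix, asn in observations:
        ipaddress.ip_network(prefix)           # raises on a malformed prefix
        by_prefix[prefix].append((observed_on, asn))
    changes = []
    for prefix in sorted(by_prefix):
        rows = sorted(by_prefix[prefix])       # chronological; same-day ties break on ASN
        for (_, prev_asn), (observed_on, asn) in zip(rows, rows[1:]):
            if asn != prev_asn:
                changes.append((prefix, prev_asn, asn, observed_on))
    return changes


def migrations_from_watched(observations, watched=WATCHED_ASNS):
    """Only the flips that move space out of a watched ASN; the destination ASN
    is what a reclassification feed would tag next, so it is returned alongside."""
    return [c for c in origin_changes(observations) if c[1] in watched]


def newly_tagged_asns(observations, watched=WATCHED_ASNS):
    """ASNs that inherit the BPH tag because watched address space moved into them."""
    return sorted({new for _, _, new, _ in migrations_from_watched(observations, watched)})


def covering_prefixes(ip, observations):
    """Prefixes in the data set that cover a single address, e.g. to find which
    announcement 83.147.192.5 falls under."""
    addr = ipaddress.ip_address(ip)
    return sorted({p for _, p, _ in observations if addr in ipaddress.ip_network(p)})


if __name__ == "__main__":
    for prefix, old, new, when in migrations_from_watched(SAMPLE_OBSERVATIONS):
        print(f"{when}: {prefix} moved from AS{old} to AS{new}")
    print("ASNs to add to watch-list:", newly_tagged_asns(SAMPLE_OBSERVATIONS))
```

The check is deliberately conservative: a prefix announced by two ASNs on the same day sorts by ASN and can look like a flip and then a flip back, so a real deployment should collapse same-day rows before calling origin_changes, and should treat a flip from a watched ASN as a reason to tag the destination ASN rather than as proof of shared ownership.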
Silent Push Threat Analysts will continue to investigate ASN 211522 and welcome any leads related to suspicious bulletproof hosting infrastructure or additional context surrounding the Aeza Group IP migration.
Tracking Infrastructure Before It’s Weaponized
Through continuous infrastructure monitoring, Silent Push is able to detect and track emerging BPH providers before they’re widely used in active campaigns. The migration to AS211522 is likely either a rebrand by Aeza or a handoff to a closely aligned cybercriminal entity.
Silent Push IOFA™ feeds are designed to identify attacker infrastructure — before it’s operationalized. From bulletproof hosting to phishing domains, malware C2s, and more, Silent Push provides security teams with early, actionable visibility into the infrastructure behind tomorrow’s threats.
Black Hat USA 2025 is just around the corner, and the cybersecurity community is gearing up for one of the most important events of the year. While many organizations will be showcasing their latest products and services on the expo floor, our team is taking a different approach — focusing on meaningful, one-on-one conversations about the future of cyber defense.
Preemptive cyber defense is no longer just a buzzword; leading security teams are actively shifting their strategies to stop threats before they happen, rather than reacting after the fact. At Black Hat this year, we’ll be holding short, focused 1:1 sessions designed to help security teams assess their readiness and explore how to build stronger, proactive defenses.
If your team is struggling with alert fatigue, difficulty measuring ROI on detection tools, or relying heavily on post-breach intelligence, these sessions are for you. We’ll guide you through practical steps to move beyond reactive tactics and embrace a proactive, data-driven approach to security.
Why meet with us at Black Hat 2025?
Discuss the latest challenges in threat detection and prevention
Explore how preemptive defense can transform your security posture
Get personalized recommendations tailored to your organization’s needs
Spaces are limited, so we encourage teams attending Black Hat to book their session early. Make Black Hat 2025 the turning point for your proactive cyber defense strategy.
Book your session today and begin shifting from reactive to preemptive defense.
This hands-on session will show you how to use MX, SOA, and TXT records to uncover infrastructure, spot threats, and strengthen investigations using the Silent Push free Community Edition.
We’ll also compare traditional passive DNS (PDNS) data with Silent Push’s unique Passive Aggressive DNS (PADNS) data, which has enabled leading organizations across the world to detect threats earlier than ever before.
Date: 29 July 2025
Time: 10am ET // 4pm CET // 10am SGT // 12pm AEST
Location: Online – Zoom
Requirements: Silent Push free Community Edition | Sign-up here
Not all hosting providers play by the rules — some actively protect the worst cybercriminals. Access our on-demand webinar to get new insights from our latest report, exposing the hidden hosts behind today’s most persistent cyber threats.
Bulletproof Hosting (BPH) providers offer IP infrastructure that ignores abuse complaints, enabling some of the web’s most dangerous malicious traffic. While the community broadly agrees on what makes a host “Bulletproof,” identifying specific ASN ranges or providers requires deep expertise and nuance. This session will equip you with the knowledge to identify and combat these shadowy enablers.
Ready to dive deeper into the world of preemptive threat intelligence? Begin your journey with the Silent Push free Community Edition today.
In this episode of CyberScoop’s podcast, our CEO Ken Bagnall joins Greg Otto to explore the evolving cybercrime ecosystem. Ken discusses how much of today’s infrastructure is run by affiliate networks leveraging existing technologies — and how this model is shaping threats globally.
Ken also highlights how these operations are increasingly fueled by actors from Africa and other developing regions, offering a unique look at lesser-known aspects of the global cybercrime economy. Also featured in this episode: Greg Otto and Matt Kapko discuss the growing issue of remote IT workers tied to North Korea.
Listen to the original episode on CyberScoop Radio: https://cyberscoop.com/radio/in-this-episode-greg-otto-talks-with-ken-bagnall-ceo-of-silent-push-ken-sheds-light-on-the-dynamics-of-the-current-cybercrime-ecosystem/
Read more: The North Korea worker problem is bigger than you think https://cyberscoop.com/north-korea-technical-workers-full-time-jobs/
Cyber defense data is only as useful as the context that surrounds it.
Threat actors shift tactics daily and infrastructure spins up and vanishes in days or even hours. Isolated Indicators of Compromise (IOCs) aren’t enough. Security teams need connected intelligence – insight that illuminates not just a single alert, but the full shape of the infrastructure behind it.
By linking Silent Push’s visibility into global threat infrastructure with OpenCTI’s threat intelligence framework, teams can enrich their existing datasets with high-fidelity context, revealing more of an adversary’s digital footprint, including elements that traditional toolsets miss.
What Is OpenCTI?
OpenCTI (Open Cyber Threat Intelligence) is an open-source platform built to centralize, visualize, and correlate Cyber Threat Intelligence (CTI).
The platform supports structured intelligence sharing and collaboration using open standards such as STIX 2.1 and TAXII 2.1, and is used globally by SOCs, CERTs, and threat analysts to manage complex threat data in real time.
OpenCTI includes support for TAXII feeds, file-based imports, API integrations, and offers a flexible way for organizations to analyze threat intelligence at enterprise level.
Why Integrate Silent Push with OpenCTI?
Silent Push provides a uniquely preemptive view of attacker infrastructure, including unseen elements in the staging and early deployment phases.
Instead of chasing post-breach IOCs, our platform exposes Indicators of Future Attack (IOFA)™ – early warning signals based on attacker behavioral patterns, observed across our proprietary DNS and web content database.
By integrating Silent Push with OpenCTI, organizations gain the ability to:
Ingest Silent Push data via TAXII, ensuring it flows into OpenCTI in a structured format.
Enrich existing indicators in OpenCTI with deeper infrastructural and behavioral context.
Get curated threat reports via RSS feeds, including linked indicators and APT attribution.
Our bi-directional integration lets analysts move from reactive to preemptive defense, and from juggling alerts to taking action.
STIX and TAXII: Structured, Scalable Threat Data
At the heart of the integration is support for STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Intelligence Information).
Silent Push exposes TAXII endpoints that allow OpenCTI to pull in curated indicators, fully mapped to STIX 2.1 objects.
This ensures that indicators from Silent Push – domains, IPs, or URLs – arrive in a standardized format, automatically enriched with threat scoring and metadata such as hosting details, DNS context, and campaign links.
Our integration enables correlation at scale. Indicators brought in through TAXII can be immediately cross-referenced with existing data inside OpenCTI, powering visualizations, alerts, and investigative timelines.
End-to-end Indicator Enrichment
The Silent Push Enrichment Connector, officially part of the OpenCTI ecosystem, is designed to deliver contextual intelligence precisely when analysts need it – during investigations.
Once deployed, the connector monitors domains, IPs and URLs already present in OpenCTI and, on a scheduled or manual basis, retrieves matching enrichment from the Silent Push API.
Enrichment is delivered as STIX 2.1 bundles that OpenCTI ingests through its internal processes, so analysts don’t need to leave the platform or run manual queries; context flows directly into their workflows. Each enrichment adds:
Threat tags and reputation scoring from Silent Push
Discovery of associated infrastructure and campaign patterns
The result is faster triage, better attribution, and higher confidence in decision-making.
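As an added example of the STIX 2.1 bundles discussed in this post (indicators mapped to STIX 2.1 objects under “STIX and TAXII”, and enrichment bundles under “End-to-end Indicator Enrichment”), the Python below builds a small bundle with only the standard library and checks it for the problems an ingest would reject. It is not the Silent Push connector’s code: the observable values, the campaign name, the score-to-confidence mapping and the x_example_reputation_score custom property are constructed for illustration.

```python
"""Build and sanity-check a STIX 2.1 bundle of the shape an enrichment connector
hands to OpenCTI. Standard library only; all values below are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone

# Namespace the STIX 2.1 spec assigns for deterministic (UUIDv5) SCO identifiers.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def refang(value: str) -> str:
    """Undo report-style defanging ([.] and hxxp) before a value enters a pattern."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def stamp() -> str:
    """STIX timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sco(sco_type: str, value: str) -> dict:
    """Cyber-observable (domain-name, ipv4-addr, url). The id is derived from the
    value, so re-ingesting the same observable cannot create a duplicate."""
    value = refang(value)
    seed = json.dumps({"value": value}, separators=(",", ":"), sort_keys=True)
    return {"type": sco_type, "spec_version": "2.1",
            "id": f"{sco_type}--{uuid.uuid5(SCO_NAMESPACE, seed)}", "value": value}


def indicator(sco_type: str, value: str, score: int, labels: list) -> dict:
    """Indicator whose pattern matches the observable. The vendor score is clamped
    into STIX 'confidence' (0-100) and kept verbatim in a hypothetical x_ property."""
    value = refang(value).replace("'", "\\'")   # single quote is the pattern delimiter
    now = stamp()
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": now, "modified": now,
            "name": value, "pattern": f"[{sco_type}:value = '{value}']",
            "pattern_type": "stix", "valid_from": now, "labels": labels,
            "confidence": max(0, min(100, score)),
            "x_example_reputation_score": score}   # assumed custom property name


def sdo(sdo_type: str, name: str) -> dict:
    """Minimal domain object (campaign, intrusion-set, ...) to hang indicators on."""
    now = stamp()
    return {"type": sdo_type, "spec_version": "2.1", "id": f"{sdo_type}--{uuid.uuid4()}",
            "created": now, "modified": now, "name": name}


def relationship(src: dict, dst: dict, rel_type: str) -> dict:
    now = stamp()
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--{uuid.uuid4()}", "created": now, "modified": now,
            "relationship_type": rel_type, "source_ref": src["id"], "target_ref": dst["id"]}


def bundle(objects: list) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def check_bundle(b: dict) -> list:
    """Return the problems an ingest would trip on: malformed ids, missing
    spec_version, unbracketed patterns, relationships pointing outside the bundle."""
    problems, ids = [], {o["id"] for o in b["objects"]}
    for o in b["objects"]:
        if not ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            problems.append(f"bad id {o['id']}")
        if o.get("spec_version") != "2.1":
            problems.append(f"{o['id']} lacks spec_version 2.1")
        if o["type"] == "indicator" and not re.fullmatch(r"\[.+\]", o.get("pattern", "")):
            problems.append(f"{o['id']} malformed pattern")
        for key in ("source_ref", "target_ref"):
            if key in o and o[key] not in ids:
                problems.append(f"{o['id']} dangling {key}")
    return problems


def build_example_bundle() -> dict:
    """Constructed sample: two indicators, their observables, and one campaign."""
    campaign = sdo("campaign", "Example investment-scam campaign (constructed)")
    objs = [campaign]
    for sco_type, value, score in (("domain-name", "login-example[.]test", 92),
                                   ("ipv4-addr", "198.51.100[.]7", 80)):
        obs, ind = sco(sco_type, value), indicator(sco_type, value, score, ["malicious-activity"])
        objs += [obs, ind,
                 relationship(ind, obs, "based-on"),      # OpenCTI indicator->observable link
                 relationship(ind, campaign, "indicates")]
    return bundle(objs)


if __name__ == "__main__":
    b = build_example_bundle()
    print(json.dumps(b, indent=2))
    print("problems:", check_bundle(b) or "none")
```

Two design points matter in practice: observables get deterministic UUIDv5 ids so a scheduled re-enrichment of the same domain merges into the existing object instead of duplicating it, and every relationship is checked against the ids in the same bundle, because a dangling source_ref or target_ref is the most common reason a connector’s bundle is rejected or silently dropped on import.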
Threat Reports via RSS: Human-Readable, Machine-Usable
In addition to structured indicators, Silent Push also supports RSS-based ingestion of threat reports, providing strategic context and narrative intelligence directly within OpenCTI.
These feeds enable organizations to:
Automatically ingest new threat reports as they’re published
Parse and convert data into structured STIX objects
Link any threat entities – such as APT groups, malware, or tools – to active indicators
This allows analysts to see the bigger picture: not just what indicators exist, but why they matter, how they relate to ongoing campaigns, and what tactics they support.
Insight Through Visualization
Once ingested, Silent Push data comes to life through OpenCTI’s powerful visualization features, allowing analysts to:
Build dashboards tracking threats by source, type, and confidence
Use timeline views to trace infrastructure changes over time
Filter indicators by tags, campaign, or observable type
Explore heatmaps and geolocation overlays, if location data is available
These views make it easier to spot trends, detect anomalies, prioritize threats, and collaborate on investigations across internal security teams.
Easy Deployment, Continuous Enrichment
Deploying the Silent Push connector is straightforward, whether via Docker or manual setup. Once installed, the connector:
Enriches observables automatically at scheduled intervals
Can be triggered manually from within OpenCTI
Logs activity for transparency and debugging
Ingested data is transformed into STIX 2.1, so it is natively compatible with OpenCTI from the outset.
Whether you’re pulling indicators via TAXII or enriching observables in place, Silent Push fits directly into the OpenCTI data standards – no extra parsing, no manual translation.
Book An Integration Demo
Ready to transform your threat intelligence workflows? Get in touch to see how the Silent Push and OpenCTI integration brings attacker infrastructure into full view, before it becomes an incident.
We’ll show you how to enrich your existing threat data with IOFA™ insights, automate observable enrichment via STIX/TAXII, and visualize connected infrastructure inside OpenCTI.
Silent Push Threat Analysts have been mapping the scope of the FUNNULL content delivery network (CDN) and its use of Infrastructure Laundering to hide its infrastructure among major Western cloud providers such as Amazon and Microsoft, forcing defenders to stay constantly alert in order to detect and block its accounts. We labeled the threat actor network “Triad Nexus.”
FUNNULL CDN is a primary host for fraudulent websites targeting Americans. In May 2025 the Treasury Department and FBI issued joint advisories on FUNNULL, announcing that the network and its administrator, Lizhi Liu, had been added to the U.S. sanctions list for supporting scam investment sites.
We confirmed FUNNULL admin Lizhi Liu (also known as “Steve/Steven” Liu) maintains accounts on many major Western services. We’re providing this public report on potential accounts used by Liu in our support of U.S. organizations that may need to ban these accounts to ensure compliance with U.S. Treasury Sanctions frameworks.
During the persona mapping process, we also discovered anti-American and anti-Japanese content written by Liu and have included a brief analysis from his blog.
Our team notes that Liu is still actively using his Facebook account to update a group he manages about Ganzhou, China, making posts and content changes through June 2025, weeks after the sanctions were issued.
Brian Krebs (Krebs on Security) published this research in collaboration with Silent Push in his piece “Big Tech’s Mixed Response to U.S. Treasury Sanctions,” confirming that enterprise companies are responding to the U.S. Treasury sanctions in different ways, with not all companies immediately banning the accounts or taking significant action.
In May 2025, when the Treasury and FBI announced U.S. sanctions against FUNNULL and its administrator, Lizhi Liu, we were pleased to see renewed attention on this ongoing threat from China.
Because our data had already shown that the FUNNULL CDN was behind a large share of investment scam websites, we were unsurprised to see the Treasury Department announce, “Funnull is linked to the majority of virtual currency investment scam websites reported to the FBI.” The same announcement disclosed that FUNNULL CDN-hosted websites have caused over $200 million in losses to U.S. victims, with an average loss of $150,000 per individual from the finance schemes hosted on them. The FBI has ongoing efforts to reach victims affected by the FUNNULL-hosted campaigns.
After the May 2025 U.S. Treasury OFAC Sanctions were issued against FUNNULL and its admin Liu, additional details were made public in the Specially Designated Nationals List Sanctions Update about Liu’s other names and usernames he has across the internet.
Silent Push Threat Analysts have taken those usernames and further pivoted into Liu’s older personas, public blogs, and websites (listed throughout this report as identified), to reveal Western services and infrastructure that have yet to ban his accounts.
Google appears to be one of the few companies that have tracked Liu’s accounts and taken action against them. Liu’s YouTube channel (youtube[.]com/@nicelizhi) was recently taken down with no indication that Liu did it himself, based on his other live accounts and websites.
The following list of enterprise software companies, publishers, and social networks were found still hosting accounts owned by Lizhi Liu:
Lizhi Liu, also known as Steve Liu (additional personas explained below), is a 41-year-old male from China who has been an active web developer with a visible presence since at least 2010. Liu is the administrator of the FUNNULL CDN and appears to be both the lead developer and owner. Liu is also a father, has a small family, and has a long-term interest in fashion and photography.
An expert developer, Liu appears to be the brains behind the CDN. FUNNULL profits from “Infrastructure Laundering”: it consistently abuses Western cloud providers to illicitly acquire accounts and quickly maps the resulting IPs into the FUNNULL infrastructure, essentially allowing threat actors to host their websites for free, primarily on Western providers.
Silent Push Threat Analysts believe it to be doubtful that Liu is the actual mastermind behind many of the investment schemes and money laundering networks hosted on FUNNULL. We dubbed this network “Triad Nexus,” since we believe various unnamed criminals are profiting from the scheme.
Historically a strong advocate of open-source software, Liu has written extensively on the topic, published open-source code repositories, and been actively engaged in a range of developer forums and communities.
Liu also has written statements that could be considered “anti-American” and “anti-Japanese” on his blogs, although he rarely wrote about politics, and these were outlier comments.
Silent Push threat analysts believe Liu is now attempting to conceal the infrastructure that FUNNULL hosts in the wake of the U.S. sanctions.
The remainder of this report contains a persona profile of FUNNULL admin Liu, along with links to some of his still-active profiles and websites. Many are hosted on Western providers who likely need to ban the accounts to comply with U.S. Treasury sanctions against him.
Address
Puxinggong Road, 9688, Alley No. 5, Haiwan Town, Fengxian District, Shanghai, China
DOB
November 13, 1984
Gender
Male
China National ID Number
36070219841113373X
Phone Numbers
13524084051 (old)
+86 18217614046 (old)
Usernames
NICE LIZHI
NICELIZHI
XXL4
kongfaceworld
cdndns
zylinkus
phpedu
cnphp
modelsnetcn
chinawolfs
shanghaiopensource
QQ: 3139319
bmchaoshi (Used on his blog cnphp.wordpress[.]com but seemingly nowhere else)
Emails
nice.lizhi@gmail[.]com
lizhi.liu@ymail[.]com
lizhi.liu@foxmail[.]com
chinawolfs@hotmail[.]com
chinawolfs@yahoo[.]com
chinawolfs@aol[.]com
steven@zylinkus[.]com
steve@models[.]net[.]cn
magentocommerce[.]com@gmail[.]com
zylinkus[.]com@gmail[.]com
liulizhi@liulizhi[.]info
GitHub and Public Repos
github[.]com/xxl4
github[.]com/nicelizhi
github[.]com/shanghaiopensource
github[.]com/zylinkus
github[.]com/NexaMerchant – NexaMerchant is an e-commerce company owned by Liu
NexaMerchant further promoted on models[.]net[.]cn (models[.]net[.]cn/nexa-merchant)
packagist[.]org/packages/nicelizhi/
pkg.go[.]dev/github.com/nicelizhi/easy-admin
uihub.licode[.]ai/directory/laravel-admin
Websites
zylinkus[.]com
models[.]net[.]cn
cnphp.wordpress[.]com
cnblogs[.]com/cnphp
mote001[.]com
nexa-merchant[.]vercel[.]app
liulizhi[.]info (Doesn’t appear to be currently owned by Liu) (Wayback Machine of the old blog shows it was active starting in 2010)
Social Profiles
medium[.]com/@cdndns
x[.]com/kongfaceworld
x[.]com/phpedu
youtube[.]com/@nicelizhi
buymeacoffee[.]com/nicelizhi
paypal[.]com/paypalme/nicelizhi
linkedin[.]com/in/zylinkus
linkedin[.]com/in/liulizhi
facebook[.]com/shgnahaizhiyan
facebook[.]com/webdesignshanghai
facebook[.]com/lizhi.liu
facebook[.]com/enjoyganzhou/
huggingface[.]co/xxl4
weibo[.]com/shzylinkus
deviantart[.]com/nicelizhi
Photos Used by Lizhi Liu
Photo of Lizhi Liu
Image of a hoodie used by Liu
Lizhi “Steve” Liu
The research included below contains significant amounts of screenshots and details, as we believe that many of these accounts will be banned and/or deleted in the coming days and weeks.
Pivots on Liu from Open Source Research Shared with District 4 Labs for Further Pivots Using Breach Data
Silent Push Threat Analysts shared the accounts and details found via the pivots in this research with District 4 Labs, who provided additional data and insights about Liu’s accounts.
Despite many pivots being shared back with us, due to the common name of “Lizhi Liu” (and Steve/Steven Liu), it was impossible to confirm that Liu truly owned all of the potential accounts and infrastructure that we have been tracking.
However, Liu’s email address, “chinawolfs@hotmail[.]com,” has been in use for nearly two decades and is associated with a significant history of breaches.
The email address was used with two simple passwords that contained his name repeatedly on numerous services.
The first password was elementary, and we found it was associated with numerous people with the name “Lizhi Liu” – some of which were clear false positives – so we rejected that pivot, even though it likely generated a few true positives for niche legacy services.
However, Liu also reused a more complex password that included his birth year, month, and day, along with his name. We are not directly sharing the password he used because we don’t want to encourage password spraying efforts against his accounts. However, the email addresses associated with this unique password were used across multiple providers.
chinawolfs@yahoo[.]com
chinawolfs@hotmail[.]com
chinawolfs@aol[.]com
The first three emails use his persona “chinawolfs,” and we have strong confidence that these are directly controlled accounts.
The remaining accounts used other, seemingly random email addresses. We believe it’s possible that some of these came from “combo breach lists,” which contained bad data: a threat actor selling email/password lists may have padded the list with fake entries to make it larger and more saleable. As a result, we’re not making these other emails public and have shared them only with select organizations that can conduct private investigations into the accounts.
“Focus on Open Source Liu Li Zhizhi” – His 2010 Personal Blog
In 2010, Liu launched one of his personal blogs at cnphp[.]wordpress[.]com, which is still live in 2025. The blog was created in Chinese, but the screenshots we captured have been translated into English via Google Translate.
The “About” page on the blog features a variety of contact information, including email addresses and social media links for Liu. These accounts connect to many other pieces of infrastructure from different sources, confirming that this is the same Liu Lizhi, also known as Steven Liu.
The username “bmchaoshi” is exclusive to this website, but it appears to be an early Liu persona.
Source: cnphp[.]wordpress[.]com/about/
In July 2010, Liu posted his first blog explaining his goals to write and study more English.
On September 22, 2010, Liu posted a rare political blog (cnphp.wordpress[.]com/2010/09/22/) during China’s Mid-Autumn Festival.
The section below, as translated by Google Translate, is rough. Still, other translation services confirmed this is essentially a post about grievances toward Japan, and also, to a lesser degree, the United States.
The post includes the comment that “every Chinese citizen” has the idea to let “Japan disappear from the earth.”
Liu further states that even if China has corruption, “it does not belong to any country including Japan [or] the United States.”
Liu ends the piece with a bold statement about revenge: “The Chinese people have always been a nation that must repay grievances. Please let the world better understand the Chinese nation!”
Liu’s rare political blog post
Second “Focus on Open Source Liu Li Zhizhi” Blog from 2010
Liu published another personal blog around 2010 with a similar title to the one hosted on WordPress, with this one hosted at liulizhi[.]info.
The content on this blog focuses on business optimization, life hacks, and a limited amount on technology issues. Most of the “blog posts” were hyperlinks to third-party content, but there is potentially some light original content here.
The “About” page for this blog features the name “Liu Lizhi” and three email addresses that align with other sources our team has observed:
chinawolfs@hotmail[.]com
liulizhi@liulizhi[.]info
nice.lizhi@gmail[.]com
The “About” page on Liu’s blog
Liu’s Personal Website Models[.]net[.]cn Highlights Interests in Computers, Fashion, and Some Politics
Liu has an active blog @ models[.]net[.]cn, which has seen over 900 posts since its launch in 2023 (models[.]net[.]cn/new-blog-start/).
Liu’s blog “models[.]net[.]cn/new-blog-start/”
The WHOIS details from Silent Push for models[.]net[.]cn show that the email “lizhi.liu@foxmail[.]com” was used to register the domain, with the first record seen on March 12, 2022.
DNS “A records” were first observed associated with this domain in March 2022, but it appears the blog wasn’t launched immediately.
The “name” used to register this domain was “上海志彦文化传播有限公司” which translates to “Shanghai Zhiyan Culture Communication Co., Ltd.” – the same name used on the Facebook page for “shgnahaizhiyan” (facebook[.]com/shgnahaizhiyan) which is connected to Liu through the zylinkus[.]com and mote001[.]com domains.
Source: “facebook[.]com/shgnahaizhiyan”
Liu appears to have edited some of the posts on models[.]net[.]cn on May 25, 2025, so the displayed publication dates cannot be taken as precise.
In the first and second posts on the site, which were backdated to the 1980s (models[.]net[.]cn/day/day-1984-11-13/), Liu explains the day he was born and the second day after his birth, providing some background on his family and name.
Liu’s “models[.]net[.]cn/day/day-1984-11-13/”
On September 7, 2012, there was a post (models[.]net[.]cn/page/97/), “Today is the day when my company was established, please record it.” It’s unclear if this is the predecessor to FUNNULL or a separate tech company.
This appears to be another back-dated post, with a recent edit made on May 25, 2025.
Liu’s “models[.]net[.]cn/page/97/”
In December 2023, Liu wrote a blog on Christmas (models.net[.]cn/weekendday-2023-12-24/) and the challenges he faced, hoping the next year would bring more prosperity.
Across the rest of the blog, there are a significant number of “photos of models” and various fashion magazine covers. This is interspersed with links to third-party news sites, including some that cover cybersecurity threats and others originating from China.
The “About” page (models.net[.]cn/about-me/) features a brief description under the heading
“Hi 👋,I’m Steve”:
“I’m a software engineer with a passion for building high-quality software products. I have experience in full-stack web development, mobile app development, and cloud computing. I enjoy working on challenging projects and solving complex problems. I’m always looking to learn new technologies and improve my skills.”
The “Tools” page of the website (models[.]net[.]cn/tools/) features hundreds of links to developer websites and repositories, further showing the amount of time Liu has spent engaging with developer communities on the internet.
Zylinkus, aka Shanghai Zhiyancheng (上海志彦成) – Possibly Liu’s First Company, Founded 2012
The domain zylinkus[.]com referenced on many of Liu’s social profiles features content from a “Steve Liu” and makes mention of a company founded in 2012 called “Shanghai Zhiyan,” which is described as:
“Shanghai Zhiyan was founded in 2012 and is a network service agency focusing on high-end website construction and brand communication. Years of training have given us rich experience in creative design, marketing promotion and technology research and development. We are good at listening to corporate needs, exploring the core value of brands, integrating high-quality design and the latest technology to create a valuable creative design experience for you. The core team has a senior team with more than 8 years of industry experience, covering professionals in various fields such as creativity, strategy, and technology. We firmly believe that every successful project is the result of good teamwork and provide customers with professional and effective network solutions.”
Example of the domain “zylinkus[.]com”
On the zylinkus[.]com website the Chat widget brand “Tawk[.]to” provides chat services for visitors.
This same Zylinkus brand also has a LinkedIn page where they use the name “Shanghai zy web design co.lltd” with the phone number “86.18217614046” which is also seen on the Zylinkus contact page (zylinkus[.]com/contact-us/).
Further searching for the phone number from the LinkedIn page yields two pages on the Zylinkus domain. One is the Contact Us page, which states that Steve Liu is the founder of “SHZY Inc.” and repeats the “Shanghai Zhiyan was founded in 2012” description quoted above, confirming that the business is focused on website development.
Example of the Contact Us page: “zylinkus[.]com/contact-us/”
The phone number also connects to a unique product and “DNS” sales page on the Zylinkus domain: (zylinkus[.]com/dns/).
The “GUNDNS Smart DNS system” is briefly explained on this generic sales page, accompanied by stock images and some generic details. It seems this sales page was essentially left unfinished:
Source: “zylinkus[.]com/dns/”
The “GunDNS Smart DNS System” from Zylinkus, with code originally from “PowerDNS,” may be associated with the FUNNULL infrastructure; our investigation is ongoing.
Zylinkus also has a Facebook page (facebook[.]com/webdesignshanghai).
Mote001[.]com – Previous Effort to Recruit Models, Work in Fashion, Used “Jane Liu” Persona
In March 2018, Liu’s “@phpedu” Twitter account posted a series of tweets promoting mote001[.]com.
Liu’s “x[.]com/phpedu/status/969236051716984832”
The mote001[.]com website had the same content in 2018 as it did until late 2024, as seen on the Wayback Machine. The footer of the website states, “Powered by SHZY,” and links to zylinkus[.]com, which we confirmed is owned by Liu.
The site also carried an ICP number (a Chinese internet content provider license), 沪ICP备13038830号-4.
In 2021, Liu posted on Weibo about mote001[.]com, which can be seen here (weibo[.]com/3042772513/CeljQk2Sa) in Chinese, that translates to, “Recruit model acting, please email us @Mote001.”
Source: “weibo[.]com/3042772513/CeljQk2Sa”
The website features some fashion details, which align with his personal blog. The only writers on the site (“Wayback Machine” link) are named “Admin” and “Jane Liu” – the “Jane” persona is likely a pseudonym used by Steve Liu for the project.
Wayback Machine example of the writers “Admin” and “Jane Liu” on the website
Liu’s Third “Focus on Open Source” Blog
Liu also owns another low-quality developer blog hosted at cnblogs[.]com/cnphp – a Chinese service for hosting blogs. The blog was live from September 2023 until December 2024.
The title of the blog, when translated to English, is “Focus on open source Liu Li Zhizhi,” with the content primarily consisting of simple tutorials.
Liu’s third Focus on Open Source blog, “cnblogs[.]com/cnphp”
Google’s YouTube Potentially Banned Liu
Liu had a YouTube account under the username “NiceLizhi” (youtube[.]com/@nicelizhi) until it was banned in mid-June 2025. The account was opened on October 27, 2011, and had been live for nearly 14 years, featuring a series of developer demonstration videos for some of his projects.
The profile used the name “Steve,” with the description, “Full stack,DevOPS,Cloud Develop,Kubernetes, CDN, DNS.”
Liu linked to his GitHub profile at github[.]com/nicelizhi, which has since been renamed to github[.]com/xxl4, and a Twitter profile at twitter[.]com/kongfaceworld.
Liu’s YouTube channel: “youtube[.]com/@nicelizhi”
The YouTube profile associated with this account features a model who is also showcased on a separate personal website, which includes numerous photos of models.
youtube[.]com/@nicelizhi
2013 Google Code Archive for Zylinkus: Still Live
Liu’s Zylinkus, also known as Shzy, had a Google Code Archive created on February 26, 2013.
Code created in 2013 for Liu’s Zylinkus is still active
2011 Google Groups Post from “Lizhi” Connects to Numerous Liu Personas
In November 2011, user “liulizhi,” with the display name “lizhi,” posted a guide, “Performance Tuning Guidelines for Windows Server 2003,” that included contact details connecting to numerous Liu personas and accounts:
Name: lizhi http://about[.]me/liulizhi
Weibo: http://weibo[.]com/phpedu
MSN: chinawolfs@hotmail[.]com
Tel: 86.13524084051
QQ: lizhi.liu@foxmail[.]com
Services: http://www.liulizhi[.]info/services/
2011 Google Groups post: “groups.google[.]com/g/liulizhi/c/gpWJuBt3jaw”
Liu’s About[.]Me Profile Connects to Active LinkedIn, Flickr Accounts
The About[.]me profile for Lizhi Liu (about[.]me/liulizhi), linked from his Google Groups signature, further links to his Flickr and LinkedIn accounts:
linkedin[.]com/in/liulizhi/
flickr[.]com/people/liulizhi/
Liu’s “about[.]me/liulizhi”
Liu’s Personal Flickr Started in 2010, 1,000+ Images Publicly Available
Liu’s personal Flickr account (flickr[.]com/photos/liulizhi/) was created in 2010 and uses the name “Liu Lizhi” and a profile photo seen on some of his other social accounts.
The account currently has 34,000 views, 16 tags, and over 1,000 photos.
Liu’s personal Flickr account: “flickr[.]com/photos/liulizhi/”
This personal account features hundreds of photos of models and various stock photography, along with a few pictures of Liu himself in multiple poses.
It appears all the images of Liu can be seen under the tag “刘理志”, which translates to “Liu Lizhi.”
Images of Liu accompany hundreds of models’ photos on “flickr[.]com/photos/liulizhi/tags/刘理志/”
Liu’s “Model ZY” Flickr Account: Currently Private
The “Model ZY” Flickr account, created in June 2013 with the email address “steven@zylinkus[.]com,” has over 120,000 views and 82 tags, but no images are currently public.
The account was made private at some point, but based on the view and tag counts, it is likely that the images are still stored in the account as private uploads.
Liu’s “flickr[.]com/people/zymodel/”
Liu’s GitHub Profile Shows Significant Open Source Collaboration, GunDNS Code
Liu’s GitHub profile is currently github[.]com/xxl4
Original profile @ github[.]com/nicelizhi
The “@xxl4” GitHub profile features the name “Steve” and the bio, “I’m currently a full stack developer and SRE engineer.”
The GitHub profile promotes three domains:
models[.]net[.]cn
Liu’s profile on huggingface[.]com/xxl4
Liu’s writing at medium.com/@cdndns
Liu’s GitHub profile
The profile photo for Liu’s “xxl4” profile on GitHub is odd – it’s not him. The original image was taken of someone in the “Tactical Air Control Party (TACP) Airmen with the New Jersey Air National Guard’s 227th Air Support Operations Squadron” – the original photo can be seen here. The GitHub profile photo is identical:
Profile photo from Liu’s “xxl4” GitHub account
One of Liu’s repositories, called “GunDNS-Admin,” appears to be a clone of “PowerDNS-Admin” and has over 130 contributors to the code.
The “GunDNS-Admin” project has many of the same contributors as “PowerDNS-Admin,” which is a popular open source repository (github[.]com/PowerDNS-Admin/PowerDNS-Admin). Liu’s relationship to this community and code is unclear, but it appears to be one of his more engaged repos.
NexaMerchant GitHub Organization
NexaMerchant (github[.]com/NexaMerchant) appears to be an unpopular open-source service created by Liu and hosted on GitHub, which connects to several of his other GitHub profiles.
The project is described as a “Free laravel ecommerce” framework.
“github[.]com/NexaMerchant”
On the NexaMerchant “Followers” page (github[.]com/orgs/NexaMerchant/followers), there are unique “Suspended” notes visible next to four of the profiles, even though they are still visible and active on GitHub.
The NexaMerchant Followers page: “github[.]com/orgs/NexaMerchant/followers”
The four profiles with the “Suspended” note associated with NexaMerchant are:
github[.]com/shanghaiopensource – includes links to zylinkus[.]com in the profile and appears to be the original GitHub account used by Liu’s first company, “Shanghai Zhiyancheng”
github[.]com/zylinkus – another official zylinkus[.]com profile
github[.]com/xxl4 – Liu’s personal GitHub account, tied to numerous other details
github[.]com/heomai – only connections to NexaMerchant and other Liu personas – started the xxl4 “Easy-admin” repo
Source: “github[.]com/heomai?tab=stars”
NexaMerchant claims to be a payment gateway working with numerous financial corporations. Their list of claimed partners includes:
The “NiceLizhi” profile on Deviant Art (deviantart[.]com/nicelizhi) was created within the last six months, so it originated in late 2024 or 2025. The profile includes the name “Steve Liu” and has the birthdate set as November 13, the exact birthdate released by the U.S. Treasury Department.
The location was set as Hong Kong, and the pronouns used when signing up were “They/Them.”
Liu’s website: “deviantart[.]com/nicelizhi”
Liu’s Gravatar Profile Uses the Name “Steven Lizhi”
Liu’s Gravatar profile (gravatar[.]com/nicelizhi) with the username “Nicelizhi” uses the name “Steven Lizhi” and a unique profile photo from a 2017 fashion shoot for “Shuba Magazine.”
Let’s Encrypt Profile, Active Posting for 1 Month in 2018, Active Account Through 2024
“Steven Liu” created his Let’s Encrypt account in 2018, and it remained active for a month (community[.]letsencrypt[.]org/u/nicelizhi/summary). However, it was last observed on December 18, 2024, indicating that he has maintained his account for six years.
Hugging Face Comment & Metadata Indicate Liu Uses an Apple Laptop
Liu has a Hugging Face profile (huggingface[.]co/xxl4) with the username “xxl4” and the first name Steve. The profile photo is for NexaMerchant, and features a link to his xxl4 GitHub along with the domain “models[.]net[.]cn.”
Liu’s Hugging Face profile: “huggingface[.]co/xxl4”
It appears that Liu loaded his “Hardware settings” via Hugging Face, which indicates he has an Apple M1 Pro with 16GB of RAM and a 32GB 13th Generation Intel Core (i7).
Liu’s laptop specs loaded in “hardware settings” on Hugging Face
In a Google Gemma-7b discussion on Hugging Face, Liu was having trouble getting the model to run. A user at Google provided comments reminding him that 20GB of RAM was needed, and Liu responded, “Thank you, and now i don’t have GPU, i use CPU, my computer is 32G RAM memory, i want to change a smaller models to debug.”
In March 2008, the Chinese Ubuntu forum featured a post from a user with the handle “chinawolfs@hotmail[.]com,” which was known to be used by Liu.
The Ubuntu user was from “Shanghai” and asked several beginner questions about getting started with developing projects in PHP on Ubuntu Linux.
Chinese Ubuntu forum page: “forum.ubuntu[.]com.cn/viewtopic.php?t=112707”
Liu asked questions on the forum page: “forum.ubuntu[.]com.cn/viewtopic.php?t=112707”
Liu Lizhi’s Slideshare Connects to “ChinaWolfs” Persona and Personal Website
Liu Lizhi uses what appears to be a “South Park” profile photo on his Slideshare account, which promotes the domain “liulizhi[.]info” and uses the username “chinawolfs.”
The account features four developer presentations from 15 and 16 years ago, created by other individuals, as well as “likes” for several developer presentations. Additionally, it includes a document, “The Psychology of Selling” by Brian Tracy, and a document about Ubuntu Linux.
Liu’s location is listed as “ShangHai China,” and his occupation as “manager” and “WEB Dev & Database DEV.”
slideshare[.]net/chinawolfs
Liu’s SlideShare: “slideshare[.]net/chinawolfs”
Liu’s PayPal Profile
Liu also has a PayPal profile at paypal[.]com/paypalme/nicelizhi. He uses the name “Liu Lizhi” on the profile “nicelizhi,” and the location is set to Shanghai.
Steven Liu (刘理志) has a Facebook profile (facebook[.]com/lizhi.liu) with 291 friends and a location set to Shanghai, China. Liu’s “Intro” text is “小白” which translates to “noob.”
All other details on the account have been locked down and made private.
Source: “facebook[.]com/lizhi.liu”
Liu is still actively using his Facebook account even after the U.S. Treasury sanctions were issued, with edits to his Facebook Group (facebook[.]com/groups/ganzhou) occurring as recently as June 22, 2025, when he changed the group name from “赣州” (Ganzhou) to “赣州-客家摇篮” (Ganzhou – Cradle of Hakka).
Liu’s “facebook[.]com/groups/ganzhou”
There are two admins of this Ganzhou Facebook Group – Liu controls both accounts.
Liu also controls another Ganzhou tourism page called “赣州” (facebook[.]com/enjoyganzhou/) with over 1,000 followers, where he promotes his email “nice.lizhi@gmail[.]com” along with the government domain “ganzhou[.]gov[.]cn.” The most recent post from this page was in August 2024.
Liu controls the tourism page: “facebook[.]com/enjoyganzhou/”
In March 2017, Liu created a Facebook page (facebook[.]com/modelsnetcn) named “中国模特演艺人才网” which translates to “China Models and Performing Arts Talent Network.” This was renamed in March 2022 to the current name, “models[.]net[.]cn.”
Liu’s models page: “facebook[.]com/modelsnetcn”
This “models[.]net[.]cn” Facebook page uses the email address “steve@models[.]net[.]cn.”
Liu’s models[.]net[.]cn Facebook page
The “models[.]net[.]cn” Facebook page links to both the “models[.]net[.]cn” domain and the “mote001[.]com” domain – both have been observed as connected to Liu elsewhere.
The “models[.]net[.]cn” page connected back to Liu
Liu created a Facebook Group (facebook[.]com/groups/models.net.cn/) in April 2014, which is still live, promoting his Chinese modeling and photography efforts on the domain mote001[.]com and models[.]net[.]cn.
Source: “facebook[.]com/groups/models.net.cn/”
In 2018, Liu organized two Facebook events that are still live on Facebook.
The first event (facebook[.]com/events/1987558024892514/1987558044892512/), from August 16, 2025, was described as:
“In order for our descendants to have more information about Ganzhou’s traditional culture, and to do something about the gradual loss of Ganzhou culture. I hope that all of our members can keep the pictures, texts, videos and other materials collected from various areas. We will review these materials and update them to the Wikipedia column. Information receiving address: nice.lizhi@gmail[.]com”
The second Facebook event (facebook[.]com/events/shanghai-china/get-together/2139435819601167/) was hosted on September 30, 2018, and titled “Get Together,” with a Chinese description that translates to, “Gather friends in Shanghai to get together during the National Day and see if there are more opportunities for collaboration.”
Liu also has another Facebook page for his “zylinkus[.]com” development company (facebook[.]com/webdesignshanghai/), which was created in August 2012.
Source: “facebook[.]com/webdesignshanghai/”
PHP[.]net Post in 2010 from Liu Closed by Testy Member, Calling His Problem “Bogus”
The profile “chinawolfs at hotmail dot com,” seemingly controlled by Liu, posted a comment in 2010 on the PHP[.]net forums (bugs.php[.]net/bug.php?id=52684&edit=2) about a problem he was having. Two people responded to the thread, largely resolving his issue, with the final one calling it “bogus” due to the perceived simplicity of the problem.
Silent Push Threat Analysts released this research as a reminder to enterprise organizations that when the U.S. Treasury sanctions an individual, there are expectations to identify accounts owned by those individuals and potentially terminate service to them.
All defenders need to be aware of the “pig butchering” investment fraud schemes and money laundering websites that are hosted on the FUNNULL CDN and take actions to not only defend their users and networks from these websites, but also to ensure that services provided to this sanctioned entity and the admin running its network are reviewed and potentially terminated.
Our team continues to investigate the FUNNULL CDN and related Triad Nexus threat actors, who host their malicious scam websites via this CDN. Silent Push Enterprise customers enjoy customer-only reporting streams on this threat and many others. Where possible, we will share the details that can be made public here with our readers.
Silent Push Threat Analysts followed a tip from Mexican journalist Ignacio Gómez Villaseñor about a threat actor targeting “Hot Sale 2025,” an annual sales event similar to “Black Friday” in the U.S.
Our team pivoted from that Mexico-centric campaign into thousands of websites that broadly targeted a more global audience with abundant waves of fake marketplace scams.
We identified a private technical fingerprint associated with this infrastructure, which contains Chinese words and characters to strongly indicate that the developers of this network are from China.
Our analysts observed this threat actor group building multiple phishing websites with pages spoofing well-known retailers, including Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans.
The threat actor has also been caught abusing online payment services, including MasterCard, PayPal, and Visa, as well as payment security techniques such as Google Pay, across the campaign’s network of scam websites.
Executive Summary
From a lead gained through a recent X/Twitter post by Mexican journalist Ignacio Gómez Villaseñor, Silent Push Threat Analysts have been investigating a new phishing e-commerce website scam campaign.
The original campaign observed was targeting Spanish-language visitors shopping for the “Hot Sale 2025.” The research by Gómez Villaseñor focused on specific domains found on one IP address targeting Spanish-language audiences; however, it was but one slice of a much larger campaign.
As we began our deeper research, our team soon uncovered a much broader fake marketplace scheme targeting English and Spanish language audiences in many other countries outside of Mexico. After we found a private technical fingerprint associated with the threat actor’s infrastructure, which contained Chinese words and characters, we have high confidence that the developers of this network are from China.
Our team has uncovered thousands of domains spoofing various payment and retail brands in connection to this campaign including (but not limited to): PayPal, Apple, Wayfair, Lane Bryant, Brooks Brothers, Taylor Made, Hermes, REI, Duluth Trading, Omaha Steaks, Michael Kors, and many, many more peddling everything from luxury watches to garage doors.
Silent Push Threat Analysts have investigated a seemingly endless series of online retail campaigns involving threat actors employing various techniques to scam potential buyers out of their money.
This latest scam campaign targets English and Spanish language shoppers with fake marketplace ads, which we began investigating following a tip we discovered on journalist Ignacio Gómez Villaseñor’s May 26, 2025, X/Twitter post.
The campaign’s timing took advantage of the recent “Hot Sale 2025,” an annual shopping event sponsored by Asociación Mexicana de Ventas Online (AMVO) (amvo[.]org[.]mx/), which ran from May 26 to June 3, 2025.
Websites in this network don’t appear to actually process transactions or purchases, but instead steal credit card information entered on the (fake) payment page. The write-up from Gómez Villaseñor on Publimetro included this important detail from their testing (translated into English):
“In tests carried out by Publimetro México, by entering false bank card data into these portals, the system reacts as if you were actually processing a payment. A “reserved cart” timer and platform logos are displayed as Visa, MasterCard, PayPal, Oxxo, and SPEI. This simulation is done to gain user trust and steal your information without raising immediate suspicion.”
Our threat analysts observed that the threat actor had created multiple phishing websites with pages spoofing a wide array of retailers, many of which are well-known brands. The phishing pages feature products that appear to have been scraped from other sites and abuse online payment security techniques to orchestrate scam websites.
Additionally, as our team has continued to investigate this online scam, we have found multiple suspicious sites using Google Pay, which suggests that this threat actor group is also stealing payments (as Google Pay uses virtual credit card numbers) and then not actually delivering any of the supposedly “purchased” goods.
Google Pay Widget Integrated Into Sites to Take Real Payments
Some of the websites in this network, such as rizzingupcart[.]com, include genuine Google Pay purchase widgets.
These purchase widgets typically offer an extra layer of security protection to online shoppers, as Google Pay has a key security feature that uses virtual card numbers, which are randomly generated, instead of sharing buyers’ actual credit card details. Since credit card data is not accessible to merchants, threat actors behind fraudulent sites cannot typically steal it.
Despite the security of raw credit card information not being shared via this method, a threat actor can often circumvent the protection of virtual card numbers. Even when accepting payments made via this process, a threat actor can still successfully orchestrate its online scam by simply failing to deliver the ordered products after payment.
Example of the site “rizzingupcart[.]com/product/2-pieces-set-chair-printed-armchair-slipcover/” with Google Pay integrated to take real payments
Brands Mixed Between Domains and Sites
Our team found many sloppy deployments on sites such as “harborfrieght[.]shop” (note the misspelling of “freight”), which in theory would be promoting Harbor Freight Tools, yet the website instead featured a clone of the Wrangler jeans site:
The “harborfrieght[.]shop” fake website featured a clone of the Wrangler Jeans site
Brands and Organizations Targeted
The fake marketplace campaign has targeted numerous well-known brands. We are listing a few of the more popular organizations that have been targeted. We are also including screenshots when we were able to catch the phony sites still being viewable online:
Harbor Freight Tools
Wrangler Jeans
Guitar Center
Lane Bryant
Nordstrom
Omaha Steaks
REI
Thousands more…
Example of “guitarcentersale[.]com” spoofing Guitar Center
The site “guitarcentersale[.]com” spoofing retailer Guitar Center appears to offer children’s accessories with no sign of any musical instruments for sale.
Example of phony site, “omahasteaksbox[.]com”
The site “omahasteaksbox[.]com” tried to pattern its design on the actual Omaha Steaks website in its spoofing attempt by partially copying portions of legitimate content. The phony site appears somewhat convincing at first glance, but on closer inspection, it is a shoddy attempt at emulating the popular brand.
Another fake marketplace site, “nordstromltems[.]com” (note the URL has a lower-case “l” instead of an “i” for the word “items”), attempted to spoof the brand of retailer Nordstrom. This fake site only displayed casual kids’ accessories, rather than the breadth of high-end clothing, accessories, shoes, and cosmetics typically associated with the Nordstrom brand, which caters to women, men, and children.
Our team also noted the phony site builder merely cloned the entire site for “guitarcentersale[.]com” and used it for the “nordstromltems[.]com” site, which further confirmed it was the work of the same threat actor.
Example of the phony site for “nordstromltems[.]com” – a direct copy of the fake site: “guitarcentersale[.]com”
Another site, spoofing the well-known Brooks Brothers brand, scraped parts of the legitimate website but then listed selections of clothing at impossibly low prices—especially for the BB brand.
Example of the phony site, “brooksbrothersofficial[.]com” abusing the Brooks Brothers’ brand
Our team found numerous additional sites abusing clothing brands, including one site “josbankofficial[.]com” that attempted to spoof the historic menswear merchant Jos. A. Bank.
Example of phony site, “josbankofficial[.]com” spoofing the Jos. A. Bank website
Example of fake website “tommyilfigershop[.]com”
Our team also found a website attempting to spoof the premium clothing brand Tommy Hilfiger. Unlike the typical designer clothing found on the legitimate Tommy Hilfiger site, the spoof site, “tommyilfigershop[.]com” (note the missing “h” for the Hilfiger name and multiple misspellings on the home page) displays a model promoting women’s casual wear advertised by the brand “Autumvwindsss.”
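The naming tricks described above (commerce affixes such as “sale,” “box” and “official,” dropped or transposed letters, and a lower-case “l” standing in for “i”) can be folded out of a domain before comparing it to a brand watchlist. The following triage script is an added example, not Silent Push code; the brand tokens, affix list and allowlist are assumptions, and the sample domains are the defanged ones quoted in this report.

```python
"""Brand-lookalike domain triage (added example, not Silent Push code).
Folds affixes, confusable letters and small typos out of a domain before
comparing it to a brand watchlist; all names below are assumptions."""
import re

# Confusable letters collapse to one class; applied to brands and domains alike.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})
# Filler the campaign appends to brand names (assumed list, extend as needed).
AFFIXES = ("official", "outlet", "online", "store", "items", "sale", "shop", "box")
# Display name -> canonical tokens (assumed watchlist built from the report).
BRANDS = {"Harbor Freight Tools": ["harborfreight"], "Nordstrom": ["nordstrom"],
          "Guitar Center": ["guitarcenter"], "Omaha Steaks": ["omahasteaks"],
          "Brooks Brothers": ["brooksbrothers"], "Jos. A. Bank": ["josabank", "josbank"],
          "Tommy Hilfiger": ["tommyhilfiger"], "REI": ["rei"]}
# Domains the brands really own (assumed allowlist; load yours from inventory).
ALLOWLIST = {"harborfreight.com", "nordstrom.com"}


def canonical(text):
    """Lower-case, keep [a-z0-9], fold confusables."""
    return re.sub(r"[^a-z0-9]", "", text.lower()).translate(CONFUSABLES)


def core_label(domain):
    """Second-level label of a (possibly defanged) domain with affixes peeled.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    label = canonical(labels[-2] if len(labels) > 1 else labels[0])
    stripped = True
    while stripped:  # peel "official", "sale", ... from the end, repeatedly
        stripped = False
        for affix in map(canonical, AFFIXES):
            if len(label) > len(affix) and label.endswith(affix):
                label, stripped = label[: -len(affix)], True
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "ie" <-> "ei"
    return d[-1][-1]


def match_brand(domain):
    """Closest brand as (name, distance), or None if clean or allowlisted."""
    if domain.lower().replace("[.]", ".") in ALLOWLIST:
        return None
    label, best = core_label(domain), None
    for brand, tokens in BRANDS.items():
        for token in map(canonical, tokens):
            # Short brands must match exactly; longer ones tolerate 1-2 edits.
            budget = 0 if len(token) < 6 else 1 if len(token) < 12 else 2
            dist = osa_distance(label, token)
            if dist <= budget and (best is None or dist < best[1]):
                best = (brand, dist)
    return best


def find_lookalikes(domains):
    """Map each flagged domain to its (brand, distance)."""
    return {d: m for d in domains if (m := match_brand(d))}


# Constructed sample: defanged domains quoted in the report plus one real domain.
SAMPLE_DOMAINS = [
    "harborfrieght[.]shop", "nordstromltems[.]com", "guitarcentersale[.]com",
    "omahasteaksbox[.]com", "brooksbrothersofficial[.]com", "josbankofficial[.]com",
    "tommyilfigershop[.]com", "rizzingupcart[.]com", "nordstrom.com",
]

if __name__ == "__main__":
    for domain, (brand, dist) in find_lookalikes(SAMPLE_DOMAINS).items():
        print(f"{domain:30} -> {brand} (edit distance {dist})")
```

Domains that carry no brand string at all, such as rizzingupcart[.]com, are not caught by this check and still need infrastructure-based pivots like the fingerprint described in this report.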
During the course of our research, we determined that many of the fake marketplace sites had been blocked by their hosts once they were discovered (a given site’s fake content was frequently replaced with red warning messages instructing users not to continue browsing on some suspicious domains). However, despite many sites being taken down by both hosts and defenders, thousands remain active as of June 2025. In the face of these types of scaled-up, persistent threats, traditional methods appear unable to hold back the tide.
Continuing to Track the Mexican Hot Sale / Chinese Fake Marketplace Phishing Campaign
Silent Push Threat Analysts will continue to track this Fake Marketplace Chinese Phishing Campaign and update our findings with future posts and reports as we uncover new developments.
If you or your organization has any information on this threat actor, we would love to hear from you.
Mitigation
Silent Push believes that all websites associated with this campaign represent some level of risk. This fake marketplace campaign primarily targets consumers with a phishing threat that exploits major brands, well-known organizations, and the fame of some political figures.
Our analysts have developed a series of Silent Push IOFA™ feeds in response to these types of phishing efforts to best protect our customers from global threats.
Silent Push IOFA™ Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.
Sample Indicators Of Future Attack™
Silent Push is sharing a small sample of our Indicators Of Future Attack™ (IOFA™) list, which we associate with the Mexican Hot Sale/Chinese fake marketplace phishing campaign to support ongoing efforts within the community. Our enterprise users have access to an IOFA™ feed currently containing significantly more indicators from this campaign.