Treasury sanctions crypto scam facilitator that allegedly stole $200M from US victims

The Treasury Department on Thursday sanctioned Philippines-based Funnull Technology and its administrator Liu Lizhi for allegedly providing infrastructure that supported thousands of cryptocurrency investment scams, also known as “pig butchering.” 

Funnull directly aided the majority of virtual currency investment scam sites reported to the FBI, resulting in more than $200 million in losses for U.S.-based victims, the Treasury Department said in a news release. Average losses reported to the FBI surpassed $150,000 per individual, officials said.

“During cryptocurrency investment fraud scams, perpetrators pose as potential romantic partners or friends to gain victims’ trust, who are then convinced to invest in virtual currency,” the FBI said in a cybersecurity advisory published Thursday. Scammers set up sites that appear to be legitimate investment platforms, and ultimately pocket that money for themselves. 

Funnull purchases IP addresses, hosting services and other internet infrastructure from legitimate providers in the United States and sells those tools to cybercriminals conducting these scams, the FBI said. The agency said it identified 548 Funnull CNAME records linked to more than 332,000 unique domains since January 2025.

That number of domains is “pretty insane,” said Aidan Holland, security researcher at Censys. Funnull’s operation alone rides on roughly three times as many domains as those linked to toll road scams, he said. 

“It’s kind of impressive that they were able to do that at that scale” in less than two years, Holland added.

Funnull uses domain generation algorithms to create domain names for sites on its IP addresses and provides web design templates to cybercriminals, officials said. This combination of services helps cybercriminals impersonate trusted brands with similar names for sites and enables scammers to quickly move operations to different domains and IP addresses. 

The FBI observed multiple patterns of IP address activity on Funnull infrastructure between October 2023 and April 2025, including the simultaneous migration of hundreds of domains to other IP addresses.

Funnull also in 2024 purchased a repository of code used by web developers, the Treasury Department said. The outfit maliciously altered the code to redirect legitimate site visitors to scam sites and online gambling sites, including some allegedly linked to Chinese criminal money laundering operations, officials said. 

“Today’s action underscores our focus on disrupting the criminal enterprises, like Funnull, that enable these cyber scams and deprive Americans of their hard-earned savings,” Michael Faulkender, deputy secretary of the Treasury Department, said in a statement.

The broad takeaway from the Treasury Department and FBI actions is positive, but the lasting impact of the sanctions is unclear, said Allan Liska, threat intelligence analyst at Recorded Future.

“You’re really cutting off one of the arms of the scam ecosystem, and that is a big deal because just having the call centers doesn’t work if you don’t have a way to process the money once you have somebody on the hook,” Liska said.

The Treasury Department’s Office of Foreign Assets Control sanctioned Funnull for supporting these alleged cybercrime activities. The agency also sanctioned Liu, a Chinese national, for acting on or behalf of Funnull.

Officials said Liu was in possession of spreadsheets and other documents containing information about Funnull’s employees, including details about their progress on tasks related to assigning domain names to cybercriminals, domains associated with virtual currency fraud, phishing scams and online gambling sites.