US Sanctions: Romance Scam Targeting Digital Infrastructure


U.S. Treasury Identifies Funnull Technology as a CDN for Cybercriminals


The U.S. government has placed sanctions on a Philippine company, Funnull Technology, which is alleged to operate a majority of romance bait scam websites. These sites exploit trafficked individuals who manipulate victims into investing in fraudulent projects.

The Department of the Treasury officially sanctioned Funnull and its administrator Liu Lizhi, citing the firm’s role as a content delivery network for these scams. The sanctions cut Funnull off from access to the international financial system dominated by the U.S. Treasury. Officials disclosed that Funnull had acquired large blocks of IP addresses from major cloud service providers and offered web design templates and domain names tailored for illicit purposes.

Funnull utilizes domain generation algorithms, which enable the swift production of numerous unique domain names, thereby allowing scam operations to proliferate while complicating takedown efforts by authorities. Liu Lizhi was responsible for managing domain assignments and evaluating the performance of the operations through meticulous record-keeping.

The FBI also released a comprehensive report detailing more than 332,000 domains tied to Funnull’s infrastructure since January. Authorities estimate that the operations facilitated by Funnull have resulted in approximately $200 million in losses for U.S. victims, translating to an average of $150,000 per individual affected. This figure is possibly an underrepresentation of the actual losses, as many victims do not report their experiences.

Romance bait scams, often referred to as “pig butchering,” have seen exponential growth as crime syndicates in Southeast Asia, predominantly of Chinese origin, forcibly recruit individuals into operational compounds. These individuals employ scripted interactions to deceive victims through popular messaging platforms, leading them to invest in fake cryptocurrency or non-existent enterprises.

Typical tactics employed in these scams include emotional manipulation, wherein scammers incrementally build trust with victims by displaying false investment gains followed by small withdrawals. Once victims are adequately entrapped, the scams ultimately collapse when the victims no longer wish to invest further. Such scams have been linked to global losses exceeding $4.4 billion.

A collaboration between public and private sectors led to the identification of 230 romance bait victims in July, recovering 33 million British pounds in the process. Additional investigations by security firm Silent Push revealed that nearly 40% of the infrastructure utilized by Funnull comprised IP addresses associated with major cloud providers like Microsoft Azure and Amazon Web Services. The firm also detected fraudulent trading applications and dubious gambling networks linked to Funnull’s operations.

In response to these revelations, both Microsoft Azure and Amazon Web Services moved to block Funnull’s associated IP addresses, but experts contend that these measures have not been swift enough to counter the criminal organization’s ongoing efforts to acquire new IPs.

In early 2024, there were indications that operators linked to Funnull had begun diversifying their approach, using open-source JavaScript libraries like polyfill.io to launch supply chain attacks, which redirected users to platforms advertising illicit gambling.

This report acknowledges contributions from Information Security Media Group’s David Perera based in Northern Virginia.
