A Philippine-based company accused of enabling large-scale crypto fraud has been formally sanctioned by the U.S. Treasury.
The U.S. Treasury Department has sanctioned tech company Funnull for allegedly providing infrastructure used in widespread online fraud schemes known as pig butchering scams. According to the Treasury’s Office of Foreign Assets Control (OFAC), Funnull is linked to the majority of crypto investment scam websites reported to the FBI, with estimated losses totaling $200 million and an average victim loss of $150,000.
These scams typically involve fraudsters building fake romantic relationships online to lure victims into investing in fake crypto projects. Many of the scam websites impersonated legitimate financial services using tools and domains allegedly created and hosted by Funnull.
Funnull, which is based in the Philippines and operated by Chinese national Liu Lizhi (also sanctioned), provided services such as domain name registration, IP hosting, and website templates tailored for fraudulent use. The Treasury notes that these tools allowed scammers to easily replicate trusted financial brands and rotate between domains quickly to evade takedowns.
Funnull was also linked to a major supply chain attack involving the Polyfill JavaScript service, commonly used by web developers. According to cybersecurity firm Silent Push, Funnull acquired the Polyfill codebase and modified it to redirect users to gambling and scam websites, some allegedly tied to Chinese money laundering operations.
The FBI released a parallel alert to raise public awareness about these scams and how they are being deployed at scale using tech infrastructure.
Silent Push researcher Zach Edwards, who helped uncover Funnull's activities in 2024, welcomed the sanctions and confirmed the findings align with the firm's earlier reporting. “It’s encouraging that the Treasury has taken actions against the largest pig butchering and money laundering network targeting people in the U.S.,” said Edwards, while also noting that broader action is needed to address the full scope of international financial fraud.
The Treasury stated that Funnull’s tactics, including impersonation, fast domain switching, and code tampering, make scam sites harder to detect and dismantle, contributing to the growing threat of tech-enabled fraud.
The term comes from the practice of slowly "fattening" the victim, building trust over time before the scammer "butchers" them by convincing them to make a large, fraudulent investment.
Services such as domain registration, IP hosting, and site templates make it easier for scammers to create convincing websites, hide their identities, and quickly recover from takedowns.
The Polyfill attack involved injecting malicious redirects into JavaScript code used by thousands of websites. It’s a form of supply chain compromise that impacts users indirectly via trusted software.
Sanctions freeze any U.S.-based assets tied to Funnull or its operator and prohibit U.S. entities from doing business with them. It also signals global financial institutions to avoid these actors.
Yes. Victims and observers can report crypto scams to the FBI’s Internet Crime Complaint Center (IC3) or directly to platforms like the FTC or SEC, depending on the nature of the fraud.