Source: go.theregister.com – Author: Iain Thomson
The US Treasury has sanctioned a Philippine company and its administrator after linking them to the infrastructure behind the majority of so-called “pig butchering” scams reported to the FBI.
Treasury’s Office of Foreign Assets Control designated Funnull Technology Inc, meaning any property or assets it owns in the US – directly or indirectly, and at 50 percent or more – are now blocked. Designation also means American companies are barred from doing business with the company. Chinese national Liu Lizhi, named as the site’s admin, was also sanctioned by the Treasury.
“Liu was involved in and possessed spreadsheets and other documents containing information about Funnull’s employees, their performance, and their progress on tasks,” the Feds said. “These tasks included assigning domain names to cybercriminals, including domains associated with virtual currency investment fraud, phishing scams, and online gambling sites.”
Pig butchering scams see scammers contact a victim and earn their trust through social engineering, typically involving romantic come-ons. That phase of the scam is known as fattening the pig.
The scammer next convinces the target to invest in a fraudulent investment scheme, often involving cryptocurrency. Over a long period of time the scammer gradually drains their funds – the slaughtering phase. Once the money runs out, the scammers typically cut off contact and vanish.
Interpol prefers the term “romance baiting” because of its less pejorative description of the victims. Whatever you call it, the technique is growing in popularity among criminals, particularly in Asia. AI is also playing an increasing role, with Sophos telling us crims use bots in the early stages of campaigns before a human butcher takes over.
On Thursday, the Treasury Department accused Funnull and its administrator of facilitating infrastructure used in scams that led to over $200 million in reported losses by US victims, with average losses exceeding $150,000 per person. The feds said it was linked to “the majority of virtual currency investment scam websites reported to the FBI.”
“Today’s action underscores our focus on disrupting the criminal enterprises, like Funnull, that enable these cyber scams and deprive Americans of their hard-earned savings,” said Deputy Secretary of the Treasury Michael Faulkender in a statement.
“The United States is strongly committed to ensuring the continued growth of a legitimate, safe, and secure digital asset ecosystem, including the use of virtual currencies and similar technologies.”
At the same time as the Treasury made its announcement, the FBI issued its own alert about Funnull, accusing it of acquiring IP addresses and internet infrastructure from legitimate US providers, and then reselling them to cybercriminals who use them to host fraudulent websites. The feds said that, since January 2025, they have identified 548 unique Funnull Canonical Name (CNAME) records linked to over 332,000 domains tied to cryptocurrency investment scams. You can download the full list here.
“Domain name system (DNS) providers, Internet service providers, web browser manufacturers, and safe browsing aggregators should take note of the Funnull infrastructure and increase the risk metric for domains hosted on this infrastructure. If the provider has a mechanism to return a risk warning to the end user, it is recommended that they do so,” the FBI advised in a warning [PDF] to businesses.
“End users should be aware that a HTTPS or green lock icon does not indicate a specific website is trustworthy. End users should also be aware that scam websites often imitate legitimate websites.”
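An added example, not taken from the article or the FBI alert, of the check the advisory asks DNS and safe-browsing operators to make: follow each domain's CNAME chain and flag it when any hop is a listed CNAME. The indicator names, domains and log records are constructed placeholders; the real values come from the FBI list.

```python
# Constructed placeholder indicators. The real CNAME values are in the FBI
# list, which is not reproduced here.
FLAGGED_CNAMES = {"edge1.flagged-cdn.example", "edge2.flagged-cdn.example"}

# Constructed resolver-log records: (query name, record type, answer).
SAMPLE_RECORDS = [
    ("invest-coin.example", "CNAME", "lb.tenant-7.example."),
    ("lb.tenant-7.example", "CNAME", "Edge1.Flagged-CDN.example."),
    ("edge1.flagged-cdn.example", "A", "192.0.2.10"),
    ("shop.example", "CNAME", "shop.hosting.example."),
    ("shop.hosting.example", "A", "198.51.100.7"),
    ("loop-a.example", "CNAME", "loop-b.example."),
    ("loop-b.example", "CNAME", "loop-a.example."),
]

def norm(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()

def build_cname_map(records):
    """Map each queried name to its CNAME target, ignoring other record types."""
    return {norm(q): norm(a) for q, rtype, a in records if rtype.upper() == "CNAME"}

def cname_chain(domain, cname_map, max_depth=8):
    """Follow CNAMEs from domain, stopping on a loop or after max_depth hops."""
    chain, seen, cur = [], {norm(domain)}, norm(domain)
    while cur in cname_map and len(chain) < max_depth:
        cur = cname_map[cur]
        chain.append(cur)
        if cur in seen:  # CNAME loop: stop instead of spinning
            break
        seen.add(cur)
    return chain

def scan(records, flagged=FLAGGED_CNAMES):
    """Return a per-domain verdict: the chain followed and any listed hop."""
    cmap = build_cname_map(records)
    flagged = {norm(f) for f in flagged}
    results = {}
    for domain in sorted(cmap):
        chain = cname_chain(domain, cmap)
        hits = [hop for hop in chain if hop in flagged]
        results[domain] = {"chain": chain, "matched": hits, "flagged": bool(hits)}
    return results

if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_RECORDS).items():
        print(domain, "FLAGGED" if verdict["flagged"] else "ok", verdict["chain"])
```

Matching on every hop rather than only the first answer matters because a customer domain can reach listed infrastructure through an intermediate alias.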
You may remember Funnull after its involvement in last year’s Polyfill scandal. In February, Funnull bought the site, which originally offered downloadable JavaScript code that could be used with older browsers. Soon after, security researchers discovered the service had been modified to inject malicious scripts into websites, redirecting users to scam and gambling sites. Its domain registrar eventually shut the site down, even as the new owner insisted that nothing untoward was going on.
While the FBI information is useful for network administrators, and the Treasury sanctions might inconvenience the company, there’s very little else that can be done to rein these kinds of scammers in. Last month, the UN Office on Drugs and Crime issued a report on the growing dominance of Southeast Asia in the cyber fraud field and admitted that the trade was proving difficult to stop.
“It spreads like a cancer,” Benedikt Hofmann, UNODC Acting Regional Representative for Southeast Asia and the Pacific, said in a release.
“Authorities treat it in one area, but the roots never disappear; they simply migrate. This has resulted in a situation in which the region has essentially become an interconnected ecosystem, driven by sophisticated syndicates freely exploiting vulnerabilities, jeopardizing state sovereignty, and distorting and corrupting policy-making processes and other government systems and institutions.” ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/05/30/fbi_treasury_funnull_sanctions/