FUNNULL Uses Amazon and Microsoft Cloud to Hide Malicious Infrastructure
A sophisticated threat network called “Triad Nexus” operates through the FUNNULL content delivery network (CDN) to hide malicious infrastructure inside major Western cloud providers, including Amazon and Microsoft.
The operation, led by the sanctioned individual Lizhi Liu, has facilitated over $200 million in losses to U.S. victims through investment fraud schemes.
Silent Push threat analysts have identified “infrastructure laundering” as FUNNULL’s primary method of concealing malicious operations.
The technique involves systematically abusing Western cloud providers: accounts are acquired illicitly, and the IP addresses those accounts provide are rapidly rotated into the FUNNULL infrastructure network.
The approach lets the threat actors host fraudulent websites at no cost to themselves, and the trusted reputation of the Western providers’ IP space helps the sites evade detection.
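The signature of the laundering pattern described above is a hostname that cycles through many addresses, drawn from several different cloud providers, in a short time. The script below is an added example of how a defender could flag that pattern in passive-DNS data; it is not code from Silent Push or from the report, and everything in it is constructed: the provider prefixes are RFC 5737 documentation ranges standing in for real Amazon/Microsoft allocations, the passive-DNS lines are made up (hostnames under the reserved example domains, not real indicators), and the thresholds `window`, `min_ips` and `min_providers` are hypothetical starting points to tune against your own data.

```python
"""Flag hostnames whose resolved IPs churn rapidly across multiple cloud providers.

Added example (not Silent Push code). Provider prefixes and pDNS records are
constructed stand-ins; thresholds are hypothetical and meant to be tuned.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in prefixes using RFC 5737 documentation ranges. They are NOT
# Amazon's or Microsoft's real allocations; in production, load the providers'
# published IP-range feeds into this map instead.
PROVIDER_PREFIXES = {
    "cloud-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cloud-b": [ipaddress.ip_network("198.51.100.0/24")],
    "cloud-c": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed passive-DNS observations: "<first_seen> <hostname> <ip>".
# invest.example.com rotates across three providers (the laundering pattern),
# www.example.net is static, cdn.example.org churns but within one provider.
SAMPLE_PDNS = """\
2025-06-01T08:00:00 invest.example.com 192.0.2.10
2025-06-01T20:00:00 invest.example.com 198.51.100.7
2025-06-02T09:30:00 invest.example.com 203.0.113.44
2025-06-03T11:00:00 invest.example.com 192.0.2.200
2025-06-04T02:15:00 invest.example.com 198.51.100.99
2025-06-01T10:00:00 www.example.net 203.0.113.5
2025-06-20T10:00:00 www.example.net 203.0.113.5
2025-06-01T10:00:00 cdn.example.org 192.0.2.1
2025-06-02T10:00:00 cdn.example.org 192.0.2.2
2025-06-03T10:00:00 cdn.example.org 192.0.2.3
2025-06-04T10:00:00 cdn.example.org 192.0.2.4
2025-06-05T10:00:00 cdn.example.org 192.0.2.5
"""


@dataclass(frozen=True)
class PdnsRecord:
    first_seen: datetime
    hostname: str
    ip: str


def parse_pdns(text: str) -> list[PdnsRecord]:
    """Parse whitespace-separated pDNS lines; skip blanks/comments, reject bad IPs."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, ip = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        records.append(PdnsRecord(datetime.fromisoformat(ts), host.lower().rstrip("."), ip))
    return records


def provider_for(ip: str) -> str:
    """Map an address to the provider whose prefix contains it, or 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in PROVIDER_PREFIXES.items():
        if any(addr in net for net in nets):
            return name
    return "other"


def churn_report(records, window=timedelta(days=7), min_ips=4, min_providers=2):
    """Return {hostname: (distinct_ips, providers)} for hostnames that resolved to
    at least min_ips distinct addresses spanning min_providers providers within
    any sliding window of the given length."""
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec.hostname].append(rec)
    flagged = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r.first_seen)
        best_ips, best_providers = set(), set()
        for i, start in enumerate(recs):
            ips, providers = set(), set()
            for rec in recs[i:]:  # records are sorted, so stop once outside the window
                if rec.first_seen - start.first_seen > window:
                    break
                ips.add(rec.ip)
                providers.add(provider_for(rec.ip))
            if len(ips) > len(best_ips):
                best_ips, best_providers = ips, providers
        if len(best_ips) >= min_ips and len(best_providers) >= min_providers:
            flagged[host] = (len(best_ips), tuple(sorted(best_providers)))
    return flagged


if __name__ == "__main__":
    for host, (count, providers) in churn_report(parse_pdns(SAMPLE_PDNS)).items():
        print(f"{host}: {count} IPs across {', '.join(providers)} within 7 days")
```

Requiring both a high distinct-IP count and more than one provider is deliberate: a legitimate service autoscaling inside a single cloud (the `cdn.example.org` case) churns addresses too, but it does not hop between providers the way laundered capacity does. Feed the function your own passive-DNS export and the providers’ real published ranges, and treat hits as leads for the kind of account-level review the report calls for, not as automatic blocks.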
The Treasury Department and FBI issued joint advisories in May 2025, announcing that FUNNULL and its administrator Lizhi Liu were added to the U.S. sanctions list due to their support of scam investment sites.
The username “bmchaoshi” is exclusive to this website, but it appears to be an early Liu persona.
Despite these sanctions, Liu continues to maintain active accounts across multiple major Western services, including Google, Microsoft, Meta, and other platforms, raising compliance concerns for enterprise organizations.
FUNNULL has been linked to the majority of virtual currency investment scam websites reported to the FBI, with the average individual loss reaching $150,000 per victim.
The network’s connection to Huione Pay, part of the Huione Group that FinCEN recently identified as a “financial institution of primary money laundering concern,” shows how deeply FUNNULL is embedded in this criminal ecosystem.
Western Service Accounts
Research reveals that Liu, also known as “Steve/Steven” Liu, maintains extensive digital footprints across Western platforms despite U.S. Treasury sanctions.
Shanghai Zhiyan was founded in 2012 and is a network service agency focusing on high-end website construction and brand communication.
![Example of the domain “zylinkus[.]com”](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-15-domain-zylinkus-com.png)
The zylinkus[.]com website embeds a “Tawk[.]to” chat widget to provide chat services for visitors.
Silent Push analysts identified active accounts on X/Twitter, GitHub and LinkedIn (both Microsoft), Facebook (Meta), Google services, Medium, PayPal, WordPress, and numerous other platforms.
Notably, Liu continues actively using his Facebook account to update a group about Ganzhou, China, making posts and content changes as recently as June 2025, weeks after sanctions were issued.
This ongoing activity highlights the mixed response from technology companies to U.S. Treasury sanctions, with Google appearing to be one of the few companies that have tracked and taken action against Liu’s accounts by removing his YouTube channel.
The 41-year-old developer from China has maintained a visible online presence since 2010, operating under various personas including “chinawolfs,” “zylinkus,” and “phpedu”.
![Liu’s blog “models[.]net[.]cn/new-blog-start/”](https://www.silentpush.com/wp-content/uploads/funnull-admin-image-9-models-net-new-blog.png)
His technical expertise spans full-stack development, cloud computing, and DNS systems, making him well-positioned to orchestrate the sophisticated infrastructure laundering operations.
Ongoing Threat Monitoring
The report emphasizes that defenders must remain alert and ready to block FUNNULL-linked accounts and infrastructure across their networks.
Brian Krebs collaborated with Silent Push on research confirming that enterprise companies are responding to U.S. Treasury sanctions inconsistently: not every company has banned the accounts or taken other significant action.
This creates challenges for organizations attempting to maintain compliance with sanctions frameworks while addressing ongoing threats.
Silent Push continues investigating the FUNNULL CDN and related Triad Nexus threat actors, providing enterprise customers with specialized reporting on these evolving threats.
Organizations are encouraged to review their services for potential connections to sanctioned entities and take appropriate termination actions to ensure compliance with U.S. Treasury regulations.