{"id":1654,"date":"2025-01-31T03:05:08","date_gmt":"2025-01-31T03:05:08","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/01\/31\/infrastructure-laundering-blending-in-with-the-cloud\/"},"modified":"2025-01-31T03:05:08","modified_gmt":"2025-01-31T03:05:08","slug":"infrastructure-laundering-blending-in-with-the-cloud","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/01\/31\/infrastructure-laundering-blending-in-with-the-cloud\/","title":{"rendered":"Infrastructure Laundering: Blending in with the Cloud"},"content":{"rendered":"<div>\n<div id=\"attachment_70230\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-70230\" decoding=\"async\" class=\" wp-image-70230\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/funnell-ss.png?resize=749%2C452&#038;ssl=1\" alt=\"\" width=\"749\" height=\"452\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/funnell-ss.png 1319w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/funnell-ss-768x463.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/funnell-ss-782x472.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-70230\" class=\"wp-caption-text\">Image: Shutterstock, ArtHead.<\/p>\n<\/div>\n<p>In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. 
Research published this week on one such outfit \u2014 a sprawling network tied to Chinese organized crime gangs and aptly named \u201c<strong>Funnull<\/strong>\u201d \u2014 highlights a persistent whac-a-mole problem facing cloud services.<\/p>\n<p>In October 2024, the security firm <strong>Silent Push<\/strong> published a <a href=\"https:\/\/www.silentpush.com\/blog\/triad-nexus-funnull\/\" target=\"_blank\" rel=\"noopener\">lengthy analysis<\/a> of how <strong>Amazon AWS<\/strong> and <strong>Microsoft Azure<\/strong> were providing services to Funnull, a two-year-old Chinese content delivery network that hosts a wide variety of fake trading apps, <a href=\"https:\/\/krebsonsecurity.com\/2022\/07\/massive-losses-define-epidemic-of-pig-butchering\/\" target=\"_blank\" rel=\"noopener\">pig butchering scams<\/a>, gambling websites, and retail phishing pages.<\/p>\n<p>Funnull made headlines last summer after it acquired the domain name <strong>polyfill[.]io<\/strong>, previously the home of a widely-used open source code library that allowed older browsers to handle advanced functions that weren\u2019t natively supported. 
There were still tens of thousands of legitimate domains linking to the Polyfill domain at the time of its acquisition, and Funnull soon after <a href=\"https:\/\/arstechnica.com\/security\/2024\/07\/384000-sites-link-to-code-library-caught-performing-supply-chain-attack\/\" target=\"_blank\" rel=\"noopener\">conducted a supply-chain attack that redirected visitors to malicious sites<\/a>.<\/p>\n<p>Silent Push\u2019s October 2024 report found a vast number of domains hosted via Funnull promoting gambling sites that bear the logo of the <strong>Suncity Group<\/strong>, a Chinese entity named in <a href=\"https:\/\/www.unodc.org\/roseap\/uploads\/documents\/Publications\/2024\/Casino_Underground_Banking_Report_2024.pdf\" target=\"_blank\" rel=\"noopener\">a 2024 UN report<\/a> (PDF) for laundering millions of dollars for the North Korean <a href=\"https:\/\/en.wikipedia.org\/wiki\/Lazarus_Group\" target=\"_blank\" rel=\"noopener\">Lazarus Group<\/a>.<\/p>\n<p>In 2023, Suncity\u2019s CEO was\u00a0<a href=\"https:\/\/www.smh.com.au\/business\/companies\/ex-suncity-boss-alvin-chau-jailed-for-18-years-in-macau-20230118-p5cdmj.html\" target=\"_blank\" rel=\"noopener\">sentenced to 18 years in prison<\/a>\u00a0on charges of fraud, illegal gambling, and \u201c<a href=\"https:\/\/en.wikipedia.org\/wiki\/Triad_(organized_crime)\" target=\"_blank\" rel=\"noopener\">triad<\/a>\u00a0offenses,\u201d i.e. working with Chinese transnational organized crime syndicates. Suncity is alleged to have built an underground banking system that\u00a0<a href=\"https:\/\/macaonews.org\/news\/city\/former-suncity-boss-alvin-chau-sentenced-to-18-years-in-prison\/\" target=\"_blank\" rel=\"noopener\">laundered billions of dollars for criminals<\/a>.<\/p>\n<p>It is likely the gambling sites coming through Funnull are abusing top casino brands as part of their money laundering schemes. 
In reporting on Silent Push\u2019s October report, <em>TechCrunch<\/em> <a href=\"https:\/\/techcrunch.com\/2024\/10\/22\/researchers-link-polyfill-supply-chain-attack-to-huge-network-of-copycat-gambling-sites\/\" target=\"_blank\" rel=\"noopener\">obtained<\/a> a comment from Bwin, one of the casinos being advertised en masse through Funnull, and Bwin said those websites did not belong to them.<\/p>\n<p>Gambling is illegal in China except in Macau, a special administrative region of China. Silent Push researchers say Funnull may be helping online gamblers in China evade the Communist party\u2019s \u201cGreat Firewall,\u201d which blocks access to gambling destinations.<\/p>\n<p>Silent Push\u2019s <strong>Zach Edwards<\/strong> said that upon <a href=\"https:\/\/www.silentpush.com\/blog\/infrastructure-laundering\/\" target=\"_blank\" rel=\"noopener\">revisiting Funnull\u2019s infrastructure again this month<\/a>, they found dozens of the same Amazon and Microsoft cloud Internet addresses still forwarding Funnull traffic through a dizzying chain of auto-generated domain names before redirecting to malicious or phishous websites.<\/p>\n<p>Edwards said Funnull is a textbook example of an increasing trend Silent Push calls \u201cinfrastructure laundering,\u201d wherein crooks selling cybercrime services will relay some or all of their malicious traffic through U.S. cloud providers.<\/p>\n<p>\u201cIt\u2019s crucial for global hosting companies based in the West to wake up to the fact that extremely low quality and suspicious web hosts based out of China are deliberately renting IP space from multiple companies and then mapping those IPs to their criminal client websites,\u201d Edwards told KrebsOnSecurity. 
\u201cWe need these major hosts to create internal policies so that if they are renting IP space to one entity, who further rents it to host numerous criminal websites, all of those IPs should be reclaimed and the CDN who purchased them should be banned from future IP rentals or purchases.\u201d<\/p>\n<div id=\"attachment_70232\" style=\"width: 760px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70232\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-70232\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/suncity-funnull.png?resize=750%2C370&#038;ssl=1\" alt=\"\" width=\"750\" height=\"370\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/suncity-funnull.png 958w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/suncity-funnull-768x379.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/suncity-funnull-782x386.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/p>\n<p id=\"caption-attachment-70232\" class=\"wp-caption-text\">A Suncity gambling site promoted via Funnull. The sites feature a prompt for a Tether\/USDT deposit program.<\/p>\n<\/div>\n<p>Reached for comment, Amazon referred this reporter to a statement Silent Push included in <a href=\"https:\/\/www.silentpush.com\/blog\/infrastructure-laundering\" target=\"_blank\" rel=\"noopener\">a report released today<\/a>. Amazon said AWS was already aware of the Funnull addresses tracked by Silent Push, and that it had suspended all known accounts linked to the activity.<\/p>\n<p>Amazon said that contrary to implications in the Silent Push report, it has every reason to aggressively police its network against this activity, noting the accounts tied to Funnull used \u201cfraudulent methods to temporarily acquire infrastructure, for which it never pays. 
Thus, AWS incurs damages as a result of the abusive activity.\u201d<\/p>\n<p>\u201cWhen AWS\u2019s automated or manual systems detect potential abuse, or when we receive reports of potential abuse, we act quickly to investigate and take action to stop any prohibited activity,\u201d Amazon\u2019s statement continues. \u201cIn the event anyone suspects that AWS resources are being used for abusive activity, we encourage them to report it to AWS Trust &amp; Safety using the <a href=\"https:\/\/support.aws.amazon.com\/#\/contacts\/report-abuse\" target=\"_blank\" rel=\"noopener\">report abuse form<\/a>. In this case, the authors of the report never notified AWS of the findings of their research via our easy-to-find security and abuse reporting channels. Instead, AWS first learned of their research from a journalist to whom the researchers had provided a draft.\u201d<\/p>\n<p>Microsoft likewise said it takes such abuse seriously, and encouraged others to report suspicious activity found on its network.<\/p>\n<p>\u201cWe are committed to protecting our customers against this kind of activity and actively enforce acceptable use policies when violations are detected,\u201d Microsoft said in a written statement. \u201cWe encourage <a href=\"https:\/\/protect.checkpoint.com\/v2\/r01\/___https:\/\/msrc.microsoft.com\/report\/___.YzJ1OndlY29tbXVuaWNhdGlvbnM6YzpvOjQwMWQyNWE1OWIxMDNiNWUyZGQ5ZmY2MmZiYTMxMTNiOjc6NDRlNzoyZDg4NzY5MmI4MGVmYWY2M2NmZWVjOGMxMjhkNTRhYjhmODc4Mzk3MjJkYjdkMTEzMjk0MDdmMzA4NDUxNDczOmg6VDpG\" target=\"_blank\" rel=\"noopener\">reporting<\/a> suspicious activity to Microsoft so we can investigate and take appropriate actions.\u201d<span id=\"more-70065\"><\/span><\/p>\n<p><strong>Richard Hummel<\/strong> is threat intelligence lead at <strong>NETSCOUT<\/strong>. 
Hummel said it used to be that \u201cnoisy\u201d and frequently disruptive malicious traffic \u2014 such as automated application layer attacks, and \u201cbrute force\u201d efforts to crack passwords or find vulnerabilities in websites \u2014 came mostly from botnets, or large collections of hacked devices.<\/p>\n<p>But he said the vast majority of the infrastructure used to funnel this type of traffic is now proxied through major cloud providers, which can make it difficult for organizations to block at the network level.<\/p>\n<p>\u201cFrom a defender\u2019s point of view, you can\u2019t wholesale block cloud providers, because a single IP can host thousands or tens of thousands of domains,\u201d Hummel said.<\/p>\n<p>In May 2024, KrebsOnSecurity published <a href=\"https:\/\/krebsonsecurity.com\/2024\/05\/stark-industries-solutions-an-iron-hammer-in-the-cloud\/\" target=\"_blank\" rel=\"noopener\">a deep dive on Stark Industries Solutions<\/a>, an ISP that materialized at the start of Russia\u2019s invasion of Ukraine and has been used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia. Experts said much of the malicious traffic traversing Stark\u2019s network (e.g. vulnerability scanning and password brute force attacks) was being bounced through U.S.-based cloud providers.<\/p>\n<p>Stark\u2019s network has been a favorite of the Russian hacktivist group called <strong>NoName057(16)<\/strong>, which frequently launches huge distributed denial-of-service (DDoS) attacks against a variety of targets seen as opposed to Moscow. Hummel said NoName\u2019s history suggests they are adept at cycling through new cloud provider accounts, making anti-abuse efforts into a game of whac-a-mole.<\/p>\n<p>\u201cIt almost doesn\u2019t matter if the cloud provider is on point and takes it down because the bad guys will just spin up a new one,\u201d he said. 
\u201cEven if they\u2019re only able to use it for an hour, they\u2019ve already done their damage. It\u2019s a really difficult problem.\u201d<\/p>\n<p>Edwards said Amazon declined to specify whether the banned Funnull users were operating using compromised accounts or stolen payment card data, or something else.<\/p>\n<p>\u201cI\u2019m surprised they wanted to lean into \u2018We\u2019ve caught this 1,200+ times and have taken these down!\u2019 and yet didn\u2019t connect that each of those IPs was mapped to [the same] Chinese CDN,\u201d he said. \u201cWe\u2019re just thankful Amazon confirmed that account mules are being used for this and it isn\u2019t some front-door relationship. We haven\u2019t heard the same thing from Microsoft but it\u2019s very likely that the same thing is happening.\u201d<\/p>\n<p>Funnull wasn\u2019t always a bulletproof hosting network for scam sites. Prior to 2022, the network was known as <strong>Anjie CDN<\/strong>, based in the Philippines. One of Anjie\u2019s properties was a website called <strong>funnull[.]app<\/strong>. 
Loading that domain reveals a pop-up message by the original Anjie CDN owner, who said their operations had been seized by an entity known as <strong>Fangneng CDN<\/strong> and <strong>ACB Group<\/strong>, the parent company of Funnull.<\/p>\n<div id=\"attachment_70228\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70228\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-70228\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/funnull-app.png?resize=749%2C533&#038;ssl=1\" alt=\"\" width=\"749\" height=\"533\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/funnull-app.png 1079w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/funnull-app-768x546.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/funnull-app-782x556.png 782w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/funnull-app-100x70.png 100w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-70228\" class=\"wp-caption-text\">A machine-translated message from the former owner of Anjie CDN, a Chinese content delivery network that is now Funnull.<\/p>\n<\/div>\n<p>\u201cAfter I got into trouble, the company was managed by my family,\u201d the message explains. \u201cBecause my family was isolated and helpless, they were persuaded by villains to sell the company. Recently, many companies have contacted my family and threatened them, believing that Fangneng CDN used penetration and mirroring technology through customer domain names to steal member information and financial transactions, and stole customer programs by renting and selling servers. This matter has nothing to do with me and my family. Please contact Fangneng CDN to resolve it.\u201d<\/p>\n<p>In January 2024, the <strong>U.S. 
Department of Commerce<\/strong> issued <a href=\"https:\/\/www.federalregister.gov\/documents\/2024\/01\/29\/2024-01580\/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious\" target=\"_blank\" rel=\"noopener\">a proposed rule<\/a> that would require cloud providers to create a \u201cCustomer Identification Program\u201d that includes procedures to collect data sufficient to determine whether each potential customer is a foreign or U.S. person.<\/p>\n<p>According to the law firm <strong>Crowell &amp; Moring LLP<\/strong>, the Commerce rule also would require \u201cinfrastructure as a service\u201d (IaaS) providers to report knowledge of any transactions with foreign persons that might allow the foreign entity to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.<\/p>\n<p>\u201cThe proposed rulemaking has garnered global attention, as its cross-border data collection requirements are unprecedented in the cloud computing space,\u201d Crowell <a href=\"https:\/\/www.crowell.com\/en\/insights\/client-alerts\/who-iaas-your-foreign-customer-department-of-commerce-proposes-foreign-customer-identification-requirements-for-us-iaas-providers\" target=\"_blank\" rel=\"noopener\">wrote<\/a>. \u201cTo the extent the U.S. alone imposes these requirements, there is concern that U.S. IaaS providers could face a competitive disadvantage, as U.S. allies have not yet announced similar foreign customer identification requirements.\u201d<\/p>\n<p>It remains unclear if the new White House administration will push forward with the requirements. 
The Commerce action was mandated as part of an executive order President Trump issued a day before leaving office in January 2021.<\/p>\n<\/div>\n<p>Brian Krebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/01\/infrastructure-laundering-blending-in-with-the-cloud\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Infrastructure Laundering: Blending in with the Cloud Image: Shutterstock, ArtHead. In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit \u2014 a sprawling network [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,663,664,665,666,667,668,669,55,670,190,671,672,673,674,446,675,178,676,370,448],"tags":[72],"class_list":["post-1654","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-acb-group","category-amazon-aws","category-anjie-cdn","category-crowell-moring-llp","category-fangneng-cdn","category-funnull","category-infrastructure-laundering","category-krebsonsecurity","category-microsoft-azure","category-neer-do-well-news","category-netscout","category-noname05716","category-polyfill","category-richard-hummel","category-silent-push","category-suncity-group","category-time-to-patch","category-u-s-department-of-commerce","category-web-fraud-2-0","category-zach-edwards","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1654"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serise
c.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1654"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1654\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}