{"id":5095,"date":"2025-07-04T03:04:19","date_gmt":"2025-07-04T03:04:19","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/04\/big-techs-mixed-response-to-u-s-treasury-sanctions\/"},"modified":"2025-07-04T03:04:19","modified_gmt":"2025-07-04T03:04:19","slug":"big-techs-mixed-response-to-u-s-treasury-sanctions","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/04\/big-techs-mixed-response-to-u-s-treasury-sanctions\/","title":{"rendered":"Big Tech\u2019s Mixed Response to U.S. Treasury Sanctions"},"content":{"rendered":"<div>\n<p>In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies \u2014 including <strong>Facebook<\/strong>, <strong>GitHub<\/strong>, <strong>PayPal<\/strong> and <strong>Twitter\/X<\/strong>.<\/p>\n<p>On May 29, the <strong>U.S. 
Department of the Treasury<\/strong>\u00a0<a href=\"https:\/\/krebsonsecurity.com\/2025\/05\/u-s-sanctions-cloud-provider-funnull-as-top-source-of-pig-butchering-scams\/\" target=\"_blank\" rel=\"noopener\">announced economic sanctions<\/a> against <strong>Funnull Technology Inc.<\/strong>, a Philippines-based company alleged to provide infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as \u201c<a href=\"https:\/\/krebsonsecurity.com\/2022\/07\/massive-losses-define-epidemic-of-pig-butchering\/\" target=\"_blank\" rel=\"noopener\">pig butchering<\/a>.\u201d In January 2025, KrebsOnSecurity detailed how Funnull was designed as a content delivery network that catered to <a href=\"https:\/\/krebsonsecurity.com\/2025\/01\/infrastructure-laundering-blending-in-with-the-cloud\/\" target=\"_blank\" rel=\"noopener\">foreign cybercriminals seeking to route their traffic through U.S.-based cloud providers<\/a>.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-71586\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/lizhisanctions.png?resize=663%2C569&#038;ssl=1\" alt=\"\" width=\"663\" height=\"569\"><\/p>\n<p>The Treasury also sanctioned Funnull\u2019s alleged operator, a 40-year-old Chinese national named <strong>Liu \u201cSteve\u201d Lizhi<\/strong>. The government says Funnull directly facilitated financial schemes resulting in more than $200 million in financial losses by Americans, and that the company\u2019s operations were linked to the majority of pig butchering scams reported to the FBI.<\/p>\n<p>It is generally illegal for U.S. companies or individuals to transact with people sanctioned by the Treasury. However, as Mr. 
Lizhi\u2019s case makes clear, just because someone is sanctioned doesn\u2019t necessarily mean big tech companies are going to suspend their online accounts.<\/p>\n<p>The government says Lizhi was born November 13, 1984, and used the nicknames \u201c<strong>XXL4<\/strong>\u201d and \u201c<strong>Nice Lizhi<\/strong>.\u201d Nevertheless, Steve Liu\u2019s 17-year-old account on LinkedIn (in the name \u201cLiulizhi\u201d) had hundreds of followers (Lizhi\u2019s LinkedIn profile helpfully confirms his birthday) until quite recently: The account was deleted this morning, just hours after KrebsOnSecurity sought comment from LinkedIn.<\/p>\n<div id=\"attachment_71584\" style=\"width: 760px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71584\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-71584\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/linkedin-liu.png?resize=750%2C623&#038;ssl=1\" alt=\"\" width=\"750\" height=\"623\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/linkedin-liu.png 789w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/linkedin-liu-768x638.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/linkedin-liu-782x649.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/p>\n<p id=\"caption-attachment-71584\" class=\"wp-caption-text\">Mr. 
Lizhi\u2019s LinkedIn account was suspended sometime in the last 24 hours, after KrebsOnSecurity sought comment from LinkedIn.<\/p>\n<\/div>\n<p>In an emailed response, a LinkedIn spokesperson said the company\u2019s \u201c<a href=\"https:\/\/www.linkedin.com\/help\/linkedin\/answer\/a1339324\/prohibited-countries-policy?lang=en\" target=\"_blank\" rel=\"noopener\">Prohibited countries policy<\/a>\u201d states that LinkedIn \u201cdoes not sell, license, support or otherwise make available its Premium accounts or other <strong>paid<\/strong> products and services to individuals and companies sanctioned by the U.S. government.\u201d LinkedIn declined to say whether the profile in question was a premium or free account.<\/p>\n<p>Mr. Lizhi also maintains <a href=\"https:\/\/paypal.com\/paypalme\/nicelizhi\" target=\"_blank\" rel=\"noopener\">a working PayPal account<\/a> under the name Liu Lizhi and username \u201c<strong>@nicelizhi<\/strong>,\u201d another nickname listed in the Treasury sanctions. PayPal did not respond to a request for comment. A 15-year-old <a href=\"https:\/\/x.com\/phpedu\/with_replies\" target=\"_blank\" rel=\"noopener\">Twitter\/X account named \u201cLizhi\u201d<\/a> that links to Mr. Lizhi\u2019s personal domain remains active, although it has few followers and hasn\u2019t posted in years.<\/p>\n<p>These accounts and many others were flagged by the security firm <strong>Silent Push<\/strong>, which has been tracking Funnull\u2019s operations for the past year and calling out U.S. 
cloud providers like <strong>Amazon<\/strong> and <strong>Microsoft<\/strong> for failing to more quickly sever ties with the company.<\/p>\n<div id=\"attachment_71588\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71588\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-71588\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/pp-lizhi.png?resize=749%2C471&#038;ssl=1\" alt=\"\" width=\"749\" height=\"471\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/pp-lizhi.png 816w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/pp-lizhi-768x483.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/pp-lizhi-782x492.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-71588\" class=\"wp-caption-text\">Liu Lizhi\u2019s PayPal account.<\/p>\n<\/div>\n<p>In <a href=\"https:\/\/www.silentpush.com\/blog\/funnull-admin-sanctions\/\" target=\"_blank\" rel=\"noopener\">a report<\/a> released today, Silent Push found Lizhi still operates numerous Facebook accounts and groups, including a private Facebook account under the name Liu Lizhi. Another Facebook account clearly connected to Lizhi is a tourism page for Ganzhou, China called \u201c<strong>EnjoyGanzhou<\/strong>\u201d that was named in the Treasury Department sanctions.<\/p>\n<p>\u201cThis guy is the technical administrator for the infrastructure that is hosting a majority of scams targeting people in the United States, and hundreds of millions have been lost based on the websites he\u2019s been hosting,\u201d said <strong>Zach Edwards<\/strong>, senior threat researcher at Silent Push. 
\u201cIt\u2019s crazy that the vast majority of big tech companies haven\u2019t done anything to cut ties with this guy.\u201d<\/p>\n<p>The FBI says it received nearly 150,000 complaints last year involving digital assets and $9.3 billion in losses \u2014 a 66 percent increase from the previous year. Investment scams were the top crypto-related crimes reported, with $5.8 billion in losses.<span id=\"more-71564\"><\/span><\/p>\n<p>In a statement, a Meta spokesperson said the company continuously takes steps to meet its legal obligations, but that sanctions laws are complex and varied. They explained that sanctions are often targeted in nature and don\u2019t always prohibit people from having a presence on its platform. Nevertheless, Meta confirmed it had removed the account, unpublished Pages, and removed Groups and events associated with the user for violating its policies.<\/p>\n<p>Attempts to reach Mr. Lizhi via his primary email addresses at <strong>Hotmail<\/strong> and <strong>Gmail<\/strong> bounced as undeliverable. Likewise, his 14-year-old <strong>YouTube<\/strong> channel appears to have been taken down recently.<\/p>\n<p>However, anyone interested in viewing or using Mr. 
Lizhi\u2019s 146 computer code repositories will have no problem finding GitHub accounts for him, including one registered under the NiceLizhi and XXL4 nicknames mentioned in the Treasury sanctions.<\/p>\n<div id=\"attachment_71587\" style=\"width: 760px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71587\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71587\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/xxl4-github.png?resize=750%2C515&#038;ssl=1\" alt=\"\" width=\"750\" height=\"515\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/xxl4-github.png 1131w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/xxl4-github-768x528.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/xxl4-github-782x538.png 782w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/xxl4-github-100x70.png 100w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/p>\n<p id=\"caption-attachment-71587\" class=\"wp-caption-text\">One of multiple GitHub profiles used by Liu \u201cSteve\u201d Lizhi, who uses the nickname XXL4 (a moniker listed in the Treasury sanctions for Mr. Lizhi).<\/p>\n<\/div>\n<p>Mr. Lizhi also operates a GitHub page for an open source e-commerce platform called <strong>NexaMerchant<\/strong>, which advertises itself as a payment gateway working with numerous American financial institutions. Interestingly, this profile\u2019s <a href=\"https:\/\/www.github.com\/orgs\/NexaMerchant\/follower\" target=\"_blank\" rel=\"noopener\">\u201cfollowers\u201d page<\/a> shows several other accounts that appear to be Mr. Lizhi\u2019s. 
All of the account\u2019s followers are tagged as \u201csuspended,\u201d even though that suspended message does not display when one visits those individual profiles.<\/p>\n<p>In response to questions, GitHub said it has a process in place to identify when users and customers are Specially Designated Nationals or other denied or blocked parties, but that it locks those accounts instead of removing them. According to its policy, GitHub takes care that users and customers aren\u2019t impacted beyond what is required by law.<\/p>\n<div id=\"attachment_71595\" style=\"width: 758px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71595\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71595\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/nexamerchant.png?resize=748%2C493&#038;ssl=1\" alt=\"\" width=\"748\" height=\"493\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/nexamerchant.png 1225w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/nexamerchant-768x507.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/nexamerchant-782x516.png 782w\" sizes=\"(max-width: 748px) 100vw, 748px\"><\/p>\n<p id=\"caption-attachment-71595\" class=\"wp-caption-text\">All of the follower accounts for the XXL4 GitHub account appear to be Mr. Lizhi\u2019s, and have been suspended by GitHub, but their code is still accessible.<\/p>\n<\/div>\n<p>\u201cThis includes keeping public repositories, including those for open source projects, available and accessible to support personal communications involving developers in sanctioned regions,\u201d the policy states. 
\u201cThis also means GitHub will advocate for developers in sanctioned regions to enjoy greater access to the platform and full access to the global open source community.\u201d<\/p>\n<p>Edwards said it\u2019s great that GitHub has a process for handling sanctioned accounts, but that the process doesn\u2019t seem to communicate risk in a transparent way, noting that the only indicator on the locked accounts is the message, \u201cThis repository has been archived by the owner. It is now read-only.\u201d<\/p>\n<p>\u201cIt\u2019s an odd message that doesn\u2019t communicate, \u2018This is a sanctioned entity, don\u2019t fork this code or use it in a production environment\u2019,\u201d Edwards said.<\/p>\n<p><strong>Mark Rasch<\/strong> is a former federal cybercrime prosecutor who now serves as counsel for the New York City-based security consulting firm <strong>Unit 221B<\/strong>. Rasch said when Treasury\u2019s Office of Foreign Assets Control (OFAC) sanctions a person or entity, it then becomes illegal for businesses or organizations to transact with the sanctioned party.<\/p>\n<p>Rasch said financial institutions have very mature systems for severing accounts tied to people who become subject to OFAC sanctions, but that tech companies may be far less proactive \u2014 particularly with free accounts.<\/p>\n<p>\u201cBanks have established ways of checking [U.S. government sanctions lists] for sanctioned entities, but tech companies don\u2019t necessarily do a good job with that, especially for services that you can just click and sign up for,\u201d Rasch said. 
\u201cIt\u2019s potentially a risk and liability for the tech companies involved, but only to the extent OFAC is willing to enforce it.\u201d<\/p>\n<div id=\"attachment_71589\" style=\"width: 783px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71589\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-71589\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/fb-ganzhou.png?resize=773%2C651&#038;ssl=1\" alt=\"\" width=\"773\" height=\"651\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/fb-ganzhou.png 773w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/fb-ganzhou-768x647.png 768w\" sizes=\"(max-width: 773px) 100vw, 773px\"><\/p>\n<p id=\"caption-attachment-71589\" class=\"wp-caption-text\">Liu Lizhi operates numerous Facebook accounts and groups, including this one for an entity specified in the OFAC sanctions: The \u201cEnjoy Ganzhou\u201d tourism page for Ganzhou, China. Image: Silent Push.<\/p>\n<\/div>\n<p>In July 2024, Funnull purchased the domain polyfill[.]io, the longtime home of a legitimate open source project that allowed websites to ensure that devices using legacy browsers could still render content in newer formats. After the Polyfill domain changed hands, at least 384,000 websites were <a href=\"https:\/\/arstechnica.com\/security\/2024\/07\/384000-sites-link-to-code-library-caught-performing-supply-chain-attack\/\" target=\"_blank\" rel=\"noopener\">caught in a supply-chain attack<\/a> that redirected visitors to malicious sites. According to the Treasury, Funnull used the code to redirect people to scam websites and online gambling sites, some of which were linked to Chinese criminal money laundering operations.<\/p>\n<p>The U.S. 
government says Funnull provides domain names for websites on its purchased IP addresses, using domain generation algorithms (DGAs) \u2014 programs that generate large numbers of similar but unique names for websites \u2014 and that it sells web design templates to cybercriminals.<\/p>\n<p>\u201cThese services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites, but also allow them to quickly change to different domain names and IP addresses when legitimate providers attempt to take the websites down,\u201d reads a Treasury statement.<\/p>\n<p>Meanwhile, Funnull appears to be morphing nearly all aspects of its business in the wake of the sanctions, Edwards said.<\/p>\n<p>\u201cWhereas before they might have used 60 DGA domains to hide and bounce their traffic, we\u2019re seeing far more now,\u201d he said. \u201cThey\u2019re trying to make their infrastructure harder to track and more complicated, so for now they\u2019re not going away but more just changing what they\u2019re doing. And a lot more organizations should be holding their feet to the fire.\u201d<\/p>\n<p><strong>Update, 2:48 PM ET: <\/strong>Added response from Meta, which confirmed it has closed the accounts and groups connected to Mr. Lizhi.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    BrianKrebs<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/07\/big-techs-mixed-response-to-u-s-treasury-sanctions\/\">Go to krebsonsecurity<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Big Tech\u2019s Mixed Response to U.S. Treasury Sanctions In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. 
But a new report finds the accused continues to operate a slew of established accounts at American tech [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1478,188,941,1479,899,1480,1481,55,206,1482,1483,1076,190,1484,1485,515,769,483,370,1486,1487,448],"tags":[72],"class_list":["post-5095","post","type-post","status-publish","format-standard","hentry","category-nicelizhi","category-a-little-sunshine","category-facebook","category-funnull-technology-inc","category-github","category-gmail","category-hotmail","category-krebsonsecurity","category-latest-warnings","category-linkedin","category-liu-steve-lizhi","category-mark-rasch","category-neer-do-well-news","category-nexamerchant","category-nice-lizhi","category-paypal","category-twitter","category-unit-221b","category-web-fraud-2-0","category-xxl4","category-youtube","category-zach-edwards","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5095"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5095"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5095\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5095"}],"curies":[{"name":"wp","href":"http
s:\/\/api.w.org\/{rel}","templated":true}]}}