Big Tech’s Mixed Response to U.S. Treasury Sanctions – Krebs on Security


In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of cryptocurrency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies, including Facebook, GitHub, PayPal and Twitter/X.

On May 29, the U.S. Department of the Treasury announced economic sanctions against Funnull Technology Inc., a Philippines-based company alleged to provide infrastructure for hundreds of thousands of websites involved in cryptocurrency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was designed as a content delivery network that catered to foreign cybercriminals seeking to route their traffic through U.S.-based cloud providers.

The Treasury also sanctioned Funnull’s alleged operator, a 40-year-old Chinese national named Liu “Steve” Lizhi. The government says Funnull directly facilitated financial schemes resulting in more than $200 million in financial losses by Americans, and that the company’s operations were linked to the majority of pig butchering scams reported to the FBI.

It is generally illegal for U.S. companies or individuals to transact with people sanctioned by the Treasury. However, as Mr. Lizhi’s case makes clear, just because someone is sanctioned doesn’t necessarily mean big tech companies are going to suspend their online accounts.

The government says Lizhi was born November 13, 1984, and used the nicknames “XXL4” and “Nice Lizhi.” Nevertheless, Steve Liu’s 17-year-old account on LinkedIn (under the name “Liulizhi”) had hundreds of followers (Lizhi’s LinkedIn profile helpfully confirms his birthday) until quite recently: The account was deleted this morning, just hours after KrebsOnSecurity sought comment from LinkedIn.

Mr. Lizhi’s LinkedIn account was suspended sometime in the last 24 hours, after KrebsOnSecurity sought comment from LinkedIn.

In an emailed response, a LinkedIn spokesperson said the company’s “Prohibited countries policy” states that LinkedIn “does not sell, license, support or otherwise make available its Premium accounts or other paid products and services to individuals and companies sanctioned by the U.S. government.” LinkedIn declined to say whether the profile in question was a premium or free account.

Mr. Lizhi also maintains a working PayPal account under the name Liu Lizhi and username “@nicelizhi,” another nickname listed in the Treasury sanctions. PayPal did not respond to a request for comment. A 15-year-old Twitter/X account named “Lizhi” that links to Mr. Lizhi’s personal domain remains active, although it has few followers and hasn’t posted in years.

These accounts and many others were flagged by the security firm Silent Push, which has been tracking Funnull’s operations for the past year and calling out U.S. cloud providers like Amazon and Microsoft for failing to more quickly sever ties with the company.

Liu Lizhi’s PayPal account.

In a report released today, Silent Push found Lizhi still operates numerous Facebook accounts and groups, including a private Facebook account under the name Liu Lizhi. Another Facebook account clearly associated with Lizhi is a tourism page for Ganzhou, China called “EnjoyGanzhou” that was named in the Treasury Department sanctions.

“This guy is the technical administrator for the infrastructure that is hosting a majority of scams targeting people in the United States, and hundreds of millions have been lost based on the websites he’s been hosting,” said Zach Edwards, senior threat researcher at Silent Push. “It’s crazy that the vast majority of big tech companies haven’t done anything to cut ties with this guy.”

The FBI says it received nearly 150,000 complaints last year involving digital assets and $9.3 billion in losses, a 66 percent increase from the previous year. Investment scams were the top crypto-related crimes reported, with $5.8 billion in losses.

In a statement, a Meta spokesperson said the company continually takes steps to meet its legal obligations, but that sanctions laws are complex and varied. They explained that sanctions are often targeted in nature and don’t always prohibit people from having a presence on its platform. Nevertheless, Meta confirmed it had removed the account, unpublished Pages, and removed Groups and events associated with the user for violating its policies.

Attempts to reach Mr. Lizhi via his primary email addresses at Hotmail and Gmail bounced as undeliverable. Likewise, his 14-year-old YouTube channel appears to have been taken down recently.

However, anyone interested in viewing or using Mr. Lizhi’s 146 computer code repositories will have no trouble finding GitHub accounts for him, including one registered under the NiceLizhi and XXL4 nicknames mentioned in the Treasury sanctions.

One of several GitHub profiles used by Liu “Steve” Lizhi, who uses the nickname XXL4 (a moniker listed in the Treasury sanctions for Mr. Lizhi).

Mr. Lizhi also operates a GitHub page for an open source e-commerce platform called NexaMerchant, which advertises itself as a payment gateway working with numerous American financial institutions. Interestingly, this profile’s “followers” page shows several other accounts that appear to be Mr. Lizhi’s. All of the account’s followers are tagged as “suspended,” although that suspended message does not display when one visits those individual profiles.

In response to questions, GitHub said it has a process in place to identify when users and customers are Specially Designated Nationals or other denied or blocked parties, but that it locks these accounts instead of removing them. According to its policy, GitHub takes care that users and customers aren’t impacted beyond what is required by law.

All of the follower accounts for the XXL4 GitHub account appear to be Mr. Lizhi’s, and have been suspended by GitHub, but their code is still accessible.

“This includes keeping public repositories, including those for open source projects, available and accessible to support personal communications involving developers in sanctioned regions,” the policy states. “This also means GitHub will advocate for developers in sanctioned regions to enjoy greater access to the platform and full access to the global open source community.”

Edwards said it’s great that GitHub has a process for handling sanctioned accounts, but that the process doesn’t seem to communicate risk in a transparent way, noting that the only indicator on the locked accounts is the message, “This repository has been archived by the owner. It is not read-only.”

“It’s an odd message that doesn’t communicate, ‘This is a sanctioned entity, don’t fork this code or use it in a production environment’,” Edwards said.

Mark Rasch is a former federal cybercrime prosecutor who now serves as counsel for the New York City based security consulting firm Unit 221B. Rasch said when Treasury’s Office of Foreign Assets Control (OFAC) sanctions a person or entity, it then becomes illegal for businesses or organizations to transact with the sanctioned party.

Rasch said financial institutions have very mature systems for severing accounts tied to people who become subject to OFAC sanctions, but that tech companies may be far less proactive, particularly with free accounts.

“Banks have established ways of checking [U.S. government sanctions lists] for sanctioned entities, but tech companies don’t necessarily do a good job with that, especially for services that you can just click and sign up for,” Rasch said. “It’s potentially a risk and liability for the tech companies involved, but only to the extent OFAC is willing to enforce it.”

Liu Lizhi operates numerous Facebook accounts and groups, including this one for an entity specified in the OFAC sanctions: The “Enjoy Ganzhou” tourism page for Ganzhou, China. Image: Silent Push.

In July 2024, Funnull bought the domain polyfill[.]io, the longtime home of a legitimate open source project that allowed websites to ensure that devices using legacy browsers could still render content in newer formats. After the Polyfill domain changed hands, at least 384,000 websites were caught in a supply-chain attack that redirected visitors to malicious sites. According to the Treasury, Funnull used the code to redirect people to scam websites and online gambling sites, some of which were linked to Chinese criminal money laundering operations.

The U.S. government says Funnull provides domain names for websites on its purchased IP addresses, using domain generation algorithms (DGAs), programs that generate large numbers of similar but unique names for websites, and that it sells web design templates to cybercriminals.

“These services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites, but also allow them to quickly change to different domain names and IP addresses when legitimate providers attempt to take the websites down,” reads a Treasury statement.

Meanwhile, Funnull appears to be morphing nearly all aspects of its business in the wake of the sanctions, Edwards said.

“Whereas before they might have used 60 DGA domains to hide and bounce their traffic, we’re seeing far more now,” he said. “They’re trying to make their infrastructure harder to track and more complicated, so for now they’re not going away but more just changing what they’re doing. And a lot more organizations should be holding their feet to the fire.”

Update, 2:48 PM ET: Added response from Meta, which confirmed it has closed the accounts and groups associated with Mr. Lizhi.
