Big Tech’s Mixed Response to U.S. Treasury Sanctions – Krebs on Security

Cyber Defense GO, Cyber Security

by Md Sazzad Hossain, Friday, July 18, 2025


In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies — including Facebook, GitHub, PayPal and Twitter/X.

On May 29, the U.S. Department of the Treasury announced economic sanctions against Funnull Technology Inc., a Philippines-based company alleged to provide infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was designed as a content delivery network that catered to foreign cybercriminals seeking to route their traffic through U.S.-based cloud providers.

The Treasury also sanctioned Funnull’s alleged operator, a 40-year-old Chinese national named Liu “Steve” Lizhi. The government says Funnull directly facilitated financial schemes resulting in more than $200 million in financial losses by Americans, and that the company’s operations were linked to the majority of pig butchering scams reported to the FBI.

It is generally illegal for U.S. companies or individuals to transact with people sanctioned by the Treasury. However, as Mr. Lizhi’s case makes clear, just because someone is sanctioned doesn’t necessarily mean big tech companies are going to suspend their online accounts.

The government says Lizhi was born November 13, 1984, and used the nicknames “XXL4” and “Nice Lizhi.” Nevertheless, Steve Liu’s 17-year-old account on LinkedIn (in the name “Liulizhi”) had hundreds of followers (Lizhi’s LinkedIn profile helpfully confirms his birthday) until quite recently: The account was deleted this morning, just hours after KrebsOnSecurity sought comment from LinkedIn.

Mr. Lizhi’s LinkedIn account was suspended sometime in the last 24 hours, after KrebsOnSecurity sought comment from LinkedIn.

In an emailed response, a LinkedIn spokesperson said the company’s “Prohibited countries policy” states that LinkedIn “does not sell, license, support or otherwise make available its Premium accounts or other paid products and services to individuals and companies sanctioned by the U.S. government.” LinkedIn declined to say whether the profile in question was a premium or free account.

Mr. Lizhi also maintains a working PayPal account under the name Liu Lizhi and username “@nicelizhi,” another nickname listed in the Treasury sanctions. PayPal did not respond to a request for comment. A 15-year-old Twitter/X account named “Lizhi” that links to Mr. Lizhi’s personal domain remains active, although it has few followers and hasn’t posted in years.

These accounts and many others were flagged by the security firm Silent Push, which has been tracking Funnull’s operations for the past year and calling out U.S. cloud providers like Amazon and Microsoft for failing to more quickly sever ties with the company.

Liu Lizhi’s PayPal account.

In a report released today, Silent Push found Lizhi still operates numerous Facebook accounts and groups, including a private Facebook account under the name Liu Lizhi. Another Facebook account clearly associated with Lizhi is a tourism page for Ganzhou, China called “EnjoyGanzhou” that was named in the Treasury Department sanctions.

“This guy is the technical administrator for the infrastructure that’s hosting a majority of scams targeting people in the United States, and hundreds of millions have been lost based on the websites he’s been hosting,” said Zach Edwards, senior threat researcher at Silent Push. “It’s crazy that the vast majority of big tech companies haven’t done anything to cut ties with this guy.”

The FBI says it received nearly 150,000 complaints last year involving digital assets and $9.3 billion in losses — a 66 percent increase from the previous year. Investment scams were the top crypto-related crimes reported, with $5.8 billion in losses.

In a statement, a Meta spokesperson said the company continuously takes steps to meet its legal obligations, but that sanctions laws are complex and varied. They explained that sanctions are often targeted in nature and don’t always prohibit people from having a presence on its platform. Nevertheless, Meta confirmed it had removed the account, unpublished Pages, and removed Groups and events associated with the user for violating its policies.

Attempts to reach Mr. Lizhi via his primary email addresses at Hotmail and Gmail bounced as undeliverable. Likewise, his 14-year-old YouTube channel appears to have been taken down recently.

However, anyone interested in viewing or using Mr. Lizhi’s 146 computer code repositories will have no problem finding GitHub accounts for him, including one registered under the NiceLizhi and XXL4 nicknames mentioned in the Treasury sanctions.

One of several GitHub profiles used by Liu “Steve” Lizhi, who uses the nickname XXL4 (a moniker listed in the Treasury sanctions for Mr. Lizhi).

Mr. Lizhi also operates a GitHub page for an open source e-commerce platform called NexaMerchant, which advertises itself as a payment gateway working with numerous American financial institutions. Interestingly, this profile’s “followers” page shows several other accounts that appear to be Mr. Lizhi’s. All of the account’s followers are tagged as “suspended,” even though that suspended message does not display when one visits those individual profiles.

In response to questions, GitHub said it has a process in place to identify when users and customers are Specially Designated Nationals or other denied or blocked parties, but that it locks those accounts instead of removing them. According to its policy, GitHub takes care that users and customers aren’t impacted beyond what is required by law.

All of the follower accounts for the XXL4 GitHub account appear to be Mr. Lizhi’s, and have been suspended by GitHub, but their code is still accessible.

“This includes keeping public repositories, including those for open source projects, available and accessible to support personal communications involving developers in sanctioned regions,” the policy states. “This also means GitHub will advocate for developers in sanctioned regions to enjoy greater access to the platform and full access to the global open source community.”

Edwards said it’s great that GitHub has a process for handling sanctioned accounts, but that the process doesn’t seem to communicate risk in a transparent way, noting that the only indicator on the locked accounts is the message, “This repository has been archived by the owner. It is now read-only.”

“It’s an odd message that doesn’t communicate, ‘This is a sanctioned entity, don’t fork this code or use it in a production environment’,” Edwards said.

Mark Rasch is a former federal cybercrime prosecutor who now serves as counsel for the New York City based security consulting firm Unit 221B. Rasch said when Treasury’s Office of Foreign Assets Control (OFAC) sanctions a person or entity, it then becomes illegal for businesses or organizations to transact with the sanctioned party.

Rasch said financial institutions have very mature systems for severing accounts tied to people who become subject to OFAC sanctions, but that tech companies may be far less proactive — particularly with free accounts.

“Banks have established ways of checking [U.S. government sanctions lists] for sanctioned entities, but tech companies don’t necessarily do a good job with that, especially for services that you can just click and sign up for,” Rasch said. “It’s potentially a risk and liability for the tech companies involved, but only to the extent OFAC is willing to enforce it.”
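As an added example (not code from the article, from Silent Push, or from any platform the article names), this is what the sign-up screening Rasch describes can look like: a watchlist entry constructed from the identifiers the article quotes (name, aliases, handle, linked page, date of birth), matched against the fields a self-service sign-up form collects. The record layout, the sign-up field names and the allow/review/escalate policy are assumptions, not OFAC's published SDN format or any platform's real process.

```python
"""Sanctions-list screening for self-service account sign-ups.

Added example, not the article's or any platform's code. The watchlist
record and the sign-up records are constructed from identifiers quoted in
the article; the record layout is an assumption, not OFAC's SDN format.
"""
import re
import unicodedata
from dataclasses import dataclass

# Constructed watchlist entry in the shape of a designation: primary name,
# a.k.a. values, linked entities and a date of birth (all from the article).
WATCHLIST = [
    {
        "name": "Liu Lizhi",
        "aliases": ["XXL4", "Nice Lizhi", "nicelizhi", "Steve Liu"],
        "entities": ["Funnull Technology Inc.", "EnjoyGanzhou"],
        "dob": "1984-11-13",
    },
]


def normalize(value: str) -> str:
    """Fold case, strip accents, a leading '@' and punctuation so that
    '@NiceLizhi', 'Nice Lizhi' and 'nice-lizhi' all compare equal."""
    value = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    value = value.lower().lstrip("@")
    return re.sub(r"[^a-z0-9]", "", value)


@dataclass
class ScreeningHit:
    field: str        # sign-up field that matched
    matched: str      # watchlist value it matched
    listed_name: str  # primary name of the designation


def screen_signup(signup: dict) -> list[ScreeningHit]:
    """Return every watchlist match for one sign-up record (assumed fields).

    Display name, handle, e-mail local part and page title are compared with
    the primary name, aliases and linked entities. A date-of-birth match is
    only corroborating: it is reported only when a name field already hit."""
    hits: list[ScreeningHit] = []
    fields = {
        "display_name": signup.get("display_name", ""),
        "handle": signup.get("handle", ""),
        "email_local": signup.get("email", "").split("@")[0],
        "page_title": signup.get("page_title", ""),
    }
    for entry in WATCHLIST:
        terms = [entry["name"], *entry["aliases"], *entry["entities"]]
        norm_terms = {normalize(t): t for t in terms}
        name_hit = False
        for fname, raw in fields.items():
            key = normalize(raw)
            if key and key in norm_terms:
                hits.append(ScreeningHit(fname, norm_terms[key], entry["name"]))
                name_hit = True
        if name_hit and signup.get("dob") == entry["dob"]:
            hits.append(ScreeningHit("dob", entry["dob"], entry["name"]))
    return hits


def decision(signup: dict) -> str:
    """Assumed policy: any name/handle hit holds the sign-up for manual
    review; a hit corroborated by date of birth is escalated instead."""
    hits = screen_signup(signup)
    if not hits:
        return "allow"
    if any(h.field == "dob" for h in hits):
        return "escalate"
    return "review"
```

The same check run periodically over existing accounts, rather than only at sign-up, is what closes the gap Rasch describes when a user is designated after the account already exists.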

Liu Lizhi operates numerous Facebook accounts and groups, including this one for an entity specified in the OFAC sanctions: The “Enjoy Ganzhou” tourism page for Ganzhou, China. Image: Silent Push.

In July 2024, Funnull purchased the domain polyfill[.]io, the longtime home of a legitimate open source project that allowed websites to ensure that devices using legacy browsers could still render content in newer formats. After the Polyfill domain changed hands, at least 384,000 websites were caught in a supply-chain attack that redirected visitors to malicious sites. According to the Treasury, Funnull used the code to redirect people to scam websites and online gambling sites, some of which were linked to Chinese criminal money laundering operations.

The U.S. government says Funnull provides domain names for websites on its purchased IP addresses, using domain generation algorithms (DGAs) — programs that generate large numbers of similar but unique names for websites — and that it sells web design templates to cybercriminals.

“These services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites, but also allow them to quickly change to different domain names and IP addresses when legitimate providers attempt to take the websites down,” reads a Treasury statement.

Meanwhile, Funnull appears to be morphing nearly all aspects of its business in the wake of the sanctions, Edwards said.

“Whereas before they might have used 60 DGA domains to hide and bounce their traffic, we’re seeing far more now,” he said. “They’re trying to make their infrastructure harder to track and more complicated, so for now they’re not going away but more just changing what they’re doing. And a lot more organizations should be holding their feet to the fire.”

Update, 2:48 PM ET: Added response from Meta, which confirmed it has closed the accounts and groups associated with Mr. Lizhi.

