
Infrastructure Laundering: Blending in with the Cloud – Source: krebsonsecurity.com


In recent years, hosting firms catering to cybercriminals in China and Russia have been using major U.S. cloud providers to disguise their malicious activities. One such outfit, known as “Funnull,” has caught the attention of security researchers for its ties to Chinese organized crime groups and its use of Amazon AWS and Microsoft Azure to host a variety of fraudulent websites.

A report published by Silent Push in October 2024 shed light on Funnull’s operations, which include hosting fake trading apps, pig butchering scams, gambling websites, and retail phishing pages. The network made headlines after acquiring the domain polyfill[.]io, which had long served a legitimate open-source JavaScript library embedded by a large number of websites. Funnull then used that position to mount a supply-chain attack: the script served from the domain was altered so that visitors to sites embedding it were redirected to malicious pages.

Silent Push’s analysis also uncovered a significant number of gambling sites hosted through Funnull that were linked to the Suncity Group, a Chinese entity accused of money laundering for the North Korean Lazarus Group. The CEO of Suncity was sentenced to 18 years in prison in 2023 for fraud and illegal gambling activities.

The report suggested that the gambling sites associated with Funnull may be using the names of reputable casino brands to launder money, a tactic that sidesteps China’s ban on most forms of gambling. By routing their traffic through U.S. cloud providers, Funnull and similar cybercriminal networks make it much harder for defenders to block them at the network level: a block on the IP addresses or address ranges involved would also cut off the legitimate customers sharing that cloud infrastructure, so defenders are pushed toward slower, host-by-host blocking.

Zach Edwards from Silent Push described this tactic as “infrastructure laundering,” where criminal organizations route their malicious traffic through legitimate cloud providers to avoid detection. He called on Western hosting companies to take proactive measures to prevent their services from being exploited by cybercriminals.
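The two paragraphs above describe the defender’s dilemma in prose; the following Python is an added example (not code from the original article, Silent Push, or Krebs) of the triage a blue team might run over a list of malicious hostnames before pushing a blocklist. It checks whether each indicator’s resolved IP falls inside a known cloud provider range and, if so, downgrades the action from an IP-level block to a hostname-level block to avoid collateral damage to the provider’s other tenants. The provider names, CIDR ranges, domains and IP addresses are all constructed placeholders (RFC 5737 documentation ranges); in practice the ranges would be loaded from the providers’ published feeds.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for published cloud provider ranges. Real deployments
# load these from the providers' own feeds; these CIDRs are documentation
# ranges and carry no meaning beyond this example.
CLOUD_RANGES = {
    "example-cloud-a": [ipaddress.ip_network("203.0.113.0/24")],
    "example-cloud-b": [ipaddress.ip_network("198.51.100.0/25")],
}


@dataclass
class Indicator:
    domain: str
    ip: str


@dataclass
class BlockDecision:
    domain: str
    ip: str
    provider: Optional[str]
    action: str  # "block-ip", "block-host" or "invalid"
    reason: str


def cloud_provider_for(ip: str) -> Optional[str]:
    """Return the provider whose published range contains ip, else None.

    ipaddress handles both IPv4 and IPv6; a malformed string raises
    ValueError, which callers are expected to handle.
    """
    addr = ipaddress.ip_address(ip)
    for provider, nets in CLOUD_RANGES.items():
        if any(addr in net for net in nets):
            return provider
    return None


def decide(ind: Indicator) -> BlockDecision:
    """Choose the least-collateral block that still covers the indicator."""
    try:
        provider = cloud_provider_for(ind.ip)
    except ValueError:
        return BlockDecision(ind.domain, ind.ip, None, "invalid",
                             "unparseable IP address; review by hand")
    if provider is None:
        return BlockDecision(
            ind.domain, ind.ip, None, "block-ip",
            "IP is outside known shared cloud ranges; a network-level "
            "block carries little collateral risk")
    return BlockDecision(
        ind.domain, ind.ip, provider, "block-host",
        f"IP sits in {provider}; blocking it would also cut off that "
        f"provider's legitimate tenants, so block the hostname instead")


def triage(indicators):
    return [decide(i) for i in indicators]


def summarize(decisions):
    """Group decisions into the two blocklists an enforcement point needs."""
    out = {"block-ip": [], "block-host": [], "invalid": []}
    for d in decisions:
        out[d.action].append(d.ip if d.action == "block-ip" else d.domain)
    return out


# Constructed sample indicators: two "laundered" through cloud ranges,
# one on a dedicated host, one malformed.
SAMPLE = [
    Indicator("fake-trading.example", "203.0.113.45"),
    Indicator("casino-phish.example", "198.51.100.7"),
    Indicator("bulletproof.example", "192.0.2.10"),
    Indicator("broken.example", "not-an-ip"),
]

if __name__ == "__main__":
    for d in triage(SAMPLE):
        print(f"{d.domain:<24} {d.ip:<16} {d.action:<11} {d.reason}")
```

The useful property for the analyst is the split in the summary: everything that lands in `block-host` is infrastructure a single IP block cannot safely cover, which is exactly the effect the “infrastructure laundering” label describes.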

Following the publication of Silent Push’s report, Amazon and Microsoft responded by suspending accounts linked to Funnull’s illicit activities. Both companies emphasized their commitment to combating abuse on their platforms and encouraged users to report suspicious activity.

Richard Hummel from NETSCOUT highlighted the challenges defenders face with malicious traffic routed through cloud providers. He noted that groups such as the Russian hacktivist outfit NoName057(16) frequently cycle through cloud accounts to evade detection, so that blocking the infrastructure in use at any given moment becomes a constant game of cat and mouse for security professionals.

The issue of infrastructure laundering has also attracted the attention of regulators. The U.S. Department of Commerce has proposed rules that would require cloud providers to implement a “Customer Identification Program,” a know-your-customer style process for verifying the identity of foreign customers. The goal is to prevent malicious actors from exploiting U.S. cloud services for malicious cyber-enabled activities.

The proposed rules have raised concerns about cross-border data collection and potential competitive disadvantages for U.S. cloud providers. It remains to be seen whether the new administration will push forward with these requirements, which were initiated under the previous administration.

Infrastructure laundering illustrates how cybercriminal tactics keep evolving and how that complicates the defender’s job. By hosting on the same major cloud providers that legitimate businesses rely on, these networks blend in with benign traffic and blunt the network-level blocking that would otherwise be the quickest response, a problem for security teams worldwide.
