To blend in with legitimate traffic and make their operations harder to block, hosting firms in China and Russia that serve cybercriminals are increasingly routing their operations through major U.S. cloud providers. The trend was highlighted by recent research on a Chinese content delivery network named “Funnull,” which is linked to Chinese organized crime groups and hosts a range of illicit content, including fake trading apps, pig butchering scams, gambling websites, and retail phishing pages, on major cloud platforms such as Amazon AWS and Microsoft Azure.
Funnull came to wider attention when the security firm Silent Push published an analysis in October 2024 detailing how the network was using Amazon and Microsoft services to carry out its operations. Funnull had already drawn notice after acquiring the domain name “polyfill[.]io” and using it to conduct a supply-chain attack against the many legitimate websites that still loaded scripts from this popular open-source code library. Silent Push also found the network hosting gambling sites associated with the Suncity Group, a Chinese entity known for laundering funds for criminal organizations.
Suncity’s CEO had previously been sentenced to 18 years in prison for offenses including illegal gambling and collaborating with organized crime syndicates. The gambling sites hosted by Funnull are suspected to be part of money laundering schemes that trade on well-known casino brands to disguise illicit activity. They may also help Chinese online gamblers bypass the country’s strict restrictions on gambling.
Silent Push’s Zach Edwards describes this as “infrastructure laundering”: cybercriminals route their malicious traffic through reputable U.S. cloud providers so that it is indistinguishable, at the network layer, from the providers’ legitimate customers. This poses a practical problem for defenders, because blocking a cloud provider’s address space outright is not feasible given the sheer volume of legitimate domains hosted on the same ranges; blocking has to happen at the level of individual hostnames and abuse reports have to carry host-level evidence.
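The following is an added illustration, not code from the original article or from Silent Push, of why network-layer blocking fails against infrastructure laundering. It takes a small set of constructed passive-DNS style observations (hostnames, the IPs they resolved to, and whether each host was independently flagged as malicious) and constructed provider prefixes (documentation ranges, not real AWS or Azure ranges), then compares the collateral damage of blocking a whole provider, blocking a single shared front-end IP, and blocking by hostname. Every hostname, address and prefix below is made up for the demonstration.

```python
"""Why "infrastructure laundering" defeats IP- and provider-level blocking.

Added example; not part of the original article or of Silent Push's research.
All hostnames, addresses and prefixes are constructed for the demo and are NOT
real AWS/Azure ranges or real malicious domains.
"""
import ipaddress

# Constructed stand-ins for provider-published IP ranges (hypothetical).
CLOUD_PREFIXES = {
    "cloud-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cloud-b": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed observations: (hostname, resolved IP, flagged malicious by other means?).
# Note that a legitimate host and two malicious hosts share one front-end IP.
OBSERVATIONS = [
    ("shop.example", "203.0.113.10", False),
    ("mail.example", "203.0.113.11", False),
    ("docs.example", "203.0.113.12", False),
    ("status.example", "203.0.113.13", False),
    ("login-bank-verify.invalid", "203.0.113.13", True),  # phishing page (constructed)
    ("fast-trade-app.invalid", "203.0.113.13", True),     # fake trading app (constructed)
    ("cdn.example", "198.51.100.5", False),
    ("lucky-casino.invalid", "198.51.100.9", True),       # gambling front (constructed)
    ("selfhosted.example", "192.0.2.7", False),           # outside any cloud prefix
]


def provider_for(ip):
    """Return the provider name whose prefixes contain `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CLOUD_PREFIXES.items():
        if any(addr in net for net in nets):
            return name
    return None


def collateral_if_blocking_provider(observations, provider):
    """(malicious_blocked, legitimate_blocked) if every prefix of `provider` were blocked."""
    malicious = legitimate = 0
    for _host, ip, is_malicious in observations:
        if provider_for(ip) == provider:
            if is_malicious:
                malicious += 1
            else:
                legitimate += 1
    return malicious, legitimate


def collateral_if_blocking_ip(observations, ip):
    """(malicious_blocked, legitimate_blocked) if a single shared front-end IP were blocked."""
    hits = [is_malicious for _host, host_ip, is_malicious in observations if host_ip == ip]
    return sum(hits), len(hits) - sum(hits)


def build_domain_blocklist(observations):
    """Name-layer blocking: only the hosts flagged malicious, wherever they resolve."""
    return sorted({host for host, _ip, is_malicious in observations if is_malicious})


def abuse_report_by_provider(observations):
    """Group flagged hostnames by provider, i.e. the host-level evidence an abuse desk needs."""
    report = {}
    for host, ip, is_malicious in observations:
        if is_malicious:
            report.setdefault(provider_for(ip), []).append((host, ip))
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for prov in CLOUD_PREFIXES:
        print(prov, "blocked -> (malicious, legitimate):",
              collateral_if_blocking_provider(OBSERVATIONS, prov))
    print("203.0.113.13 blocked ->", collateral_if_blocking_ip(OBSERVATIONS, "203.0.113.13"))
    print("domain blocklist:", build_domain_blocklist(OBSERVATIONS))
    print("abuse report:", abuse_report_by_provider(OBSERVATIONS))
```

Blocking either constructed provider removes more legitimate hosts than malicious ones, and even blocking the one shared front-end address takes a legitimate site down with the two malicious ones; only the hostname-level list is clean. The same logic scales to real passive-DNS data and published provider ranges, but the flag on each host still has to come from independent analysis of its content.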
Major cloud providers like Amazon and Microsoft say they suspend accounts tied to such operations promptly once alerted. The operators, however, typically reappear under new accounts opened with stolen payment data or through compromised customer accounts, so suspensions disrupt the activity without eliminating it.
The issue of malicious traffic being funneled through U.S. cloud providers is not new, with previous instances like the Stark Industries Solutions network being used as a proxy for cyberattacks and disinformation campaigns. Groups like NoName057(16) have leveraged cloud providers to launch DDoS attacks against targets perceived as adversarial to their interests.
Regulators such as the U.S. Department of Commerce are moving to impose stricter obligations on cloud providers to curb this abuse. Proposed rules would require providers to implement customer identification programs to verify who their clients are, with particular attention to foreign entities and suspicious transactions.
The growing use of reputable cloud providers for illicit activity presents a complex challenge for law enforcement and security teams. As cybercriminals adapt their tactics to blend into cloud infrastructure, coordinated effort between governments, regulators, and technology companies is essential to counter the threat effectively.