In May 2025, the US government approved a Chinese national for the operation of a cloud provider associated with the majority of virtual currency investment scam websites informed to the FBI. But a new report found that the accused continues to operate a group of accounts established in American technical companies – Facebook, Github, Papail And Twitter/X,
On May 29, U.S. Department of the Treasury Announced economic sanctions against Funonul Technology Inc.A company based in the Philippines accused of providing infrastructure for hundreds of thousands of websites involved in the virtual currency investment scams, known as “Pig Butcher”. In January 2025, Krebssnasurity expanded how the funnel was designed as a content delivery network, fulfilling foreign cyber criminals, demanding to route their traffic through the US-based cloud providers.
Treasury also approved Funnerul’s alleged operator, a 40 -year -old Chinese National name Liu “Steve” LijhiThe government says that Funnel provided the facility of direct financial plans, resulting in more than $ 200 million in the financial deficit by the Americans, and that the operating of the company was linked to the majority of pig butcher scams reported to the FBI.
It is generally illegal for American companies or individuals to transact with people approved by Treasury. However, as the case of Mr. Lizi explains, just because someone is approved, not necessarily large technical companies going to suspend their online accounts.
The government says that Lizhi was born on 13 November 1984 and used the surnames “Xxl4” And “Good lizzie“Nevertheless, there were hundreds of followers of Steve Liu’s 17 -year -old account (in” Luulishi “) on LinkedIn (Lizi’s Lizardin Profiles confirms his birthday): Recently: The account was removed this morning, a few hours after Krebsanusurity, a comment was sought from Linkedin, a few hours after Krebsanusurity.
Mr. Lizi’s LinkedIn account was suspended in the last 24 hours in the last 24 hours, when a comment was sought from LinkedIn.
In an email response, a linkedIn spokesperson said the company’s “Policy of prohibited countries“Says that LinkedIn” does not sell, provides licenses, support or otherwise its premium account or others paid Products and services to individuals and companies approved by the US government. LinkedIn refused to say whether the profile in the question used to be a premium or free account.
Mr. Lizi also maintains A working PayPal account Liu Lizzie and User Name “@nicelizhi“Another surname listed in Treasury sanctions. Payal did not respond to the request for comment. A 15 -year -old man Twitter/X Account Name “Lizzie” Mr. Lizi’s individual domain links are active, although some of its followers and have not been posted over years.
These accounts and many others were flagged by the security firm Silent pushWhich is monitoring the operation of Funonul for the last one year and calling us cloud providers Heroic And Microsoft To fail more rapidly with the company.
Liu Lizhi’s PayPal account.
In a report Today released, Silent Push found Lizi still operates several Facebook accounts and groups, including a private Facebook account called Liu Lizhi. Another active Facebook account is clearly connected to Lizi, Ganzhou is a tourist page for China “called”Enjoy“It was nominated in the treasury department sanctions.
“This man is a technical administrator for the infrastructure who is hosting most of the scams targeting people in the United States, and hundreds of millions are lost based on the websites they are hosting,” Zach EdwardsSenior Threat Researcher at Silent Push. “It is crazy that the vast majority of big tech companies have done nothing to cut relations with this man.”
The FBI says it received around 150,000 complaints last year, including digital assets and $ 9.3 billion deficit – an increase of 66 percent from the previous year. Investment scams were top crypto-related crimes, with a loss of $ 5.8 billion reported.
In a statement, a Meta spokesperson said that the company takes consistent steps to fulfill its legal obligations, but that the restrictions are complex and diverse.
The statement said, “sanctions are often targeted in nature and do not always prevent people from having appearance on our platform.” “Whether specific activity is restricted by restrictions or the terms and policies of the meta depend on specific facts.”
Attempt to reach Shri Lizi through his primary email address Hotmail And Gmail Bounce as unaware. Similarly, his 14 year old child YouTube The channel seems to have been taken down recently.
However, anyone interested in viewing or using 146 computer code repository of Mr. Lizi will not have any problem in finding active Github accounts for him, including a single one registered under the Nicelizi and XXL4 surnames mentioned in Treasury restrictions.
One of the many active Github profiles used by Liu “Steve” Lizi, which uses XXL4 nicknames (a monicor listed in Treasury restrictions for Sri Lizzie).
Mr. Lizi also operates a github page for an open source e-commerce platform NexamerachantWhich advertises himself as a payment gateway working with many US financial institutions. Interesting, this is profile “Follower” page Shows many other accounts that appear to be of Shri Lizi. All the followers of the account are tagged as “suspended”, even though he does not display the suspended message when someone visits those individual profiles.
In response to the questions, Gitab said that it is a process to identify when users and customers nominate specifically designated citizens or other refusal or blocked parties, but it locks them instead of removing those accounts. According to its policy, Github takes care that users and customers are not affected beyond being necessary by law.
The XXL4 GITHUB account seems to be of all the followers account of Shri Lizi, and is suspended by Github, but their code is still accessible.
“This involves keeping public repository, including open source projects, which are available and accessible to support personal communication associated with developers in approved areas,” it has been said in policy. “This also means that the Github will advocate developers in the approved areas to enjoy the greater access to the platform and enjoy the full access to the global open source community.”
Edwards said it is great that Github has a process to handle the sanctioned accounts, but this process does not seem to communicate in a transparent manner to communicate risk, given that the only indicator message on locks is, “This is stored by the repository owner. It is not just read.”
“This is a strange message that does not communicate,” this is an approved unit, do not fork this code or not use it in the production environment “, Edwards said.
Mark Rasch A former federal cyber crime prosecutor is now served as a lawyer for the security consultation firm in New York City Unit 221BRasach said that when the Treasury’s Office of Foreign Assets Control (OFAC) restrictions to an individual or institution, it becomes illegal to transact with a party approved for businesses or organizations.
Rasch stated that financial institutions have very mature systems to separate the accounts tied for those who are subject to the offac restrictions, but these technical companies can be very active – especially with free accounts.
“Banks have established the methods of investigation (list of US government sanctions) for approved institutions, but tech companies do not necessarily do a good job with it, especially for services you can click and sign up,” Rasach said. “It is a risk and liability for potentially involved technical companies, but only OFAC is ready to implement it only.”
Liu Lijhi operates several active Facebook accounts and groups, which also includes a unit specified in OFAC restrictions: Ganzhou, “Anand Ganzhou” tourism page for China. Picture: Silent Push.
In July 2024, Funnelul bought a domain polyphil (.) IO, a long -term home of a valid open source project, which allowed websites to ensure that the inheritance browsers using browsers can still provide materials in new formats. After the polyphil domain changed hands, there were at least 384,000 websites Caught in a supply-series attack This redesigned visitors to malicious sites. According to the Treasury, Funnelul used the code to redirect people to scam websites and online gambling sites, some of which were linked to the Chinese Criminal Money Laundering operation.
The US government says that Funnelul Domain Generation Algorithms (DGA) – using such programs, provides domain names for websites at its purchased IP addresses, which produce a large number of but unique names for websites – and it sells a web design template to cyber criminal.
“These services not only make it easy to implement reliable brands when constructing scam websites for cyber criminal, but also allows them to replace separate domain names and IP addresses quickly when valid providers try to take down the websites,” a Treasury statement said.
Edwards said that in the meantime, it appears to be converting almost all aspects of his business in view of funnel sanctions.
“Whereas before they can use 60 DGA domains to hide and bounce their traffic, we are watching more now,” he said. “They are trying to track their infrastructure and make it harder to make them more complex, so now they are not going away, but more simply changing what they are doing. And many more outfits should hold their feet in the fire.”
