FUNNULL Uses Amazon and Microsoft Cloud to Hide Malicious Infrastructure
gbhackers
A sophisticated threat network called “Triad Nexus” operates through the FUNNULL content delivery network (CDN) to hide malicious infrastructure within major Western cloud providers, including Amazon and Microsoft.
The operation, led by sanctioned individual Lizhi Liu, has facilitated over $200 million in losses to U.S. victims through investment fraud schemes.
Silent Push threat analysts have identified FUNNULL’s use of “Infrastructure Laundering” as a primary method to conceal malicious operations.
This technique involves systematically abusing Western cloud providers to illicitly acquire accounts and rapidly integrate IP addresses into the FUNNULL infrastructure network.
The approach effectively allows threat actors to host fraudulent websites for free, primarily leveraging trusted Western providers to evade detection.
The Treasury Department and FBI issued joint advisories in May 2025, announcing that FUNNULL and its administrator Lizhi Liu were added to the U.S. sanctions list due to their support of scam ...
Copyright of this story solely belongs to gbhackers.