Zach Edwards

@thezedwards.bsky.social

data supply auditor | privacy & ad tech expert | internet threats Personal @ victorymedium.com Sr Threat Analyst @ SilentPush.com

1,321 Followers  |  6,455 Following  |  3,645 Posts  |  Joined: 23.11.2023  |  2.0774

Latest posts by thezedwards.bsky.social on Bluesky

cheers thanks very much!! 🖖

06.08.2025 20:37 | 👍 1 | 🔁 0 | 💬 0 | 📌 0
Mind map of SocGholish (Operated by TA56) infection chains. The details are complex but explained in more detail on our blog post.

Our team @silentpush just dropped a definitive look at SocGholish (operated by TA569) and the initial access broker ecosystem they are facilitating. Big thanks to past researchers who have worked on SocGholish! We've got details about our visibility @ www.silentpush.com/blog/socghol... 🖖🏻

06.08.2025 19:49 | 👍 9 | 🔁 5 | 💬 0 | 📌 1

Congrats! Very well deserved. 🖖🏻

22.07.2025 00:41 | 👍 3 | 🔁 0 | 💬 0 | 📌 0

Our team looks forward to providing updates on the FUNNULL CDN and the owner over the coming weeks and months. This network isn’t done and much stronger efforts need to be taken in the U.S. by a wide range of companies to deal w/ this ongoing persistent threat out of China. 🖖

03.07.2025 16:56 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

I’ve got my own personal non-lawyer opinions (seems quite risky to host accounts for the owner of the largest CDN hosting scams targeting Americans), but I gotta assume that this is complex and there is currently a grey area that the U.S. Treasury needs to clarify.

03.07.2025 16:56 | 👍 1 | 🔁 0 | 💬 1 | 📌 0

It seems clear that serious enterprise lawyers from major tech companies may not agree on what U.S. Treasury sanctions require them to do when an individual is sanctioned who has accounts on their service.

03.07.2025 16:56 | 👍 0 | 🔁 1 | 💬 1 | 📌 0

Our research confirmed Lizhi still has active accounts on services including:
Twitter
GitHub
LinkedIn
Facebook
Google Code / Google Groups
Medium
PayPal
WordPress
HuggingFace
Gravatar / WordPress
Vercel
Deviant Art / Wix
Flickr / SmugMug
About Me / Vendasta
Tawk[.]to

03.07.2025 16:56 | 👍 1 | 🔁 0 | 💬 1 | 📌 0

Krebs put it nicely in his piece, “However, as Mr. Lizhi’s case makes clear, just because someone is sanctioned doesn’t necessarily mean big tech companies are going to suspend their online accounts.”

03.07.2025 16:56 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

Do U.S. Treasury sanctions really have no teeth to require companies to ban accounts?

In this publishing process, we learned that different enterprise companies currently have different interpretations of what U.S. Treasury Sanctions / SDN processes require.

03.07.2025 16:56 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

FUNNULL hosted websites have caused over $200 million in losses to U.S. victims, with an average loss of $150,000 per individual.

And yet the FUNNULL admin, who was also directly sanctioned, still has dozens of accounts on various Western enterprise services. So what gives?

03.07.2025 16:56 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

FUNNULL CDN and the admin Liu Lizhi (aka Steve / Steven Lizihi) were both sanctioned by the U.S. Treasury in May 2025 – and in the announcement it was noted that “Funnull is linked to the majority of virtual currency investment scam websites reported to the FBI.”

03.07.2025 16:56 | 👍 0 | 🔁 0 | 💬 1 | 📌 0
Big Tech’s Mixed Response to U.S. Treasury Sanctions In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But more than a m...

Read @briankrebs.infosec.exchange.ap.brid.gy report @ "Big Tech’s Mixed Response to U.S. Treasury Sanctions" @ krebsonsecurity.com/2025/07/big-...

03.07.2025 16:56 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

We found tons of interesting details including some anti-American and anti-Japanese statements on his personal blog.

Brian Krebs was also able to cover the research and helped to engage the enterprise organizations who are still hosting his accounts.

03.07.2025 16:56 | 👍 0 | 🔁 0 | 💬 1 | 📌 0
Numerous Western Companies May Still Need to Ban FUNNULL Admin Accounts to Comply with U.S. Treasury Sanctions Numerous western companies may still need to ban FUNNULL Admin accounts to comply with U.S. Treasury Sanctions.

Our SP piece can be viewed @ "Numerous Western Companies May Still Need to Ban FUNNULL Admin Accounts to Comply with U.S. Treasury Sanctions" @ www.silentpush.com/blog/funnull...

03.07.2025 16:56 | 👍 0 | 🔁 1 | 💬 1 | 📌 0

If I’ve been quiet you know I’m cooking up some fire research!

Our team at @silentpush.bsky.social is out today with a big report about the admin / owner of the FUNNULL CDN – essentially a dox of all his accounts and activities on the internet for the last 15+ years.

03.07.2025 16:56 | 👍 4 | 🔁 1 | 💬 1 | 📌 0

"Funnull had direct exposure to Huione Pay, for which the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued a finding and notice of proposed rulemaking (NPRM) identifying it as a primary money laundering concern" πŸ‘€

29.05.2025 19:02 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

More on Funnull in this Silent Push report from January: www.silentpush.com/blog/infrast...

These are also Funnull IPs and domains: bsky.app/profile/camp...

29.05.2025 17:37 | 👍 4 | 🔁 3 | 💬 0 | 📌 0
US government sanctions tech company involved in cyber scams | TechCrunch The Treasury said FUNNULL was involved in providing infrastructure for pig butchering crypto scams.

NEW: The U.S. government has announced sanctions against FUNNULL and its administrator.

FUNNULL is accused of providing infrastructure for pig butchering crypto scams, as well as being the company behind the Polyfill supply chain attack, which pushed malware to victims who visited certain websites.

29.05.2025 16:59 | 👍 13 | 🔁 5 | 💬 0 | 📌 0
Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech Infrastructure Laundering is a criminal practice of intermediaries enabling threat actors to hide infrastructure with major cloud providers.

In case you aren't familiar with Infrastructure Laundering, it's the new fad for Chinese threat actors trying to keep their infrastructure online. It's Bulletproof Hosts but through major legit providers, getting online by ~stealing accounts through illicit means. www.silentpush.com/blog/infrast...

29.05.2025 15:41 | 👍 1 | 🔁 0 | 💬 0 | 📌 0

"(Funnull) enables virtual currency investment scams by purchasing IP addresses in bulk from major cloud services companies worldwide and selling them to cybercriminals to host scam platforms and other malicious web content.

They are describing "Infrastructure Laundering" here

29.05.2025 15:41 | 👍 0 | 🔁 0 | 💬 1 | 📌 0
the man is wearing a suit and tie and clapping his hands . Alt: Leonardo Dicaprio wearing a suit and tie and clapping his hands .

"Funnull is linked to the majority of virtual currency investment scam websites reported to the FBI."

29.05.2025 15:41 | 👍 0 | 🔁 0 | 💬 1 | 📌 0
Meme Loafcat GIF Alt: Meme Loafcat GIF saying "Is there any way to do 200 million?"

The FBI partnered with the Treasury on this recent effort, and released details today including:

"Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses."

29.05.2025 15:41 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

The last 6 months I've traveled around the world giving presentations on FUNNULL about the scams and money laundering they are facilitating -- and today -- the U.S. Treasury has sanctioned FUNNULL and we got a bunch more facts about the operation now public.

home.treasury.gov/news/press-r...

29.05.2025 15:41 | 👍 2 | 🔁 0 | 💬 1 | 📌 0

The location data they will be selling will primarily be powered by Google and Apple’s Mobile Advertising ID schemes - combining that with new data lakes trying to connect scraped social media content to IPs and MAIDs is truly connecting the dots on dystopia.

22.05.2025 19:54 | 👍 15 | 🔁 10 | 💬 1 | 📌 2

oh absolutely -- but they would also need to register as a Data Broker imo. And they explicitly do NOT mention any data lakes / graphs as part of this process. That's why I think it's BS marketing rhetoric. They make a magic leap from scraping social to mapping MAIDs by claiming "AI did it"

21.05.2025 17:59 | 👍 1 | 🔁 0 | 💬 0 | 📌 0
How Coke used an AI agent to target ads to 828,000 fast-food fans The campaign tracked users across social media, raising potential privacy concerns.

Here's the mysterious article with scant details about this magic data broker matching product: adage.com/technology/a...

Have you heard about someone matching up data from LinkedIn or YouTube to MAIDs and IP addresses? Because if so, me and a bunch of other folks would like to know how it's done.

21.05.2025 16:24 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

It's always incredibly interesting when I hear about new data broker products, especially when their claims are impossible and not explained at all.

I have no idea what Coca-Cola was doing paying for this service, and no idea what Cluep is actually doing. Their rhetoric + reality don't align.

21.05.2025 16:24 | 👍 2 | 🔁 0 | 💬 1 | 📌 0

I've said clearly that I thought none of this was possible unless there was a secret data lake somewhere between the social data and the MAID data. Someone has created a data lake connecting MAIDs + IPs to social handles / usernames / emails. Or something like that. Otherwise it's all fantasy shit.

21.05.2025 16:24 | 👍 1 | 🔁 0 | 💬 2 | 📌 0

How in god's name does someone allege to scrape public information from major social networks -- most of which don't expose device information or any fine-grained geographic location details -- and then suddenly pull MAIDs out their ass? They claim to do this with IPs + MAIDs in private details.

21.05.2025 16:24 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

They then claim to take this magically scraped geo data + device type + "demographic data" and then miraculously "the agent compared this information to Mobile IDs provided by Cluep’s ad tech partners, including supply-side platform Index Exchange and ad exchange Sharethrough"

21.05.2025 16:24 | 👍 0 | 🔁 0 | 💬 1 | 📌 0
