Login
In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies β including Facebook, Github, PayPal and Twitter/X.
On May 29, the U.S. Department of the TreasuryΒ announced economic sanctions against Funnull Technology Inc., a Philippines-based company alleged to provide infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as βpig butchering.β In January 2025, KrebsOnSecurity detailed how Funnull was designed as a content delivery network that catered to foreign cybercriminals seeking to route their traffic through U.S.-based cloud providers.
The Treasury also sanctioned Funnullβs alleged operator, a 40-year-old Chinese national named Liu βSteveβ Lizhi. The government says Funnull directly facilitated financial schemes resulting in more than $200 million in financial losses by Americans, and that the companyβs operations were linked to the majority of pig butchering scams reported to the FBI.
It is generally illegal for U.S. companies or individuals to transact with people sanctioned by the Treasury. However, as Mr. Lizhiβs case makes clear, just because someone is sanctioned doesnβt necessarily mean big tech companies are going to suspend their online accounts.
The government says Lizhi was born November 13, 1984, and used the nicknames βXXL4β and βNice Lizhi.β Nevertheless, Steve Liuβs 17-year-old account on LinkedIn (in the name βLiulizhiβ) had hundreds of followers (Lizhiβs LinkedIn profile helpfully confirms his birthday) until quite recently: The account was deleted this morning, just hours after KrebsOnSecurity sought comment from LinkedIn.
Mr. Lizhiβs LinkedIn account was suspended sometime in the last 24 hours, after KrebsOnSecurity sought comment from LinkedIn.
In an emailed response, a LinkedIn spokesperson said the companyβs βProhibited countries policyβ states that LinkedIn βdoes not sell, license, support or otherwise make available its Premium accounts or other paid products and services to individuals and companies sanctioned by the U.S. government.β LinkedIn declined to say whether the profile in question was a premium or free account.
Mr. Lizhi also maintains a working PayPal account under the name Liu Lizhi and username β@nicelizhi,β another nickname listed in the Treasury sanctions. A 15-year-old Twitter/X account named βLizhiβ that links to Mr. Lizhiβs personal domain remains active, although it has few followers and hasnβt posted in years.
These accounts and many others were flagged by the security firm Silent Push, which has been tracking Funnullβs operations for the past year and calling out U.S. cloud providers like Amazon and Microsoft for failing to more quickly sever ties with the company.
Liu Lizhiβs PayPal account.
In a report released today, Silent Push found Lizhi still operates numerous Facebook accounts and groups, including a private Facebook account under the name Liu Lizhi. Another Facebook account clearly connected to Lizhi is a tourism page for Ganzhou, China called βEnjoyGanzhouβ that was named in the Treasury Department sanctions.
βThis guy is the technical administrator for the infrastructure that is hosting a majority of scams targeting people in the United States, and hundreds of millions have been lost based on the websites heβs been hosting,β said Zach Edwards, senior threat researcher at Silent Push. βItβs crazy that the vast majority of big tech companies havenβt done anything to cut ties with this guy.β
The FBI says it received nearly 150,000 complaints last year involving digital assets and $9.3 billion in losses β a 66 percent increase from the previous year. Investment scams were the top crypto-related crimes reported, with $5.8 billion in losses.
In a statement, a Meta spokesperson said the company continuously takes steps to meet its legal obligations, but that sanctions laws are complex and varied. They explained that sanctions are often targeted in nature and donβt always prohibit people from having a presence on its platform. Nevertheless, Meta confirmed it had removed the account, unpublished Pages, and removed Groups and events associated with the user for violating its policies.
Attempts to reach Mr. Lizhi via his primary email addresses at Hotmail and Gmail bounced as undeliverable. Likewise, his 14-year-old YouTube channel appears to have been taken down recently.
However, anyone interested in viewing or using Mr. Lizhiβs 146 computer code repositories will have no problem finding GitHub accounts for him, including one registered under the NiceLizhi and XXL4 nicknames mentioned in the Treasury sanctions.
One of multiple GitHub profiles used by Liu βSteveβ Lizhi, who uses the nickname XXL4 (a moniker listed in the Treasury sanctions for Mr. Lizhi).
Mr. Lizhi also operates a GitHub page for an open source e-commerce platform called NexaMerchant, which advertises itself as a payment gateway working with numerous American financial institutions. Interestingly, this profileβs βfollowersβ page shows several other accounts that appear to be Mr. Lizhiβs. All of the accountβs followers are tagged as βsuspended,β even though that suspended message does not display when one visits those individual profiles.
In response to questions, GitHub said it has a process in place to identify when users and customers are Specially Designated Nationals or other denied or blocked parties, but that it locks those accounts instead of removing them. According to its policy, GitHub takes care that users and customers arenβt impacted beyond what is required by law.
All of the follower accounts for the XXL4 GitHub account appear to be Mr. Lizhiβs, and have been suspended by GitHub, but their code is still accessible.
βThis includes keeping public repositories, including those for open source projects, available and accessible to support personal communications involving developers in sanctioned regions,β the policy states. βThis also means GitHub will advocate for developers in sanctioned regions to enjoy greater access to the platform and full access to the global open source community.β
Edwards said itβs great that GitHub has a process for handling sanctioned accounts, but that the process doesnβt seem to communicate risk in a transparent way, noting that the only indicator on the locked accounts is the message, βThis repository has been archived by the owner. It is not read-only.β
βItβs an odd message that doesnβt communicate, βThis is a sanctioned entity, donβt fork this code or use it in a production environmentβ,β Edwards said.
Mark Rasch is a former federal cybercrime prosecutor who now serves as counsel for the New York City based security consulting firm Unit 221B. Rasch said when Treasuryβs Office of Foreign Assets Control (OFAC) sanctions a person or entity, it then becomes illegal for businesses or organizations to transact with the sanctioned party.
Rasch said financial institutions have very mature systems for severing accounts tied to people who become subject to OFAC sanctions, but that tech companies may be far less proactive β particularly with free accounts.
βBanks have established ways of checking [U.S. government sanctions lists] for sanctioned entities, but tech companies donβt necessarily do a good job with that, especially for services that you can just click and sign up for,β Rasch said. βItβs potentially a risk and liability for the tech companies involved, but only to the extent OFAC is willing to enforce it.β
Liu Lizhi operates numerous Facebook accounts and groups, including this one for an entity specified in the OFAC sanctions: The βEnjoy Ganzhouβ tourism page for Ganzhou, China. Image: Silent Push.
In July 2024, Funnull purchased the domain polyfill[.]io, the longtime home of a legitimate open source project that allowed websites to ensure that devices using legacy browsers could still render content in newer formats. After the Polyfill domain changed hands, at least 384,000 websites were caught in a supply-chain attack that redirected visitors to malicious sites. According to the Treasury, Funnull used the code to redirect people to scam websites and online gambling sites, some of which were linked to Chinese criminal money laundering operations.
The U.S. government says Funnull provides domain names for websites on its purchased IP addresses, using domain generation algorithms (DGAs) β programs that generate large numbers of similar but unique names for websites β and that it sells web design templates to cybercriminals.
βThese services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites, but also allow them to quickly change to different domain names and IP addresses when legitimate providers attempt to take the websites down,β reads a Treasury statement.
Meanwhile, Funnull appears to be morphing nearly all aspects of its business in the wake of the sanctions, Edwards said.
βWhereas before they might have used 60 DGA domains to hide and bounce their traffic, weβre seeing far more now,β he said. βTheyβre trying to make their infrastructure harder to track and more complicated, so for now theyβre not going away but more just changing what theyβre doing. And a lot more organizations should be holding their feet to the fire.β
Update, 2:48 PM ET: Added response from Meta, which confirmed it has closed the accounts and groups connected to Mr. Lizhi.
Update, July 7, 6:56 p.m. ET: In a written statement, PayPal said it continually works to combat and prevent the illicit use of its services.
βWe devote significant resources globally to financial crime compliance, and we proactively refer cases to and assist law enforcement officials around the world in their efforts to identify, investigate and stop illegal activity,β the statement reads.
Python 3 script to dump company employees from LinkedIn APIο¬
LinkedInDumper is a Python 3 script that dumps employee data from the LinkedIn social networking platform.
The results contain firstname, lastname, position (title), location and a user's profile link. Only 2 API calls are required to retrieve all employees if the company does not have more than 10 employees. Otherwise, we have to paginate through the API results. With the --email-format CLI flag one can define a Python string format to auto generate email addresses based on the retrieved first and last name.
LinkedInDumper talks with the unofficial LinkedIn Voyager API, which requires authentication. Therefore, you must have a valid LinkedIn user account. To keep it simple, LinkedInDumper just expects a cookie value provided by you. Doing it this way, even 2FA protected accounts are supported. Furthermore, you are tasked to provide a LinkedIn company URL to dump employees from.
FreshRSS li_at session cookie value e.g. via developer toolsli_at or temporarily during runtime via the CLI flag --cookie
usage: linkedindumper.py [-h] --url <linkedin-url> [--cookie <cookie>] [--quiet] [--include-private-profiles] [--email-format EMAIL_FORMAT]
options:
-h, --help show this help message and exit
--url <linkedin-url> A LinkedIn company url - https://www.linkedin.com/company/<company>
--cookie <cookie> LinkedIn 'li_at' session cookie
--quiet Show employee results only
--include-private-profiles
Show private accounts too
--email-format Python string format for emails; for example:
[1] john.doe@example.com > '{0}.{1}@example.com'
[2] j.doe@example.com > '{0[0]}.{1}@example.com'
[3] jdoe@example.com > '{0[0]}{1}@example.com'
[4] doe@example.com > '{1}@example.com'
[5] john@example.com > '{0}@example.com'
[6] jd@example.com > '{0[0]}{1[0]}@example.com'
docker run --rm l4rm4nd/linkedindumper:latest --url 'https://www.linkedin.com/company/apple' --cookie <cookie> --email-format '{0}.{1}@apple.de'
# install dependencies
pip install -r requirements.txt
python3 linkedindumper.py --url 'https://www.linkedin.com/company/apple' --cookie <cookie> --email-format '{0}.{1}@apple.de'
The script will return employee data as semi-colon separated values (like CSV):
βββ βββ ββββ β ββ βββββββββ βββββββ βββ ββββ β βββββββ β ββ ββββ βββββ ββββββ ββββββ ββββββ
ββββ ββββ ββ ββ β βββββ ββ β ββββ βββββββ ββ ββ β ββββ βββ ββ ββββββββββ& #9600; βββββββ βββββ β βββ β βββ
ββββ βββββββ ββ βββββββββ ββββ βββ βββββββββ ββ ββββββ βββββ βββββββ ββββββββ ββββββββ βββ βββ β
ββββ ββββββββ ββββββββ ββ βββ β ββββ β&# 9617;βββββββ βββββββββ ββββ βββββββ βββ βββββββ ββββ β βββββββ
ββββββββββββββββ ββββββββ ββββββββββββββββ ββββββββ βββββββββββ ββββββββ ββββ ββββββββ β βββββββ& #9618;ββββ ββββ
β βββ βββ β ββ β β β ββ ββββ ββ β βββ β ββ β ββ β β βββ β ββββ β β β ββ β βββββ β βββ ββ ββ ββ ββββ
β β β β β ββ ββ β βββ ββ ββ β β β β β β β ββ ββ β ββ β β β ββββ β β β β βββ β β β β ββ β ββ
β β β β β β β β ββ β β β β β β β β β β β β β βββ β β β β ββ β ββ β
β β β β β β β β β β β β β β β β β
β β β by LRVT
[i] Company Name: apple
[i] Company X-ID: 162479
[i] LN Employees: 1000 employees found
[i] Dumping Date: 17/10/2022 13:55:06
[i] Email Format: {0}.{1}@apple.de
Firstname;Lastname;Email;Position;Gender;Location;Profile
Katrin;Honauer;katrin.honauer@apple.com;Software Engineer at Apple;N/A;Heidelberg;https://www.linkedin.com/in/katrin-honauer
Raymond;Chen;raymond.chen@apple.com;Recruiting at Apple;N/A;Austin, Texas Metropolitan Area;https://www.linkedin.com/in/raytherecruiter
[i] Successfully crawled 2 unique apple employee(s). Hurray ^_-
LinkedIn will allow only the first 1,000 search results to be returned when harvesting contact information. You may also need a LinkedIn premium account when you reached the maximum allowed queries for visiting profiles with your freemium LinkedIn account.
Furthermore, not all employee profiles are public. The results vary depending on your used LinkedIn account and whether you are befriended with some employees of the company to crawl or not. Therefore, it is sometimes not possible to retrieve the firstname, lastname and profile url of some employee accounts. The script will not display such profiles, as they contain default values such as "LinkedIn" as firstname and "Member" in the lastname. If you want to include such private profiles, please use the CLI flag --include-private-profiles. Although some accounts may be private, we can obtain the position (title) as well as the location of such accounts. Only firstname, lastname and profile URL are hidden for private LinkedIn accounts.
Finally, LinkedIn users are free to name their profile. An account name can therefore consist of various things such as saluations, abbreviations, emojis, middle names etc. I tried my best to remove some nonsense. However, this is not a complete solution to the general problem. Note that we are not using the official LinkedIn API. This script gathers information from the "unofficial" Voyager API.
