US sanctions Philippine tech firm over ‘pig butchering’ romance scams

Funnull Technology’s infrastructure supported more than 332,000 domain names linked to cryptocurrency scams, US Treasury Department says

A Philippine tech company has been sanctioned by the United States for allegedly enabling online romance scams known as “pig butchering”, which US authorities say led to more than US$200 million in losses reported by victims linked to the company’s infrastructure.

Funnull Technology Inc, a content delivery network provider based in Metro Manila’s upscale Bonifacio Global City (BGC) district, was sanctioned last week by the US Treasury Department, along with Chinese national Liu Lizhi, described as one of its administrators.

According to the department, Funnull’s infrastructure supported more than 332,000 domain names linked to websites masquerading as legitimate cryptocurrency investment platforms. These platforms were part of a global network of online scams that “systematically targeted and exploited vulnerable individuals”, US officials said.

On average, victims lost more than US$150,000 each, the treasury said.

Tammy Bruce, spokeswoman for the US State Department, said the US “will go after those who misuse virtual currencies and internet services to perpetrate fraud and other crimes”.

She said Liu possessed internal documents showing Funnull’s employee assignments and performance tracking, including tasks such as distributing domain names to cybercriminals for use in fake investment schemes, phishing operations and online gambling.

Bruce did not say whether Liu had been arrested.

The scam, widely known as “pig butchering”, typically involves trafficked workers assuming fake identities to lure victims into online relationships. Once trust is established, the victims are convinced to invest in fraudulent virtual currency platforms promising fabricated returns.

When victims can no longer contribute more funds, the scammer cuts off communication, disappearing with the entire investment.

“The scammers leverage fictitious identities, the guise of potential relationships, and elaborate storylines to deceive victims into believing they are in trusted relationships,” the treasury said.

Funnull had played a key role in enabling these schemes by providing infrastructure and “is linked to the majority of virtual currency investment scam websites reported to the FBI”, it added.

The US Federal Bureau of Investigation issued a Flash report on Thursday urging more victims to come forward. It said it had been investigating Funnull since January.

The FBI’s findings revealed that between October 2023 and April 2025, “multiple patterns of IP address activity were observed from several domains using Funnull infrastructure”, with hundreds of domains moving en masse between IP addresses – a tactic often used to avoid detection.

According to the US Treasury’s Office of Foreign Assets Control, Funnull had purchased IP addresses in bulk from major cloud service providers and resold them to scammers, who used them to host malicious websites.

Funnull first came to the attention of cybersecurity experts after it bought Polyfill.io, a popular repository of free code used by web developers.

Last year, Silent Push and Sansec, which separately monitor cyberthreats, posted a warning that legitimate websites embedded with a Polyfill JavaScript code were maliciously redirecting users to Funnull-hosted scam websites.

Publicly available data showed that Funnull, also known as Fangneng CDN, was issued a certificate of registration by the Philippines’ Securities and Exchange Commission in 2021, during the height of the coronavirus pandemic.

Funnull is currently located on the 14th floor of the Net Cube Centre in BGC – a district known for its gleaming towers and international tenants.

The building is part of a government-accredited “cyberpark” that qualifies for tax incentives, raising concerns about how such a firm could have operated in plain sight.

Such scam operations “often choose high-profile business districts such as BGC to project an image of legitimacy and credibility”, according to Democracy.NET.PH, an advocacy group on information and communications technology rights, governance, development, policy and security.

“After the exodus of Chinese Pogo operations, many commercial landlords have prioritised occupancy and cash flow over rigorous tenant due diligence,” noted Dominic “Doc” Ligot, a member of Democracy.NET.PH and executive director of Data Ethics PH.

He told This Week in Asia that “it’s likely that the business operates from a shared or co-working space, which makes it easier to rent short-term and avoid scrutiny”.

Ligot said online scam operations continued to proliferate because “the country has a weak track record in identifying and prosecuting fraudulent operations.

“Regulatory enforcement is often inconsistent, and oversight mechanisms are either under-resourced or lack coordination.

“This creates an environment where scam operations can register, set up shop, and operate with minimal risk of detection or consequence”.

A senior figure in the Philippine internet industry, speaking on condition of anonymity, echoed those concerns to This Week in Asia, suggesting the issue was less about legislation and more about institutional integrity.

“Some government official[s] likely knew about it and were bribed to issue licences and otherwise look the other way,” the expert said.

The best course of action in such cases would be to demand a thorough investigation into all officials who approved Funnull’s registration and permits – and to pursue prosecution if wrongdoing were found, the expert added.

As of press time, however, neither the Philippine government nor the city of Taguig, which issued Funnull’s operating permit, had responded to the US sanctions.