A recent investigation by cybersecurity firm Silent Push has revealed how a China-linked Content Delivery Network (CDN), known as FUNNULL, is exploiting major cloud providers like Amazon Web Services (AWS) and Microsoft Azure to host malicious websites.
The technique, termed “infrastructure laundering,” allows cybercriminals to mask their activities by renting IP addresses from legitimate cloud services and mapping them to fraudulent domains.
This method enables phishing campaigns, investment scams, and money laundering operations, posing significant challenges for cloud providers and cybersecurity efforts.
FUNNULL has reportedly rented over 1,200 IP addresses from AWS and nearly 200 from Azure, using stolen or fraudulent accounts to bypass detection.
Once acquired, these IPs are linked to malicious domains via DNS CNAME records, allowing the network to host over 200,000 unique hostnames, 95% of which are generated through Domain Generation Algorithms (DGAs).
These domains support scams targeting major brands like Bwin, Chanel, and eBay, as well as fake trading platforms and gambling websites.
The infrastructure laundering process relies on intermediaries that obscure the origins of criminal activities.
Unlike traditional “bulletproof hosting,” which resists takedown efforts entirely, infrastructure laundering leverages the credibility of mainstream cloud providers.
This makes it difficult for defenders to block malicious traffic without disrupting legitimate services hosted on the same platforms.
Despite efforts by AWS and Azure to suspend fraudulent accounts linked to FUNNULL’s activities, the CDN continues to acquire new IPs at a rapid pace.
Silent Push’s research indicates that FUNNULL has been renting Microsoft IP space since at least 2021.
The persistent cycling of IP addresses highlights vulnerabilities in account verification processes and DNS monitoring systems used by cloud providers.
AWS has acknowledged the issue and emphasized its ongoing efforts to detect and suspend fraudulently acquired accounts.
However, Silent Push has raised concerns about the effectiveness of current measures, questioning why cloud providers are unable to identify such schemes in real time.
The firm suggests that better tracking of CNAME chains could help prevent illicit IP rentals more effectively.
FUNNULL’s operations have facilitated extensive cybercriminal activities linked to transnational organized crime groups such as Chinese Triads.
For example, dozens of fake Bwin gambling websites were discovered hosted on Microsoft infrastructure.
Additionally, FUNNULL was involved in a supply chain attack in 2024 that compromised the popular JavaScript library polyfill.io, impacting over 110,000 websites globally.
The network’s ability to blend malicious activities with legitimate web traffic complicates mitigation efforts.
Silent Push’s findings underscore the need for coordinated action among cloud providers, cybersecurity firms, and law enforcement agencies to address this growing threat.
As cybercriminals continue exploiting gaps in cloud infrastructure management, organizations must adopt robust security measures such as real-time monitoring tools, stricter account verification processes, and enhanced DNS tracking systems.
Collaborative efforts between stakeholders will be critical in combating this sophisticated form of cybercrime.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…