Recent research by Silent Push Threat Analysts, in partnership with Brian Krebs, has brought a sharp focus to the sprawling criminal infrastructure of the so-called Triad Nexus, which is operated through the FUNNULL Content Delivery Network (CDN).
This network, run by its administrator Lizhi Liu (also known as “Steve/Steven” Liu), is accused of facilitating hundreds of cyber-fraud and crypto-investment scam sites, resulting in over $200 million in losses to American victims.
Crucially, however, FUNNULL’s persistence is enabled by the strategic abuse of Western cloud behemoths, such as Amazon Web Services and Microsoft Azure, a practice known as “Infrastructure Laundering.”
At the heart of the Triad Nexus operation is the cunning use of “Infrastructure Laundering.” This tactic involves using stolen identities, fake businesses, or compromised payment methods to rapidly create new cloud accounts on reputable providers, such as AWS and Azure. Once onboard, the threat actor deploys scam websites or malicious infrastructure behind legitimate cloud IP addresses, making detection and blocking exponentially harder for defenders.
Despite the U.S. Treasury and FBI formally sanctioning FUNNULL and Liu in May 2025, enforcement across major cloud providers has been inconsistent.
Google appears to have taken proactive action, removing Liu’s YouTube channel and associated accounts. However, many accounts tied to Liu are still active on platforms provided by Microsoft, Amazon, Meta, and others, as detailed in Silent Push’s deep dive report.
The continued ability of sanctioned actors like Liu to leverage major cloud providers should serve as a wake-up call to the tech industry. Infrastructure Laundering not only fuels large-scale cybercrime but also complicates compliance with government sanctions.
Silent Push’s public report provides detailed indicators, usernames, emails, and domain names that organizations can use to proactively ban or monitor accounts tied to Liu and FUNNULL.
Until cloud providers adopt both automated and manual controls to detect and prevent Infrastructure Laundering, criminal networks like Triad Nexus will continue to weaponize the reputation and scale of Western tech giants against their own customers and national security interests.