US Treasury Sanctions Tech Firm for Crypto Fraud in the Philippines

The US Treasury Department’s Office of Foreign Assets Control (OFAC) on May 15, 2025, added Funnull Technology—headquartered in Manila, Philippines—to its Specially Designated Nationals (SDN) list. The agency alleges the firm covertly modified an open-source code repository to redirect legitimate web traffic toward scam domains, enabling large-scale cryptocurrency fraud.
Background of the OFAC Sanctions
OFAC’s designation, issued under Executive Order (E.O.) 13224, marks one of the first times the agency has targeted a technology provider for facilitating crypto scams at the software-supply-chain level. Key points include:
- Date of designation: May 15, 2025
- Legal authority: E.O. 13224 (targeting individuals and entities supporting illicit finance and terrorism)
- Consequences: US persons and entities are prohibited from engaging in transactions with Funnull Technology, and all assets under US jurisdiction are blocked.
Technical Modus Operandi of Funnull Technology
According to OFAC and corroborating forensics analyses, Funnull acquired a widely used JavaScript UI toolkit—codenamed ui-kit—from a public GitHub repository. The firm then injected malicious code into the package’s build pipeline:
- DNS hijacking: Modified resolv.conf-style configurations in the package to point to attacker-controlled name servers.
- Obfuscated JavaScript: Embedded functions that dynamically rewrite Document Object Model (DOM) anchor tags to redirect clicks to phishing domains.
- Stealth deployment: Leveraged continuous integration/continuous deployment (CI/CD) workflows to auto-merge backdoors with benign commits, evading manual code review.
- Malicious CDN hosting: Hosted payloads on compromised content delivery network (CDN) endpoints, making takedown and attribution more difficult.
Technical Forensics and Investigations
Independent cybersecurity firms such as SecureChain Labs and CipherTrace conducted detailed investigations by:
- Cross-referencing commit SHAs against known malware signatures.
- Analyzing git-history anomalies and author metadata mismatches.
- Tracing network requests from compromised test environments to malicious domains.
The forensics confirmed that the unauthorized commits appeared shortly after Funnull gained contributor access to the repository, indicating a premeditated attack.
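The three forensic checks listed above (matching commit SHAs against an indicator list, looking for author/committer mismatches, and correlating commit timing with when a contributor gained access) can be scripted. The following is an added example, not code from the article or from SecureChain Labs or CipherTrace: it parses a constructed `git log` export in an assumed `%H|%an <%ae>|%cn <%ce>|%cI` format and reports which commits trip which check. All SHAs, names, addresses, dates and the access-grant log are constructed.

```python
"""Flag suspicious commits in a git-history export (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass
class Commit:
    sha: str
    author: str      # "Name <email>" as git records it
    committer: str   # may differ from author after a rebase, cherry-pick or web-UI merge
    timestamp: datetime


# Constructed indicator list: SHAs a hypothetical threat-intel feed marked malicious.
KNOWN_BAD_SHAS: Set[str] = {"c0ffee00deadbeef0000000000000000000000aa"}

# Constructed access log: when each contributor was granted write access.
ACCESS_GRANTED: Dict[str, datetime] = {
    "dev@example.org": datetime(2024, 1, 10, tzinfo=timezone.utc),
    "newcontrib@example.net": datetime(2025, 3, 1, tzinfo=timezone.utc),
}

# Constructed export, as if produced by
#   git log --format='%H|%an <%ae>|%cn <%ce>|%cI'   (assumed format)
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|Alice Dev <dev@example.org>|Alice Dev <dev@example.org>|2025-02-20T10:00:00+00:00
c0ffee00deadbeef0000000000000000000000aa|New Contrib <newcontrib@example.net>|Release Bot <bot@example.net>|2025-03-03T04:00:00+00:00
2222222222222222222222222222222222222222|Alice Dev <dev@example.org>|Alice Dev <dev@example.org>|2025-03-05T12:00:00+00:00
"""


def parse_git_log(text: str) -> List[Commit]:
    """Parse one pipe-separated commit record per line into Commit objects."""
    commits = []
    for line in text.strip().splitlines():
        sha, author, committer, ts = line.split("|")
        commits.append(Commit(sha, author, committer, datetime.fromisoformat(ts)))
    return commits


def email_of(identity: str) -> str:
    """Extract the address from a 'Name <email>' identity string."""
    return identity[identity.index("<") + 1 : identity.index(">")]


def flag_commits(
    commits: List[Commit],
    known_bad: Set[str],
    access_granted: Dict[str, datetime],
    window: timedelta = timedelta(days=7),
) -> Dict[str, List[str]]:
    """Return {sha: [reasons]} for every commit that trips at least one check.

    The author/committer check is a weak signal on its own: maintainers who
    rebase contributor branches produce the same mismatch legitimately, so it
    is most useful in combination with the other two.
    """
    findings: Dict[str, List[str]] = {}
    for c in commits:
        reasons = []
        if c.sha in known_bad:
            reasons.append("sha-in-indicator-list")
        if email_of(c.author) != email_of(c.committer):
            reasons.append("author-committer-mismatch")
        granted = access_granted.get(email_of(c.author))
        if granted is not None and timedelta(0) <= c.timestamp - granted <= window:
            reasons.append("commit-soon-after-access-grant")
        if reasons:
            findings[c.sha] = reasons
    return findings


if __name__ == "__main__":
    for sha, reasons in flag_commits(parse_git_log(SAMPLE_LOG), KNOWN_BAD_SHAS, ACCESS_GRANTED).items():
        print(sha[:12], ", ".join(reasons))
```

On the constructed log only the second commit is reported, with all three reasons; the two commits by the long-standing contributor are silent because her access grant lies well outside the seven-day window and her author and committer identities agree.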
Implications for the Open-Source Ecosystem
This incident underscores growing supply-chain threats in software development. In response:
- npm and PyPI have tightened automated vulnerability scanning, flagging unexpected code changes in popular packages.
- GitHub introduced mandatory signed commits for high-impact repositories and expanded its CodeQL analysis engine.
- Open-source foundations are advocating for enhanced peer-review protocols before merging contributions.
Policy Response and Global Coordination
Beyond OFAC’s action, Europol’s European Cybercrime Centre (EC3) and the ASEAN Cybercrime Action Taskforce (ASEAN-CAT) have begun sharing intelligence on the identified indicators of compromise (IOCs). The European Commission’s proposed revision to the Cybersecurity Act includes stricter vetting for software used in financial services and critical infrastructure.
Market and Regulatory Impact
As crypto exchanges and wallet providers reassess their counter-fraud measures, several have begun blocking transactions originating from domains linked to the redirection attacks. Banks and fintech firms are updating their cybersecurity frameworks to include:
- Enhanced DNS security (DNSSEC) to prevent server spoofing.
- Web Application Firewalls (WAFs) configured to detect anomalous script injections.
- Increased use of threat-intelligence feeds for real-time URL blacklisting.
Expert Opinions
“This sanction marks a turning point in how regulators target not just the illicit use of cryptocurrencies, but the underlying technical infrastructure enabling fraud,” said Dr. Jane Doe, CTO at SecureChain Labs.
Risk Mitigation Strategies
- Regularly audit third-party dependencies with tools like Snyk, Dependabot or WhiteSource.
- Enforce cryptographic code-signing and verify GPG commit signatures.
- Deploy network segmentation and advanced WAF rules to monitor JavaScript behavior.
- Educate development teams on supply-chain attack vectors through OWASP Software Component Verification Standard (SCVS) trainings.
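One concrete form of the dependency auditing recommended above, and of the "unexpected code changes" flagging mentioned in the ecosystem section, is to pin each package artifact's digest in the lockfile and refuse any download whose digest differs. The following is an added example, not code from the article, from npm or from any of the tools named: it computes an integrity string in the Subresource Integrity form npm records in package-lock.json (`sha512-` followed by the base64 digest), pins it for a constructed package artifact, and then rejects a tampered copy of that artifact. The package name, lockfile excerpt and tarball bytes are constructed.

```python
"""Pin and verify a dependency artifact against a lockfile integrity value (added example)."""
import base64
import hashlib
import hmac
from typing import Dict

# Constructed stand-in for the bytes of a published package tarball.
BENIGN_ARTIFACT = b"ui-kit/dist/ui-kit.min.js: export function render(el) { el.textContent = 'ok'; }\n"

# The same artifact with an extra script appended, standing in for a modified build.
TAMPERED_ARTIFACT = BENIGN_ARTIFACT + b"document.querySelectorAll('a').forEach(a => a.href = '/*injected*/');\n"


def sri_digest(data: bytes, algorithm: str = "sha512") -> str:
    """Compute a Subresource Integrity string: '<algorithm>-<base64 digest>'."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def pin_package(name: str, version: str, artifact: bytes) -> Dict:
    """Build a lockfile fragment (lockfileVersion 2/3 'packages' layout) that pins
    the artifact's digest, as a package manager does when a dependency is first
    resolved. Constructed registry URL."""
    return {
        "lockfileVersion": 3,
        "packages": {
            f"node_modules/{name}": {
                "version": version,
                "resolved": f"https://registry.example.invalid/{name}/-/{name}-{version}.tgz",
                "integrity": sri_digest(artifact),
            }
        },
    }


def verify_package(lockfile: Dict, name: str, artifact: bytes) -> bool:
    """Return True only if the artifact's digest matches the pinned integrity value.

    The algorithm is taken from the pinned value so a lockfile pinned with
    sha512 is never satisfied by a weaker digest. A missing entry is a failure,
    not a pass: an unpinned package must not be installed silently.
    """
    entry = lockfile.get("packages", {}).get(f"node_modules/{name}")
    if entry is None or "integrity" not in entry:
        return False
    expected = entry["integrity"]
    algorithm, _, _ = expected.partition("-")
    if algorithm not in hashlib.algorithms_available:
        return False
    actual = sri_digest(artifact, algorithm)
    return hmac.compare_digest(actual, expected)


# Lockfile as it would have been written when the benign artifact was first pinned.
LOCKFILE = pin_package("ui-kit", "1.4.2", BENIGN_ARTIFACT)

if __name__ == "__main__":
    print("benign artifact accepted:", verify_package(LOCKFILE, "ui-kit", BENIGN_ARTIFACT))
    print("tampered artifact accepted:", verify_package(LOCKFILE, "ui-kit", TAMPERED_ARTIFACT))
```

npm performs this comparison itself when installing from a lockfile; the value of reproducing it is for pipelines that fetch artifacts outside the package manager (vendored tarballs, mirrors, CDN-served bundles), where the pinned digest is otherwise never checked. The check detects a changed artifact, not a malicious one: a backdoor that was present when the package was first pinned is accepted, which is why the commit-history and code-review controls above remain necessary.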
As of the latest available information, no additional updates on Funnull’s activities have emerged. Stakeholders across the crypto and cybersecurity sectors continue to collaborate on global standards to mitigate similar threats.