A recent investigation by cybersecurity firm Silent Push has uncovered a troubling trend in cybercrime: the exploitation of mainstream cloud providers like Amazon Web Services (AWS) and Microsoft Azure by a Chinese Content Delivery Network (CDN) called FUNNULL.
This practice, termed infrastructure laundering, enables cybercriminals to mask their activities by renting IP addresses from legitimate cloud platforms and linking them to malicious websites.
The findings reveal a sophisticated operation that poses significant challenges to cybersecurity and cloud infrastructure.

FUNNULL’s Exploitation of Cloud Platforms

FUNNULL has reportedly rented over 1,200 IP addresses from AWS and nearly 200 from Microsoft using stolen or fraudulent accounts.
These IPs are then mapped to more than 200,000 unique hostnames, 95% of which are generated through Domain Generation Algorithms (DGAs).
The malicious infrastructure supports a range of criminal activities, including phishing campaigns, investment scams, and money laundering schemes hosted on shell websites.
Notable targets include major brands such as Bwin, Chanel, and eBay.
The CDN also employs DNS CNAME records to obscure the origins of its operations, making it difficult for defenders to block malicious traffic without disrupting legitimate services hosted on the same platforms.

This blending of malicious and legitimate web traffic complicates mitigation efforts for cloud providers.
Despite efforts by AWS and Microsoft to suspend fraudulent accounts linked to FUNNULL, the CDN continues to acquire new IPs at a rapid pace.
Silent Push’s research highlights vulnerabilities in account verification processes and DNS monitoring systems that allow such activities to persist.
While AWS has acknowledged the issue and emphasized its ongoing efforts to detect and suspend fraudulent accounts, Silent Push has raised concerns about the effectiveness of current measures.
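
The CNAME indirection and shared-platform problem described above can be made concrete with a defender-side triage over DNS data. This is an added example, not code from Silent Push or the cloud providers. The zone `cdn-placeholder.example`, every hostname, and the address ranges are constructed placeholders, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed passive-DNS rows (name, type, value). Every hostname is a
# placeholder; addresses are from documentation ranges (RFC 5737).
RECORDS = [
    ("x7qk2v9d.example", "CNAME", "a1.cdn-placeholder.example"),
    ("m3zt8wpl.example", "CNAME", "a1.cdn-placeholder.example"),
    ("a1.cdn-placeholder.example", "CNAME", "edge.cloud-host.example"),
    ("edge.cloud-host.example", "A", "192.0.2.10"),
    ("shop.legit-tenant.example", "A", "192.0.2.77"),  # unrelated tenant
    ("blog.other.example", "A", "198.51.100.5"),       # outside the range
]

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def cname_chain(host, records, max_depth=8):
    """Follow CNAMEs from host; stop on a loop or after max_depth hops."""
    cnames = {h.lower(): v.lower() for h, t, v in records if t == "CNAME"}
    chain = [host.lower()]
    while chain[-1] in cnames and len(chain) <= max_depth:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def triage(records, watched_zones, cloud_ranges):
    """Return (flagged, collateral).

    flagged: entry hostnames whose CNAME chain passes through a watched zone,
             mapped to the addresses the chain ends on.
    collateral: other hostnames inside cloud_ranges, i.e. what a range-wide
                IP block would also cut off.
    """
    nets = [ip_network(n) for n in cloud_ranges]
    addrs = {}
    for h, t, v in records:
        if t == "A":
            addrs.setdefault(h.lower(), set()).add(v)
    targets = {v.lower() for _, t, v in records if t == "CNAME"}
    flagged, collateral = {}, set()
    for host in sorted({h.lower() for h, _, _ in records} - targets):
        chain = cname_chain(host, records)
        ips = addrs.get(chain[-1], set())
        if any(in_zone(n, z) for n in chain[1:] for z in watched_zones):
            flagged[host] = sorted(ips)
        elif any(ip_address(i) in net for i in ips for net in nets):
            collateral.add(host)
    return flagged, collateral
```

Matching on the intermediate CNAME zone keeps working when the terminal IP is swapped for a newly rented one, while the `collateral` set shows which unrelated tenants a range-wide IP block would take down.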

Connections to Organized Crime

The investigation also uncovered links between FUNNULL’s operations and transnational organized crime groups, including Chinese Triads.
These groups leverage FUNNULL’s infrastructure for activities such as retail phishing, fake trading platforms, and gambling websites.
For instance, dozens of fake Bwin gambling sites were found hosted on Microsoft infrastructure.
Additionally, FUNNULL was involved in a supply chain attack in 2024 that compromised the popular JavaScript library polyfill.io, impacting over 110,000 websites globally.
The findings underscore the need for coordinated efforts among cloud providers, cybersecurity firms, and law enforcement agencies to address this growing threat.
Silent Push emphasizes that infrastructure laundering exploits gaps in international collaboration on cybersecurity issues.
The firm calls for enhanced monitoring tools, stricter account verification processes, and real-time tracking of DNS activities to combat this evolving cybercrime tactic.
AWS and Microsoft have both reiterated their commitment to combating such abuse but acknowledge the challenges posed by the technical complexities of DNS architecture.
As infrastructure laundering continues to evolve, it highlights the urgent need for proactive security strategies to protect cloud ecosystems from being exploited by cybercriminals.