Silent Push coined “infrastructure laundering” to describe cybercriminals exploiting cloud services for illegal activities. They rent IPs from AWS and Azure, then link them to criminal sites via CDNs like FUNNULL.
Despite attempts by providers to block fraudulent accounts, criminals quickly acquire new ones. FUNNULL, a CDN tied to organized crime, has rented over 1,200 IPs from AWS and nearly 200 from Microsoft.
Though most of these IPs are taken down, new ones are often acquired through stolen or fake accounts. Silent Push found that FUNNULL hosts over 200,000 domains, many linked to phishing, scams, and money laundering.
Unlike traditional bulletproof hosting, which hides illicit activities in lax jurisdictions, infrastructure laundering uses legitimate cloud platforms to mask crimes. By embedding operations in trusted environments, criminals gain legitimacy, making detection harder.
This method ensures global access to their sites while complicating blocking efforts. Silent Push found that FUNNULL uses CNAME mapping chains to link client domains to multiple IPs across regions, creating a decentralized system that’s hard to track.
The criminals’ ability to quickly acquire new IPs shows gaps in cloud providers’ monitoring and enforcement.
Implications for Cloud Security and Regulation
The findings raise concerns about cloud providers’ role in combating cybercrime. Silent Push questions why major providers lack real-time detection systems to block such activities at scale.
The report calls for greater scrutiny of third-party facilitators and stronger international collaboration to address cybercrime linked to organized crime.
Amazon responded by denying involvement and highlighting efforts to suspend fraudulent accounts tied to FUNNULL. While acknowledging damages, Amazon is committed to improving detection. However, Silent Push argues for more proactive measures to prevent criminal abuse of hosting services.
Leave A Comment