One of the biggest digital supply chain attacks of the year was launched by a little-known company that redirected large numbers of internet users to a network of copycat gambling sites, according to security researchers.
Earlier this year, a company called FUNNULL purchased Polyfill.io, a domain hosting an open source JavaScript library that — if embedded in websites — can allow outdated browsers to run features found in newer browsers. Once in control of Polyfill.io, FUNNULL used the domain to essentially carry out a supply chain attack, as cybersecurity firm Sansec reported in June, where FUNNULL took over a legitimate service and abused its access to potentially millions of websites to push malware to their visitors.
At the time of the Polyfill.io takeover, the original Polyfill author warned that he never owned the Polyfill.io domain and suggested websites remove the hosted Polyfill code completely to avoid risks. Also, content delivery network providers Cloudflare and Fastly put out their own mirrors of Polyfill.io to offer a safe trusted alternative for websites that wanted to keep using the Polyfill library.
It’s unclear what the goal of the supply chain attack was exactly, but Willem de Groot, the founder of Sansec, wrote on X at the time that it appeared to be a “laughably bad” attempt at monetization.
Now, security researchers at Silent Push say they mapped out a network of thousands of Chinese gambling sites and linked it to FUNNULL and the Polyfill.io supply chain attack.
According to the researchers’ report, which was shared with TechCrunch in advance, FUNNULL was using its access to Polyfill.io to inject malware and redirect website visitors to that malicious network of casino and online gambling sites.
“It appears likely that this ‘online gambling network’ is a front,” Zach Edwards, a senior threat analyst and one of the researchers who worked on the Silent Push report, told TechCrunch. Edwards added that FUNNULL is “operating what appears to be one of the largest online gambling rings on the internet.”
Silent Push researchers said in their report that they were able to identify around 40,000 mostly Chinese-language websites hosted by FUNNULL, all with similarly looking and likely automatically generated domains made up of a scattering of seemingly random letters and numbers. These sites appeared to impersonate online gambling and casino brands, including Sands, a casino conglomerate that owns Venetian Macau; the Grand Lisboa in Macau; SunCity Group; as well as the online gambling portals Bet365 and Bwin.
Chris Alfred, a spokesperson for Entain, the parent company of Bwin, told TechCrunch that the company “can confirm that this is not a domain we own so it appears the site owner is infringing on our Bwin brand so we will be taking action to resolve this.”
Sands, SunCity Group, Macau Grand Lisboa, and Bet365 did not respond to multiple requests for comment.
Edwards told TechCrunch that he and his colleagues found a FUNNULL developer’s GitHub account, who discussed “money-moving,” an expression that they believe refers to money laundering. The GitHub page also contained links to Telegram channels that include mentions of the gambling brands impersonated in the network of spammy sites, as well as talk about moving money.
“And those sites are all for moving money, or is their primary purpose,” said Edwards.
The suspicious network of sites, according to Edwards and his colleagues, is hosted on FUNNULL’s content delivery network, or CDN, whose website claims to be “Made in USA” but lists several office addresses in Canada, Malaysia, the Philippines, Singapore, Switzerland and the United States, which all appear to be places with no listed addresses in the real world.
On its profile on HUIDU, a hub for the gambling industry, FUNNULL says it has “more than 30 data centers on the continent,” likely referring to mainland China, and that it has a “high-security automated server room in China.”
For an ostensible technology company, FUNNULL makes its representatives difficult to reach. TechCrunch made efforts to contact the company to seek comment and to ask it questions about its role in the apparent supply chain attack, but received no responses to our inquiries.
On its website, FUNNULL lists an email address that does not exist; a phone number that the company claims to be on WhatsApp, but could not be reached; the same number which on WeChat appears to be owned by a woman in Taiwan with no affiliation to FUNNULL; a Skype account that did not respond to our requests for comment; and a Telegram account that only identifies itself as “Sara,” and has the FUNNULL logo as her avatar.
“Sara” on Telegram responded to a request for comment — sent by TechCrunch in both Chinese and English — containing a series of questions for this article saying: “We don’t understand what you said,” and stopped answering. TechCrunch was also able to identify a series of valid FUNNULL-owned email addresses, none of which responded to requests for comment.
A company called ACB Group claimed to own FUNNULL on an archived version of its official website, which is now offline. ACB Group could not be reached by TechCrunch.
With access to millions of websites, FUNNULL could have launched much more dangerous attacks, such as installing ransomware, wiper malware, or spyware, against the visitors of the spammy websites. These kinds of supply chain attacks are increasingly possible because the web is now a complex global network of websites that are often built with third party tools, controlled by third parties that, at times, could turn out to be malicious.
This time, the goal was apparently to monetize a network of spammy sites. Next time, it could be much worse.