By Ashwani Mishra, Editor-Technology, 63SATS
In the cybercrime underworld, staying hidden is the key to survival.
Just like money laundering helps criminals clean dirty money, a new tactic—infrastructure laundering—is enabling cybercriminals to disguise their operations within legitimate cloud services.
This evolving method is more than just a sophisticated form of bulletproof hosting; it’s a high-stakes game between cybercriminals and defenders, with cloud giants like AWS and Azure unwittingly playing host.
The Perfect Heist
Imagine a heist movie where the criminals don’t break into a bank. Instead, they set up an office inside the bank itself, renting space under a fake business name. Security guards walk past them every day, unaware that the so-called ‘legitimate’ business is funnelling stolen funds right under their noses.
This is exactly how infrastructure laundering works in the digital world. Cybercriminals aren’t hiding in the shadows anymore; they’re operating inside the biggest cloud platforms, blending in with real businesses to avoid detection.
Silent Push’s recent report, “Cloudy Behaviour Around FUNNULL CDN Renting IPs from Big Tech”, exposes exactly this pattern.
What is Infrastructure Laundering?
According to Silent Push, infrastructure laundering is an advanced cybercrime technique that leverages legitimate hosting services to disguise illicit operations. Unlike traditional bulletproof hosting (BPH), where rogue service providers openly cater to cybercriminals, infrastructure laundering exploits the credibility of mainstream cloud providers.
The goal? To keep criminal operations running longer by evading detection and takedown efforts.
In this model, criminals rapidly acquire fresh cloud hosting accounts, often through stolen credentials or intermediary accounts, and strategically distribute their infrastructure across trusted platforms. Because the underlying infrastructure belongs to well-known cloud providers, security teams hesitate to block traffic, fearing disruption to legitimate businesses.
How It Works: A Layered Deception
Infrastructure laundering is a multi-step process designed to maximize anonymity and resilience:
Account Acquisition: Criminals use stolen identities or ‘IP mules’ to create hosting accounts on AWS, Azure, and other cloud platforms.
CNAME Masking: Instead of using a direct IP address, criminals map their operations through intermediary domains (e.g., FUNNULL CDN), making it difficult to trace the true origin.
Rapid Redeployment: When one instance is taken down, attackers quickly spin up new accounts, always staying ahead of takedown efforts.
Global Distribution: Hosting infrastructure is spread across different regions, ensuring fast and uninterrupted access for victims.
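The CNAME masking step above is the one a defender can actually inspect: if you only look at the final IP, everything appears to belong to a reputable cloud provider, but the chain of CNAMEs in between is where the intermediary shows up. The following script is an added example, not code from the Silent Push report or from this article. It walks CNAME chains over a constructed, offline DNS snapshot (hypothetical names under `.example` and RFC 5737 documentation prefixes, none of them real allocations), attributes the terminal address to a provider range, and flags any chain that passes through a watchlisted intermediary CDN zone. The watchlist and provider ranges are placeholders you would replace with your own threat-intel feeds.

```python
"""Walk CNAME chains and attribute the terminal IP to a hosting provider.

Added example; all DNS records, provider ranges and watchlist entries below
are constructed for illustration and are not real infrastructure.
"""
from ipaddress import ip_address, ip_network

# Constructed DNS snapshot: name -> (record type, value). Not real data.
DNS_SNAPSHOT = {
    "trade-app.example": ("CNAME", "edge.intermediary-cdn.example"),
    "edge.intermediary-cdn.example": ("CNAME", "lb.cloud-provider.example"),
    "lb.cloud-provider.example": ("A", "203.0.113.25"),
    "shop.example": ("A", "198.51.100.7"),
    "loop-a.example": ("CNAME", "loop-b.example"),
    "loop-b.example": ("CNAME", "loop-a.example"),
    "dangling.example": ("CNAME", "gone.example"),
}

# Constructed provider ranges using RFC 5737 documentation prefixes.
# In practice this would come from published cloud IP range feeds.
PROVIDER_RANGES = {
    "cloud-provider-A": [ip_network("203.0.113.0/24")],
    "hoster-B": [ip_network("198.51.100.0/24")],
}

# Hypothetical watchlist of intermediary CDN zones (placeholder names).
WATCHLISTED_CDNS = {"intermediary-cdn.example"}

MAX_HOPS = 8  # bound the walk so CNAME loops and very long chains terminate


def walk_cname_chain(name, snapshot=DNS_SNAPSHOT, max_hops=MAX_HOPS):
    """Return (chain, final_ip, status).

    status is one of 'resolved', 'loop', 'dangling' or 'too_long'.
    """
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        record = snapshot.get(current)
        if record is None:
            return chain, None, "dangling"      # CNAME points at nothing
        rtype, value = record
        if rtype == "A":
            return chain, value, "resolved"     # reached a terminal address
        if value in seen:
            return chain + [value], None, "loop"
        chain.append(value)
        seen.add(value)
        current = value
    return chain, None, "too_long"


def provider_for_ip(ip, ranges=PROVIDER_RANGES):
    """Map an address to the first provider whose ranges contain it."""
    addr = ip_address(ip)
    for provider, nets in ranges.items():
        if any(addr in net for net in nets):
            return provider
    return "unknown"


def is_under(name, zone):
    """True if name is the zone itself or a subdomain of it."""
    return name == zone or name.endswith("." + zone)


def assess(name, snapshot=DNS_SNAPSHOT, watchlist=WATCHLISTED_CDNS):
    """Summarise a domain's CNAME chain and flag watchlisted intermediaries."""
    chain, ip, status = walk_cname_chain(name, snapshot)
    provider = provider_for_ip(ip) if ip else None
    intermediaries = [
        hop for hop in chain[1:] if any(is_under(hop, zone) for zone in watchlist)
    ]
    return {
        "domain": name,
        "chain": chain,
        "status": status,
        "final_ip": ip,
        "provider": provider,
        "watchlisted_intermediaries": intermediaries,
        "flag": bool(intermediaries),
    }


if __name__ == "__main__":
    for domain in DNS_SNAPSHOT:
        result = assess(domain)
        print(f"{result['domain']:<32} {result['status']:<9} "
              f"{' -> '.join(result['chain'])}  provider={result['provider']} "
              f"flag={result['flag']}")
```

The point of the output is that `trade-app.example` terminates at `cloud-provider-A`, which is exactly why an IP-reputation block would be hesitated over, while the chain itself reveals the intermediary. Loops and dangling CNAMEs are handled explicitly because both show up in real passive-DNS data once accounts are churned and abandoned. To run this against live DNS you would replace `DNS_SNAPSHOT` with a resolver or passive-DNS lookup, keeping the same bounded walk.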
The Evolution of Bulletproof Hosting
While bulletproof hosting has long provided cybercriminals with a safe haven, its limitations have become evident. Authorities can blacklist BPH providers entirely, cutting off criminal activity at the source.
Infrastructure laundering, however, operates within legitimate cloud providers, making it significantly harder to disrupt without collateral damage.
Key Differences:

| Bulletproof Hosting | Infrastructure Laundering |
| --- | --- |
| Operates in jurisdictions with weak law enforcement cooperation, making takedown efforts difficult. | Operates within major cloud platforms, making it challenging to block without disrupting legitimate users. |
| Relies on criminal-friendly hosting services that ignore abuse reports. | Uses short-lived accounts that cloud providers struggle to track in real-time. |
Why Infrastructure Laundering Works
The primary advantage of infrastructure laundering is its ability to exploit blind spots in cloud security policies. Unlike traditional cybercrime models where a single entity rents IPs and domains, infrastructure laundering uses layered transactions to obscure its financial and operational trail.
Cloud providers often lack visibility into the true beneficiaries of these accounts, making it nearly impossible to proactively stop misuse.
Real-World Example: The FUNNULL CDN Network
Silent Push Threat Analysts uncovered FUNNULL CDN, a content delivery network (CDN) that launders infrastructure for cybercriminals. This network:
- Hosts over 200,000 unique domains, many of which are linked to investment scams and fake trading applications.
- Uses Domain Generation Algorithms (DGAs) to rapidly produce new domains and evade detection.
- Exploits CNAME mapping to appear as legitimate websites hosted by trusted cloud providers.
- Is responsible for massive-scale fraud, including money laundering through shell gambling websites that mimic real casino brands.
The Regulatory Blind Spot
Governments and cybersecurity firms are beginning to recognize the risks posed by infrastructure laundering. However, regulatory frameworks struggle to keep up with the pace of cybercriminal innovation. Some key concerns include:
Cloud Providers as Unwitting Accomplices: Despite strict compliance policies, major cloud services are being weaponized for cybercrime.
Global Jurisdiction Challenges: Criminal groups intentionally distribute their infrastructure across regions that rarely collaborate on cybersecurity enforcement.
The Arms Race Between Attackers and Defenders: By the time security teams detect and block an operation, attackers have already redeployed elsewhere.
Infrastructure laundering is a game-changing evolution in cybercrime, one that challenges traditional security measures. Just as law enforcement adapted to combat financial laundering, cybersecurity experts must now develop new tools and frameworks to dismantle digital laundering networks. The fight against cybercrime isn’t just about blocking bad actors; it’s about outpacing them in an ever-changing battlefield.
With cloud providers, security experts, and regulators working together, we can prevent cybercriminals from turning the digital world’s most trusted institutions into unwitting accomplices.
The heist may be elaborate, but it’s not unstoppable—as long as we know where to look.