Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Polyfill attack redirected victims to gambling sites to carry out supply chain attack

A laptop on a lap with 100 dollar bills flying out.

More details have emerged surrounding FUNNULL, the company that bought the Polyfill.io service and used it to launch a major supply chain attack?

New research claims the service is now being used as part of an enormous money-laundering scheme that involves tens of thousands of fake gambling sites for Chinese victims.

Security researchers Silent Push published a new report claiming to have mapped out a network of 40,000 Chinese gambling sites, propped up by FUNNULL, and redirected to using Polyfill. In its attack, FUNNULL impersonated a dozen brands from the gambling industry, and used more than 200,000 unique hostnames, 95% of which were created using Domain Generation Algorithms.

No workaround

Polyfill.io grants modern functionalities on older browsers, allowing web developers to use modern web standards without worrying about compatibility. The service, and accompanying domain, was acquired February 2024 by a little-known company called FUNNULL. Subsequent investigation has shown that the company is of Chinese origin, and most likely completely fake and non-existent.

When FUNNULL acquired Polyfill, its original developers urged the users (approximately 100,000 websites) to stop using it immediately, and go for safe alternatives (both Cloudflare and Fastly propped up legitimate mirrors at the time).

In June 2024, cybersecurity experts from Sansec warned that polyfill was serving malware. "This domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," Sansec said at the time. Google also chimed in, notifying affected advertisers about their landing pages now possibly redirecting visitors away from their intended destination, and towards possibly malicious websites.

Earlier this week, security researchers from Silent Push published a new report, claiming to have mapped out a network of 40,000 Chinese gambling sites, propped up by FUNNULL, and redirected to using polyfill.

In its attack, FUNNULL impersonated a dozen brands from the gambling industry, and used more than 200,000 unique hostnames, 95% of which were created using Domain Generation Algorithms.

The websites were most likely used for money laundering, and other schemes, with Silent Push believing FUNNULL is directly linked to the Lazarus Group, a notorious North Korean state-sponsored threat actor that’s known for targeting cryptocurrency users.

Via TechCrunch

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.