US Targets Cybercriminals Linked to 911 S5 Botnet

United States authorities have dismantled what the FBI described as “likely the world’s largest botnet ever.” The malicious 911 S5 botnet, which infected over 19 million IP addresses worldwide, enabled billions of dollars in pandemic and unemployment fraud and provided access to child exploitation materials.

May 30, 2024

The U.S. Department of Justice estimates that over US$5.9 billion was siphoned off through fraudulent unemployment insurance claims and Economic Injury Disaster Loan (EIDL) applications.

“This Justice Department-led operation brought together law enforcement partners from around the globe to disrupt 911 S5, a botnet that facilitated cyber-attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations,” Attorney General Merrick B. Garland stated Wednesday.

He added that as part of the international operation, dubbed Tunnel Rat, Chinese national YunHe Wang, a 35-year-old St. Kitts and Nevis citizen-by-investment, was arrested on May 24 on criminal charges related to his deployment of malware and the creation and operation of the 911 S5 residential proxy service.

Wang’s malicious botnet, according to the DOJ, “was operational from 2014 until its initial shutdown in July 2022, only to be resurrected later under the name CloudRouter.”

The dismantling of the 911 S5 botnet included the seizure of 23 internet domains and over 70 servers, which were crucial to the botnet’s functioning.

According to the DOJ, Wang and his co-conspirators allegedly spread malware through several malicious Virtual Private Network (VPN) applications, including MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. He then oversaw and operated about 150 dedicated servers worldwide, including roughly 76 leased from U.S.-based online service providers.

After the DOJ-led operation to dismantle the botnet, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Wang, along with his two suspected co-conspirators, Jingping Liu and Yanni Zheng. Additionally, three entities—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited, all owned or controlled by Wang—were also designated.

By routing their traffic through the 911 S5 botnet, cybercriminals masked their digital footprints so that their activity appeared to originate from the infected victim’s computer rather than their own, effectively evading fraud detection systems, according to OFAC.

“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats,” said Under Secretary Brian E. Nelson.

According to OFAC, YunHe Wang was the mastermind behind the 911 S5 service, while Jingping Liu played a crucial role as Wang’s partner in crime, especially in the laundering of criminally acquired proceeds, mostly in virtual currency.

The virtual currency that 911 S5 botnet users paid to YunHe Wang was converted into U.S. dollars through over-the-counter vendors, who then wired and deposited the funds into Jingping Liu’s bank accounts.

Once the criminally obtained proceeds were laundered through Liu’s bank accounts, the money was invested in luxury real estate properties for Wang.

Yanni Zheng was sanctioned for holding power of attorney for Wang and his company, Spicy Code.

OFAC noted Zheng’s involvement in various business transactions, multiple payments, and the acquisition of real estate assets on Wang’s behalf, such as a luxurious beachfront condominium in Thailand.

Authorities have seized around $29 million in cryptocurrency, luxury goods worth $4 million, and approximately $30 million in real estate, with the assets located in various countries, including Singapore, Thailand, and Dubai. Additionally, dozens of assets and properties owned by Wang, including high-end vehicles such as a Ferrari F8, several BMWs, and a Rolls Royce, are now subject to forfeiture, according to the DOJ.

Wang faces a slew of charges, including conspiracy to commit computer fraud, substantive computer fraud, wire fraud, and money laundering. If convicted, he could face a maximum sentence of 65 years in prison. The DOJ said it is actively seeking Wang’s extradition from Singapore.

At the same time, the OFAC sanctions mean that any assets and property of the designated individuals and entities located in the U.S. or held by U.S. persons must be frozen and reported to OFAC, and any transactions passing through the U.S. that involve these individuals and entities must likewise be reported.

OFAC also cautioned that individuals engaging in transactions with the designated individuals and entities could risk being designated themselves.