Law enforcement operation dismantled 911 S5 botnet

Pierluigi Paganini May 30, 2024

An international law enforcement operation led by the U.S. DoJ disrupted the 911 S5 botnet and led to the arrest of its administrator.

The U.S. Justice Department led an international law enforcement operation that dismantled the 911 S5 proxy botnet. The law enforcement also arrested its administrator, the 35-year-old Chinese national YunHe Wang, in Singapore. The authorities sanctioned Wang and his co-conspirators. Since 2011, Wang and his co-conspirators had been distributing malware through malicious VPN applications, including MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. The compromised devices were recruited in the 911 S5 residential proxy service.

“According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide.” reads the press release published by DoJ. “These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.”

According to court documents, the gang bundled the malware with other program files, including pirated versions of licensed software or copyrighted materials. Wang operated approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S. based online service providers.

Wang utilized dedicated servers to deploy and manage applications, control infected devices, operate the 911 S5 service, and offer paying customers access to proxied IP addresses associated with these compromised devices.

“As alleged in the indictment, Wang created malware that compromised millions of residential computers around the world and then sold access to the infected computers to cybercriminals,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division. “These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyberstalking. Cybercriminals should take note. Today’s announcement sends a clear message that the Criminal Division and its law enforcement partners are firm in their resolve to disrupt the most technologically sophisticated criminal tools and hold wrongdoers to account.”

The FBI has published information at fbi.gov/911S5 to help identify and remove 911 S5’s VPN applications from your devices or machines.

The FBI shared instructions on how to identify and remove VPN Applications containing the 911 S5 bot.

Cybercriminals used 911 S5 to hide their real IP addresses and locations while committing various crimes, including financial fraud, stalking, bomb threats, illegal exportation of goods, and child exploitation. Since 2014, 911 S5 has allegedly helped cybercriminals bypass financial fraud detection systems, leading to billions of dollars in theft from financial institutions, credit card issuers, and federal lending programs.

During the pandemic, crooks used the botnet to target relief programs, resulting in significant fraud. The U.S. estimates that 560,000 fraudulent unemployment claims, amounting to over $5.9 billion, originated from compromised IP addresses. Additionally, over 47,000 Economic Injury Disaster Loan (EIDL) applications were linked to these IP addresses, causing millions in losses for financial institutions.

The 911 S5 client software, hosted on U.S. servers, allowed cybercriminals outside the U.S. to purchase goods with stolen credit cards and illegally export them, violating U.S. export laws. The software may also contain encryption or features subject to export controls under the Export Administration Regulations (EAR), potentially leading to further legal violations by foreign nationals downloading it without a license.

“The indictment further alleges that from 2018 until July 2022, Wang received approximately $99 million from his sales of the hijacked proxied IP addresses through his 911 S5 operation, either in cryptocurrency or fiat currency.” continues DoJ. “Wang used the illicitly gained proceeds to purchase real property in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates. The indictment identifies dozens of assets and properties subject to forfeiture, including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions against Yunhe Wang, and other two Chinese nationals, Jingping Liu and Yanni Zheng, for their role in criminal activities associated with the 911 S5 botnet. Additionally, OFAC sanctioned three entities—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—due to their ownership or control by Yunhe Wang.

Yunhe Wang faces a maximum penalty of 65 years in prison if convicted on all counts. These charges include conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, 911 S5 botnet)



you might also like

leave a comment