
International Law Enforcement Operation Dismantles 911 S5 Botnet, Arrests Administrator for $9.5 Million Crypto Fraud!


In a coordinated international operation led by the U.S. DOJ, the notorious 911 S5 botnet was dismantled, resulting in the arrest of its administrator, YunHe Wang, a 35-year-old Chinese national and citizen-by-investment of St. Kitts and Nevis. The botnet, which infected over 19 million IP addresses, was used to facilitate billions of dollars in pandemic and unemployment fraud, cyber-attacks, child exploitation, harassment, bomb threats, and export violations.

Overview of the Operation

On May 24, authorities arrested Wang on charges related to his deployment of malware and the creation and operation of the 911 S5 residential proxy service. According to the indictment, from 2014 through July 2022, Wang and his co-conspirators compromised millions of residential Windows computers worldwide, including 613,841 IP addresses in the U.S. They then profited by offering cybercriminals access to these infected IP addresses for a fee.

The operation, involving law enforcement from the U.S., Singapore, Thailand, and Germany, resulted in the seizure of assets valued at approximately $30 million and the identification of additional forfeitable property worth another $30 million. Authorities also seized 23 domains and over 70 servers, effectively terminating Wang’s efforts to reconstitute the botnet.

Details of the Scheme

Court documents reveal that Wang propagated malware through VPN programs like MaskVPN and DewVPN and pay-per-install services that bundled malware with other program files, including pirated software. Wang managed approximately 150 dedicated servers worldwide, with 76 leased from U.S.-based service providers. Using these servers, Wang controlled the infected devices and provided access to cybercriminals through the 911 S5 service.

The botnet enabled cybercriminals to conceal their identities and commit various crimes, including financial fraud, identity theft, cyberstalking, and transmitting bomb threats. The U.S. estimates that 560,000 fraudulent unemployment insurance claims and 47,000 Economic Injury Disaster Loan (EIDL) applications originated from compromised IP addresses linked to 911 S5, resulting in billions of dollars in losses.

Legal Proceedings and Asset Seizures

Wang is charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, he faces a maximum penalty of 65 years in prison.

On May 28, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued financial sanctions against Wang and his associates, Jingping Liu and Yanni Zheng, further crippling their operations.
