The U.S. Justice Department (DoJ) on Wednesday announced that a court-authorized international law enforcement operation dismantled what is likely the world’s largest botnet — “911 S5”.
This botnet was used to commit cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.
As part of this operation, Yunhe Wang, a 35-year-old Chinese national and St. Kitts and Nevis citizen-by-investment, was arrested in Singapore on May 24, 2024, as the alleged primary administrator of the malicious botnet service, on criminal charges for deploying malware and creating and operating a residential proxy service known as “911 S5.”
According to the DoJ, Wang’s malicious 911 S5 botnet operated from May 2014 until it was taken offline in July 2022, only to be rebranded later under the name CloudRouter.
“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.
“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators. The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation. This operation demonstrates the FBI’s commitment to working shoulder-to-shoulder with our partners to protect American businesses and the American people, and we will work tirelessly to unmask and arrest the cybercriminals who profit from this illegal activity.”
The malicious 911 S5 botnet infected more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States.
From 2014 through July 2022, Wang and his accomplices allegedly created and disseminated malware to compromise home computer systems and amass a network of millions of residential Windows computers worldwide.
Wang generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee, which let them anonymize their online activities.
According to court documents, Wang allegedly circulated his malware through Virtual Private Network (VPN) programs, such as MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN, as well as through pirated software bundled with malware.
“Wang [..] managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S. based online service providers. Using the dedicated servers, Wang deployed and managed applications, commanded and controlled the infected devices, operated his 911 S5 service, and provided paying customers with access to proxied IP addresses associated with the infected devices,” the Justice Department added.
According to the indictment, Wang received approximately $99 million from his sales of the hijacked proxied IP addresses through his 911 S5 operation between 2018 and July 2022, either in cryptocurrency or fiat currency.
He allegedly used the illicitly gained proceeds to buy real estate in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates.
Other assets and properties subject to forfeiture include a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, as well as several luxury wristwatches.
The operation against the botnet was a coordinated multiagency effort led by law enforcement in the United States, Singapore, Thailand, and Germany, which involved searching residences, seizing assets valued at approximately $30 million, and identifying additional forfeitable property valued at approximately $30 million.
On May 28, 2024, the Treasury Department’s Office of Foreign Assets Control (OFAC) announced the imposition of sanctions against Wang and his two suspected co-conspirators, Jingping Liu and Yanni Zheng, for their activities associated with 911 S5.
In addition, three entities (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited) were also designated for being owned or controlled by Wang.
Wang is charged with conspiracy to commit computer fraud, substantive computer fraud, wire fraud, and money laundering.
If convicted on all counts, he could face a maximum sentence of 65 years in prison. The DoJ said it is actively pursuing Wang’s extradition from Singapore to the United States.