911 S5 – Likely The World’s Largest Botnet, Dismantled
The FBI, in collaboration with international partners, has successfully dismantled the 911 S5 botnet’s massive network that infected over 19 million IP addresses across 200 countries and facilitated several cybercriminal activities, including cyberattacks, financial frauds, identity theft, and child exploitation.
In addition to the infrastructural takedown of the 911 S5 botnet, Chinese national YunHe Wang, the alleged administrator of the botnet, was also arrested on May 24, U.S. Attorney General Merrick Garland said in a Wednesday press briefing.
“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.
“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators,” Wray added.
Wang and two of his associates, along with three Thailand-based businesses linked to the botnet, were sanctioned by the U.S. Treasury Department on Tuesday. Wang faces up to 65 years in prison on charges that include computer fraud, wire fraud, and money laundering.
911 S5 Botnet Operations
Beginning in 2014, Wang allegedly developed and distributed malware that compromised millions of Windows operating systems worldwide, including over 600,000 IP addresses in the U.S. Wang allegedly spread malware through malicious VPN programs like MaskVPN and DewVPN, as well as through pirated software bundled with malware.
Wang managed and controlled approximately 150 dedicated servers worldwide.
“Using the dedicated servers, Wang was able to deploy and manage applications, command and control the infected devices, operate his 911 S5 service and provide to paying customers access to the proxied IP addresses associated with the infected devices,” Wang’s indictment said.
The residential proxy service that Wang developed and operated allowed subscribers to access the more than 19 million compromised IP addresses, which helped them mask their online activities. This service generated approximately $99 million for Wang.
The 911 S5 botnet facilitated a range of cybercrimes, including cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations, Garland said.
One such example is that of customers using the botnet’s services for fraudulently filing 560,000 unemployment insurance claims that resulted in a confirmed loss of $5.9 billion from federal pandemic relief programs.
In another instance, the 911 S5 botnet customers used the service to file more than 47,000 Economic Injury Disaster Loan applications, which again resulted in the loss of millions of dollars.
Infrastructure and Assets Seized
Authorities seized 23 internet domains and more than 70 servers, which formed the core of the 911 S5 botnet and its successor services. This action effectively shut down the botnet and prevented Wang from reconstituting the service under a new name, Clourouter.io. The U.S. Department of Justice emphasized that this seizure closed existing malicious backdoors used by the botnet.
Wang allegedly used the proceeds from the botnet to purchase properties across the globe, including the U.S., China, Singapore, Thailand, the United Arab Emirates, and St. Kitts and Nevis, where he also holds a citizenship. Authorities have moved to forfeit his assets, which include 21 properties and a collection of luxury cars such as a Ferrari F8, several BMWs, and a Rolls Royce.
Investigation Triggered by Ecommerce Incident
The investigation into the 911 S5 botnet was initiated following a probe into more than 2,000 fraudulent orders placed with stolen credit cards on ShopMyExchange, an e-commerce platform linked to the Army and Air Force Exchange Service. The perpetrators in Ghana and the U.S. were found to be using IP addresses acquired from 911 S5.
“Although approximately 2,525 fraudulent orders valued at $5.5 million were submitted, credit card fraud detection systems and federal investigators were able to thwart the bulk of the attempted purchases, reducing the actual loss to approximately $254,000,“ the Justice Department said.
The latest takedown is part of a broader effort of the Justice Department to combat nation-state hacking and international cybercrime. At the beginning of the year, the Justice Department dismantled botnets linked to the China-affiliated hacking group Volt Typhoon, followed by the disruption of botnet controlled by the Russian APT28 group associated with the Russian military intelligence, the GRU.
Google-owned cybersecurity firm Mandiant also warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns.
Garland highlighted the global collaboration in this operation, underscoring the Justice Department’s commitment to disrupting cybercrime networks that pose a significant threat to individuals and national security.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
