“Largest Botnet Ever” Disrupted. 911 S5’s Alleged Mastermind Arrested
A vast network of millions of compromised computers, being used to facilitate a wide range of cybercrime, has been disrupted by a multinational law enforcement operation.
The 911 S5 botnet, described as “likely the world’s largest botnet ever” by FBI Director Christopher Wray, has had its infrastructure and assets seized and its alleged mastermind arrested and charged.
35-year-old YunHe Wang, a dual citizen of China and St. Kitts and Nevis, is alleged with co-conspirators to have operated the 911 S5 botnet and created and distributed malware to compromise and hijack millions of Windows computers worldwide.
Methods used to recruit PCs into the botnet included the distribution of free, illegitimate VPN software such as MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. Once users downloaded these VPN applications, they unknowingly connected to the 911 S5 infrastructure, and became part of the botnet.
In addition, the 911 S5 botnet grew through bundling its code with other software (using the disguise of fake security updates for apps like Adobe Flash Player) and via peer-to-peer file-sharing networks by posing as “cracked” or pirated software applications.
In all, devices associated with more than 19 million unique IP addresses (including 613,841 IP addresses located in the United States) appear to have been recruited into the botnet.
Law enforcement claims that Wang generated millions of dollars by offering cybercriminals access to the hijacked IP addresses for a fee, anonymising their online activities. The “911 S5” botnet was used from 2014 onwards to commit a wide range of crimes, including cyber attacks, pandemic-related fraud, child exploitation, harassment, and the transmission of bomb threats.
For instance, the US Department of Justice alleges that around 560,000 fraudulent insurance claims were made from IP addresses compromised by the botnet, resulting in a loss exceeding US $5.9 billion.
According to the US Department of Commerce’s Bureau of Industry and Security (BIS), the criminal scheme netted its operators nearly US $100 million in profit, which was used to buy luxury watches, real estate, and luxury cars, including a Ferrari F8 Spider, two BMWs, and a Rolls Royce.
Law enforcement agencies from the United States, Singapore, Thailand, and Germany collaborated in the operation against the botnet, searching properties, seizing assets worth approximately US $30 million, and dismantling the botnet’s infrastructure.
The US Department of Treasury has announced the imposition of sanctions against Wang and two others alleged to have been involved in laundering the proceeds of the criminal scheme.
Wang is charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, Wang faces a sentence of up to 65 years in prison.
The 911 S5 botnet began operating in May 2014 and was taken offline by its administrator in July 2022, before rebranding as Cloudrouter in October 2023.
Visitors to the CloudRouter webpage today will see a law enforcement seizure notice.
The FBI has created a webpage that helps users identify and remove applications that may have attempted to recruit them into the 911 S5 botnet.
If you are a company that allows your staff to use their own devices, it’s worth bearing in mind that they may also have made inadvertent connections to the 911 S5 botnet. As such, it would be a good idea to check such devices for possible infection.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.
