US dismantles 911 S5 botnet used for cyberattacks, arrests admin

The U.S. Justice Department and international partners dismantled the 911 S5 proxy botnet and arrested 35-year-old Chinese national YunHe Wang, its administrator.

As early as 2011, Wang and his conspirators pushed malware onto victims' devices using several malicious VPN applications that bundled proxy backdoors. The VPN apps that added compromised devices to the 911 S5 residential proxy service include MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.

Between 2014 and July 2022, they built a network of millions of residential Windows computers worldwide, linked to more than 19 million unique IP addresses, including 613,841 IP addresses in the United States.

“Wang [..] managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S. based online service providers,” the Justice Department said.

“Using the dedicated servers, Wang deployed and managed applications, commanded and controlled the infected devices, operated his 911 S5 service, and provided paying customers with access to proxied IP addresses associated with the infected devices.”

Researchers at the University of Sherbrooke revealed in June 2022 that the 911 S5 operators lured potential victims by offering free VPN services to get them to install the proxy malware.

One month later, the botnet was shut down after critical components of the operation were allegedly destroyed in a security breach, but it was resurrected as “CloudRouter” just a few months later.

The Justice Department is now serving seizure warrants on registrars and registry entities to seize the following domains used by the criminal network.

DOMAIN NAME         TLD     REGISTRAR     REGISTRY
911.re              .re     1API GmbH     AFNIC
911.gg              .gg     1API GmbH     Island Networks
911s5.net           .net    GoDaddy       VeriSign
911s5.org           .org    GoDaddy       PIR
911s5.com           .com    GoDaddy       VeriSign
maskvpn.cc          .cc     Dynadot       VeriSign
maskvpn.org         .org    GoDaddy       PIR
dewvpn.com          .com    GoDaddy       VeriSign
dewvpn.net          .net    GoDaddy       VeriSign
dewvpn.org          .org    GoDaddy       PIR
dewvpn.cc           .cc     GoDaddy       VeriSign
proxygate.net       .net    GoDaddy       VeriSign
shinevpn.com        .com    GoDaddy       VeriSign
shinevpn.org        .org    GoDaddy       PIR
paladinvpn.com      .com    Namecheap     VeriSign
paladinvpn.org      .org    Namecheap     PIR
shieldvpn.org       .org    CommuniGal    PIR
cloudrouter.io      .io     Namecheap     Identity Digital Inc
cloudrouter.pro     .pro    Dynadot       Identity Digital Inc
cloudrouting.net    .net    Namecheap     VeriSign
reachfresh.com      .net    GoDaddy       VeriSign
updatepanel.cc      .cc     Namecheap     VeriSign
upgradeportal.org   .org    Namecheap     PIR
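For defenders who want to act on the seizure list, here is an added example (not code from the article, the DOJ, or the FBI) that flags DNS queries for the domains in the table above, including subdomains of them. The resolver log format and the sample log lines are constructed assumptions.

```python
# Added example: flag DNS queries for domains on the 911 S5 seizure list.
import re

# Domains from the seizure table above; the MaskVPN and PaladinVPN entries
# are spelled to match the app names given earlier in the article.
SEIZED_911S5_DOMAINS = frozenset({
    "911.re", "911.gg", "911s5.net", "911s5.org", "911s5.com",
    "maskvpn.cc", "maskvpn.org", "dewvpn.com", "dewvpn.net", "dewvpn.org",
    "dewvpn.cc", "proxygate.net", "shinevpn.com", "shinevpn.org",
    "paladinvpn.com", "paladinvpn.org", "shieldvpn.org", "cloudrouter.io",
    "cloudrouter.pro", "cloudrouting.net", "reachfresh.com",
    "updatepanel.cc", "upgradeportal.org",
})

def matched_seized_domain(qname):
    """Return the seized domain that qname equals or sits under, else None."""
    labels = qname.strip().rstrip(".").lower().split(".")
    # Walk from the full name up through its parent zones, so that
    # api.911s5.net matches 911s5.net; stop before the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SEIZED_911S5_DOMAINS:
            return candidate
    return None

# Assumed resolver log format (constructed): "<timestamp> <client_ip> <qname> <qtype>"
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def find_911s5_lookups(log_lines):
    """Return (client_ip, qname, seized_domain) for every line that hits the list."""
    hits = []
    for line in log_lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort mid-file
        _ts, client, qname, _qtype = m.groups()
        hit = matched_seized_domain(qname)
        if hit:
            hits.append((client, qname.rstrip(".").lower(), hit))
    return hits

# Constructed sample log lines; 10.0.0.17 resolves two seized domains.
SAMPLE_DNS_LOG = [
    "2024-05-29T10:01:02Z 10.0.0.5 www.example.com A",
    "2024-05-29T10:01:07Z 10.0.0.17 api.dewvpn.cc. A",
    "2024-05-29T10:01:09Z 10.0.0.17 cloudrouter.pro A",
    "this line is malformed",
    "2024-05-29T10:01:12Z 10.0.0.9 notdewvpn.cc A",  # similar name, not a subdomain
]
```

A hit on a client is a lead to check that host for the bundled VPN apps named earlier, not proof of infection on its own.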

Wang collected roughly $99 million by selling access to the proxied IP addresses to cybercriminals for a fee. The criminals used the compromised devices' Internet connections for a wide range of crimes, including cyberattacks, bomb threats, child exploitation, large-scale fraud, harassment, and export violations.

911 S5 customers also used the illegitimate residential proxy service to submit tens of thousands of fraudulent applications for programs related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act, 560,000 fraudulent unemployment insurance claims, and over 47,000 Economic Injury Disaster Loan (EIDL) applications, resulting in billions of dollars stolen from financial institutions, credit card issuers, and federal lending programs.

On Tuesday, the U.S. Treasury Department also sanctioned Wang (the administrator), Jingping Liu (the operation's money launderer), and Yanni Zheng (who acted as power of attorney for Yunhe Wang), as well as three entities (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited) that were either owned or controlled by Wang.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators.”

[Image] 911 S5 proxy service costs (BleepingComputer)

According to an indictment unsealed on May 24, dozens of Wang's assets and properties are now subject to forfeiture, “including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains.”

Wang faces a maximum penalty of 65 years in prison if convicted on all counts, including conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.