The U.S. Department of Justice (DOJ) has announced the arrest of YunHe Wang, the alleged operator of 911 S5, a ten-year-old online anonymity service described as “likely the world’s largest botnet ever” by the FBI. This arrest was part of a coordinated international effort that also saw the seizure of the 911 S5 website and its infrastructure. Authorities claim that this botnet enabled billions of dollars in online fraud and cybercrime through compromised computers running various “free VPN” products.
The Arrest and Seizure
On May 24, YunHe Wang, a 35-year-old Chinese national, was arrested in Singapore. The DOJ revealed that 911 S5 allowed cybercriminals to bypass financial fraud detection systems, resulting in billions of dollars in losses from financial institutions, credit card issuers, and federal lending programs. Specifically, the botnet facilitated 560,000 fraudulent unemployment insurance claims, causing a confirmed loss exceeding $5.9 billion.
Authorities also noted that over 47,000 Economic Injury Disaster Loan (EIDL) applications originated from compromised IP addresses linked to 911 S5, contributing to millions of dollars in additional fraud losses.
How 911 S5 Operated
From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, using them as “proxies” for routing Internet traffic through PCs around the globe, particularly in the United States. The botnet mainly built its proxy network by offering “free” virtual private networking (VPN) services, which operated as advertised but also quietly converted users’ computers into traffic relays for paying customers.
The service became notorious in the cybercrime underground for its reliability and low prices. It allowed criminals to route their malicious traffic through computers geographically close to their victims, facilitating financial fraud, identity theft, and other cybercrimes.
The Investigation and Crackdown
KrebsOnSecurity identified Wang as the proprietor of 911 S5 in a detailed investigation published in July 2022. Following this exposure, 911 S5 claimed it had been hacked and shut down, but it reemerged under the name Cloud Router. The U.S. Treasury Department recently sanctioned Wang and his associates, and a subsequent coordinated international law enforcement operation led to Wang’s arrest and the seizure of approximately $30 million in assets.
Assets Seized and Legal Proceedings
The seized assets included luxury cars, such as a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, and a Rolls Royce, as well as numerous domestic and international bank accounts, cryptocurrency wallets, luxury wristwatches, and 21 residential or investment properties. These properties were located in countries including the United States, Thailand, Singapore, the UAE, and St. Kitts and Nevis.
The DOJ also noted the involvement of various international law enforcement agencies, including those from Singapore, Thailand, and Germany, which aided in searching residences tied to Wang and seizing assets.
Wang’s Criminal Enterprise
Wang allegedly propagated his malware through VPN programs like MaskVPN and DewVPN and pay-per-install services bundling his malware with other software, including pirated versions of licensed software. He managed approximately 150 dedicated servers worldwide, which he used to command and control the infected devices and operate the 911 S5 service.
From 2018 to July 2022, Wang reportedly earned approximately $99 million from the sale of hijacked proxied IP addresses, which he used to purchase real estate and luxury items.
Impact on Victims
Cybercriminals used the proxied IP addresses from 911 S5 to commit various offenses, including financial fraud, cyberstalking, transmitting bomb threats, and exchanging child exploitation materials. The DOJ estimates that 911 S5 customers stole billions of dollars from financial institutions, credit card issuers, and federal lending programs, significantly impacting pandemic relief programs and financial stability.
International Cooperation and Future Steps
This operation highlights the importance of international cooperation in tackling large-scale cybercrime. The DOJ, along with its global partners, is committed to disrupting sophisticated criminal tools and holding cybercriminals accountable. The seizure of multiple domains and servers linked to 911 S5 and its new incarnation, Cloud Router, marks a significant step in ending Wang’s criminal enterprise.
For more information on how to identify and remove applications with an 911 S5 backdoor, refer to this FBI advisory.
Conclusion
The arrest of YunHe Wang and the dismantling of the 911 S5 botnet is a significant victory in the fight against cybercrime. The coordinated efforts of law enforcement agencies worldwide demonstrate a firm resolve to protect individuals and financial institutions from the devastating impacts of cybercriminal activities.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact