A $6 billion “botnet” operation used for cyber attacks, fraud, child exploitation, harassment, and bomb threats has been broken up by U.S. officials.
As a result of the operation, police arrested YunHe Wang, 35, a Chinese national and St. Kitts and Nevis citizen-by-investment, on charges related to deploying malware and operating a residential proxy service known as “911 S5.”
According to an indictment unsealed on May 24, Wang and his associates created and disseminated malware from 2014 until July 2022.
This compromised millions of residential Windows computers worldwide.
These devices, tied to over 19 million unique IP addresses, included 613,841 in the United States.
Wang is accused of generating millions by providing cybercriminals access to infected IP addresses.
Attorney General Merrick B. Garland said: “This Justice Department-led operation brought together law enforcement partners globally to disrupt the 911 S5 botnet, which facilitated cyber-attacks, fraud, child exploitation, harassment, bomb threats, and export violations.
“As a result, YunHe Wang was arrested for creating and operating the botnet and deploying malware.
“This case demonstrates that the long arm of the law extends across borders into the darkest parts of the web, and the Justice Department will never stop fighting to hold cybercriminals accountable.”
FBI Director Christopher Wray added: “Working with our international partners, the FBI dismantled the 911 S5 Botnet, likely the world’s largest, arrested its administrator YunHe Wang, seized infrastructure and assets, and imposed sanctions on Wang and his co-conspirators.
“The botnet infected computers in nearly 200 countries, facilitating numerous computer-enabled crimes including financial fraud, identity theft, and child exploitation.
“This operation shows the FBI’s commitment to working with partners to protect American businesses and citizens and to pursue cybercriminals relentlessly.”
Court documents allege that Wang propagated malware through VPN programs such as MaskVPN and DewVPN, and through pay-per-install services that bundled his malware with other program files.
He managed around 150 dedicated servers worldwide, including 76 leased from U.S. service providers, using them to control infected devices and operate his 911 S5 service.
Principal Deputy Assistant Attorney General Nicole M. Argentieri said: “Wang created malware that compromised millions of residential computers worldwide and sold access to these computers to cybercriminals.
“These criminals used the hijacked computers to conceal their identities and commit various crimes.
“Today’s announcement sends a clear message that we will disrupt technologically sophisticated criminal tools and hold wrongdoers accountable.”
The DOJ claims Wang’s residential proxy service allowed cybercriminals to use proxied IP addresses to conceal their true locations and commit a wide array of offenses, including financial crimes, stalking, bomb threats, illegal exportation of goods, and child exploitation.
The botnet enabled cybercriminals to bypass fraud detection systems, stealing billions from financial institutions and federal programs.
For example, the U.S. estimates that 560,000 fraudulent unemployment insurance claims, originating from compromised IP addresses, resulted in a confirmed loss exceeding $5.9 billion.
Over 47,000 fraudulent Economic Injury Disaster Loan applications also originated from these IP addresses, with millions more identified by financial institutions as losses.
The 911 S5 client interface software, hosted on U.S. servers, allowed cybercriminals to purchase goods with stolen credit cards and illegally export them, potentially violating U.S. export laws.
From 2018 until July 2022, Wang allegedly received approximately $99 million from selling hijacked proxied IP addresses through 911.
It is alleged he used the proceeds to purchase properties and luxury items across multiple countries.
Assets subject to forfeiture include luxury cars, numerous bank accounts, cryptocurrency wallets, and residential properties.
Law enforcement began focusing on 911 S5 during an investigation into a money laundering and smuggling scheme, where criminals used hijacked IP addresses from 911 S5 to place fraudulent orders on the Army and Air Force Exchange Service platform.
Assistant Secretary for Export Enforcement Matthew S. Axelrod said: “The alleged conduct reads like a screenplay: a scheme to sell access to millions of malware-infected computers, enabling criminals to steal billions and exchange child exploitation materials, then using nearly $100 million in profits to buy luxury items.
“However, the real story is the hard work by law enforcement and industry partners to take down such a scheme and make an arrest.”
Wang faces charges of:
- Conspiracy to commit computer fraud
- Substantive computer fraud
- Conspiracy to commit wire fraud
- Conspiracy to commit money laundering
If he is found guilty, he faces a potential maximum penalty of 65 years in prison.