Massive Botnet Dismantled and Administrator Arrested in 911 S5 Case, FBI Reports

The FBI dismantled the 911 S5 botnet, which infected over 19 million IP addresses. Its administrator, YunHe Wang, faces up to 65 years in prison and is alleged to have earned $99 million from malware and proxy services. Authorities seized 23 domains and 70 servers.

The FBI, in collaboration with international partners, has dismantled a major botnet that infected over 19 million IP addresses across 200 countries and concealed a wide range of cybercrimes for years.

The alleged mastermind of the 911 S5 botnet, YunHe Wang, a Chinese national, was arrested on 24 May and could face up to 65 years in prison, according to the DOJ.

Authorities also flagged Wang, several associates and three Thai companies for their roles in the botnet.

Wang is accused of using his own malware, starting in 2014, to compromise more than 600,000 Windows systems around the world, including 600,000 different IP addresses in the United States alone.

Prosecutors claim subscribers paid him around $99 million for use of the residential proxy service, which let end users ‘browse the internet using the IP address of a computer owned by an innocent person’ in order to hide their own activity.

Wang is charged with counts of computer fraud, wire fraud, and money laundering.

“This Justice Department-led operation was comprised of law enforcement partners around the globe that disabled 911 S5, a botnet that aided cyber-attacks, wholesale fraud, child exploitation, harassment, bomb threats and exports violations,” Attorney General Merrick B. Garland said.

Prosecutors later reported that the service had been used to defraud the government of $5.9 billion in relief funds from federal pandemic programmes.

According to court documents, Wang allegedly spread his malware through VPN programmes (such as MaskVPN and DewVPN, which he also ran and distributed via torrents) and through pay-per-install services, which bundled his malware into other program files, including pirated versions of licensed software and other copyrighted material.

Wang hosted and leveraged approximately 150 dedicated servers worldwide, including up to 76 leased from online service providers in the United States, to deploy and manage the applications, command and control the infected devices, operate his 911 S5 service and offer paying customers the use of proxied IP addresses from the infected devices.

Investigators also targeted the present incarnation of the residential proxy service, the original version of which had shut down in August 2022, seizing 23 domains and more than 70 servers.

These servers acted as the ‘backbone’ of both the former service and the current one, the DOJ said.

‘The seizure of numerous domains associated with the historic 911 S5, in addition to several new domains and services associated with a recreation of the service, has stopped Wang’s attempts to further abuse his victims through a reconstituted service called Clourouter.io and closed the open backdoors he exploited when he was shut down earlier,’ the DOJ said. 

Investigators say Wang used proceeds from the service to buy properties in the US, China, Singapore, Thailand, the United Arab Emirates and St Kitts and Nevis, where he is a citizen.

Among the luxury cars scheduled to be seized are a Ferrari F8, several BMWs and a Rolls-Royce. His 21 properties are also subject to forfeiture.

The investigation into 911 S5 grew out of an inquiry into more than 2,000 orders placed with stolen credit cards by fraudsters operating on ShopMyExchange, an e-commerce site affiliated with the Army and Air Force Exchange Service.

The Ghanaian and US-based fraudsters apparently obtained their IP addresses from 911 S5.

Image caption: FBI Director Christopher Wray testifies on Jan. 31, 2024, before the House Select Committee on China. Image: YouTube

The FBI and DOJ have taken down several botnets this year linked to nation-state hacking operations.

In January, they announced the dismantling of a botnet of infected home routers used by the China-linked APT group Volt Typhoon, and in February the dismantling of a similar router botnet, this one used by Russia’s GRU-linked APT28 group.
