911 S5 Botnet with 19 Million IP Addresses Dismantled


The U.S. Department of Justice (DOJ) announced the dismantling of the 911 S5 botnet, a massive network of compromised computers used for various illegal activities.

The operation, carried out in cooperation with international law enforcement agencies, resulted in the apprehension of YunHe Wang, a 35-year-old Chinese national, who is suspected of being the mastermind behind the botnet.

The 911 S5 botnet, described by FBI Director Christopher Wray as “likely the world’s largest botnet ever,” infected over 19 million Internet Protocol (IP) addresses across nearly 200 countries. The botnet was operational from 2014 until its initial shutdown in July 2022, only to be resurrected later under the name “CloudRouter.”

Wang and his co-conspirators allegedly spread malware through various malicious Virtual Private Network (VPN) applications, including MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.


These applications bundled proxy backdoors, which allowed the botnet to infect millions of residential Windows computers worldwide.

The compromised devices were then used to create a residential proxy service, providing cybercriminals with access to proxied IP addresses for a fee.

The botnet facilitated a wide range of criminal activities, including cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

Notably, the botnet was used to submit tens of thousands of fraudulent applications for programs related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act, resulting in billions of dollars stolen from financial institutions, credit card issuers, and federal lending programs.

The DOJ estimates that over $5.9 billion was stolen through fraudulent unemployment insurance claims and Economic Injury Disaster Loan (EIDL) applications.

The takedown of the 911 S5 botnet involved the seizure of 23 internet domains and more than 70 servers, which were integral to the botnet’s operation.

Authorities also seized approximately $29 million in cryptocurrency, luxury goods valued at $4 million, and about $30 million in real estate. These assets were located in various countries, including Singapore, Thailand, and Dubai.

Additionally, dozens of Wang’s assets and properties, including luxury cars such as a Ferrari F8, several BMWs, and a Rolls-Royce, are now subject to forfeiture.

Wang faces multiple charges, including conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

He could face a maximum penalty of 65 years in prison if convicted on all counts. The DOJ is currently awaiting Wang’s extradition from Singapore.

The operation, named Operation Tunnel Rat, underscores the importance of international collaboration in combating cybercrime.

The FBI, along with law enforcement partners from around the globe, played a crucial role in dismantling the botnet’s infrastructure and arresting Wang.

The DOJ has also set up a web page where individuals can check if their IP address was among those compromised by the botnet, helping potential victims identify and mitigate any security issues stemming from the infection.

This takedown is part of the federal government’s ongoing efforts to thwart global cybercrime, which has become increasingly sophisticated and widespread.

The DOJ has dismantled multiple botnets this year, including those linked to nation-state hacking activities, highlighting the persistent and evolving threat posed by cybercriminals.
