US dismantles 911 S5 botnet used for cyberattacks, arrests admin


The U.S. Justice Department and international partners dismantled the 911 S5 proxy botnet and arrested 35-year-old Chinese national YunHe Wang, its administrator.

As early as 2011, Wang and his conspirators pushed malware onto victims’ devices using multiple malicious VPN applications bundling proxy backdoors. The VPN apps that added compromised devices to the 911 S5 residential proxy service include MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.

Between 2014 and July 2022, they created a network of millions of residential Windows computers worldwide linked to more than 19 million unique IP addresses, including 613,841 IP addresses in the United States.

“Wang [..] managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S. based online service providers,” the Justice Department said.

“Using the dedicated servers, Wang deployed and managed applications, commanded and controlled the infected devices, operated his 911 S5 service, and provided paying customers with access to proxied IP addresses associated with the infected devices.”

Researchers at the University of Sherbrooke revealed in June 2022 that the 911 S5 operators lured potential victims by offering free VPN services to install the proxy malware.

One month later, the botnet was shut down after critical components of the operation were allegedly destroyed in a security breach, but it was resurrected as “CloudRouter” just a few months later.

The Justice Department is now serving seizure warrants to registrars and registry entities to seize the following domains used by the criminal network.

DOMAIN NAME TLD REGISTRAR REGISTRY
911.re .re 1API GmbH AFNIC
911.gg .gg 1API GmbH Island Networks
911s5.net .net GoDaddy VeriSign
911s5.org .org GoDaddy PIR
911s5.com .com GoDaddy VeriSign
maskypn.ce .cc Dynadot VeriSign
maskypn.org .org GoDaddy PIR
dewvpn.com .com GoDaddy VeriSign
dewvpn.net .net GoDaddy VeriSign
dewvpn.org .org GoDaddy PIR
dewvpn.ce .cc GoDaddy VeriSign
proxygate.net .net GoDaddy VeriSign
shinevpn.com .com GoDaddy VeriSign
shinevpn.org .org GoDaddy PIR
paladinypn.com .com Namecheap VeriSign
paladinypn.org .org Namecheap PIR
shieldvpn.org .org CommuniGal PIR
cloudrouter.io .io Namecheap Identity Digital Inc
cloudrouter.pro .pro Dynadot Identity Digital Inc
cloudrouting.net .net Namecheap VeriSign
reachfresh.com .net GoDaddy VeriSign
updatepanel.ce .cc Namecheap VeriSign
upgradeportal.org .org Namecheap PIR

Wang collected approximately $99 million by selling access to the proxied IP addresses to cybercriminals for a fee. The criminals used the compromised devices’ Internet connections for a wide range of crimes, including cyber attacks, bomb threats, child exploitation, large-scale fraud, harassment, and export violations.

911 S5 customers also used the illegitimate residential proxy service to submit tens of thousands of fraudulent applications for programs related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act, 560,000 fraudulent unemployment insurance claims, and over 47,000 Economic Injury Disaster Loan (EIDL) applications, resulting in billions of dollars stolen from financial institutions, credit card issuers, and federal lending programs.

On Tuesday, the U.S. Treasury Department also sanctioned Wang (the administrator), Jingping Liu (the operation’s money launderer), and Yanni Zheng (who acted as a power of attorney for Yunhe Wang), and three entities (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited) that were either owned or controlled by Wang.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators.”

911 S5 proxy service prices
911 S5 proxy service prices (BleepingComputer)

According to an indictment unsealed on May 24, dozens of Wang’s assets and properties are now subject to forfeiture, “including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains.”

Wang faces a maximum penalty of 65 years in prison if convicted on all counts, including conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.



Source link