The U.S. Treasury Department has sanctioned a cybercrime network comprising three Chinese nationals and three Thailand-based companies linked to a massive botnet controlling a residential proxy service known as “911 S5.”
Researchers at the Canadian University of Sherbrooke found almost two years ago that this illegitimate residential proxy service lured potential victims with free VPN offerings whose installers carried malware designed to add the victims’ IP addresses to the 911 S5 botnet.
At the time, the botnet controlled approximately 120,000 residential proxy nodes from all over the world, all of which communicated with multiple command-and-control servers located offshore or hosted within a cloud server.
“The 911 S5 botnet was a malicious service that compromised victim computers and allowed cybercriminals to proxy their internet connections through these compromised computers,” said the Office of Foreign Assets Control (OFAC).
“Once a cybercriminal had disguised their digital tracks through the 911 S5 botnet, their cybercrimes appeared to trace back to the victim’s computer instead of their own.”
OFAC added that the residential proxy botnet compromised approximately 19 million IP addresses. The use of these infected devices allowed cybercriminals to submit tens of thousands of fraudulent applications for programs related to the Coronavirus Aid, Relief, and Economic Security Act, resulting in billions of dollars in losses.
911 S5’s customers also used the service to commit widespread cyber-enabled fraud from residential IP addresses belonging to compromised computers. These IP addresses were also used in a series of bomb threats made across the United States in July 2022.
OFAC today sanctioned Yunhe Wang (the 911 S5 service administrator), Jingping Liu (the operation’s money launderer), and Yanni Zheng (who acted as a power of attorney for Yunhe Wang), as well as three entities (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited), all owned or controlled by Yunhe Wang.
As a result of today’s sanctions, all transactions involving U.S. interests and property of the designated individuals and entities are prohibited, and anyone who deals with the sanctioned individuals and companies is also exposed to sanctions or enforcement actions.
Cybersecurity firm Mandiant also warned last week that Chinese state hackers are increasingly relying on vast proxy server networks (also known as operational relay box networks) built from compromised online devices and virtual private servers to evade detection during their cyberespionage campaigns.