
The feds bust one of the world’s largest malicious botnets and arrest its administrator

Washington — Federal investigators have taken down one of the world’s biggest malware botnets, which helped generate tens of thousands of fraudulent transactions that cost victims billions, many of them related to COVID-subsidized aid.

Law enforcement also arrested the botnet’s administrator, Chinese national YunHe Wang. He was accused of organizing an international conspiracy to deploy malware and secretly selling access to the IP addresses of infected computers. An IP address, a string of numbers and dots, acts as a unique identifier for a device or domain on the Internet, allowing devices to communicate with each other and send information back and forth.

Wang is accused of masterminding an operation known as the 911 S5 botnet, which deployed 19 million compromised IP addresses in more than 190 countries, using them as an “infrastructure highway to commit crimes such as bomb threats, financial fraud, identity theft, child exploitation, initial access and many other computer crimes,” said Brett Leatherman, deputy director of the FBI’s cyber division.

Officials confirmed that Wang had financial motives and had no direct ties to nation states.

According to court documents, Wang allegedly bought properties worth $30 million in the US, St. Kitts and Nevis, China, Singapore, Thailand and the United Arab Emirates and paid more than $4 million for luxury items including a BMW, a Rolls Royce and several watches.

More than 600,000 IP addresses were located in the US. Wang was arrested on Friday and faces four charges, including conspiracy and computer fraud.

Court documents show that Wang allegedly sold various virtual private network (VPN) programs to his unsuspecting victims.

VPN extensions are routinely used to encrypt your Internet connection and route it through a remote server to mask your IP address and hide your browsing history and location.

In this case, these VPN programs installed malware on computers after downloading, secretly allowing their IP addresses to be remotely hijacked. Investigators said Wang then distributed the stolen IP addresses to cybercriminals for millions of dollars to facilitate illegal activity.

By operating under the cover of victims’ IP addresses, cybercriminals could implement their plans and avoid detection by law enforcement agencies. In some cases, prosecutors said, Wang even sold access to IP addresses based on the particular geographic needs of criminals.

Leatherman warned that the malicious VPN services victims downloaded included Mask VPN, Dew VPN, Paladin VPN, Proxy Gate, Shield VPN and Shine VPN.

“Cybercriminals used the 911 S5 service to bypass financial fraud detection systems in the United States and other countries, and since 2014, they have successfully stolen billions of dollars from financial institutions, credit card issuers and account holders, as well as federal lending programs,” according to charging documents. In one case, prosecutors said more than $5.9 billion in potential losses related to pandemic relief fraud were tied to IP addresses “exploited and traded” by Wang’s botnet.

Investigators said a key aspect of the growing network of infected computers was the ability of Wang and his associates to infect victims without their knowledge and bypass software that typically detects viruses.

In all, prosecutors said Wang allegedly made more than $99 million selling hijacked IP addresses and worked with others to launder some of his proceeds through U.S. banks.

“The majority of fraud resulted from fraudulent applications for pandemic assistance,” Leatherman said. “This is a significant theft against Americans who have been seeking financial relief from the pandemic during very difficult times.”

“There is an entire ecosystem that enables cybercriminals to operate, from Bitcoin, to elder fraud, to ransomware, to illegal activities by nation states,” he added.

“Working with our international partners, the FBI conducted a joint, sequential cyber operation to take down the 911 S5 botnet, arguably the world’s largest botnet in history,” FBI Director Christopher Wray said in a statement Wednesday.

FBI officials said both Singaporean and Thai authorities were critical to Wang’s arrest, conducting searches and interviews and seizing property. U.S. officials are working with the Singapore government to extradite him to the United States.

Law enforcement seized 23 domains and more than 70 servers, dismantling a network of infected devices that investigators say Wang and co-conspirators built between 2014 and 2022.

“You can never guarantee the complete dismantling of these networks, but his arrest is also a milestone for us,” Leatherman noted. “The investigation is not over,” he added. “We hope that through physical search warrants, interviews and seizures, we will identify artifacts and evidence that will lead us to others using these services to target innocent American individuals and corporations.”

Wang’s attorney could not immediately be identified.

The FBI has created a website that allows potential victims to determine whether their device has been compromised and guides them through the self-repair process.