
The USA eliminates the world’s largest botnet 911 S5 with 19 million infected devices

The largest botnet 911 S5

The US Department of Justice (DoJ) said on Wednesday it had disbanded what it described as “probably the world’s largest botnet in history,” consisting of an army of 19 million infected devices that were rented to other threat actors to commit a wide range of crimes.

The botnet, with a global reach spanning over 190 countries, operated as a consumer proxy service known as 911 S5. On May 24, 2024, 35-year-old Chinese citizen YunHe Wang was arrested in Singapore for creating the illegal platform and operating it from 2014 to 2022.

Wang was charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering. If convicted on all counts, Wang faces a maximum sentence of 65 years in prison.

The Justice Department said the botnet was used to conduct cyberattacks, financial fraud, identity theft, child exploitation, harassment, bomb threats and export violations.

Notably, in July 2022, security journalist Brian Krebs identified Wang as the owner of the 911 S5, after which the company was abruptly shut down on July 28, 2022, citing a data breach involving its key components.


Although the service was resurrected a few months later under a different brand, CloudRouter, Riley Kilmer, co-founder of cybersecurity firm Spur, told Krebs that the service went down last weekend.

“It is alleged that Wang and others created and distributed malware to compromise and amass a network of millions of Windows desktop computers around the world,” according to the unsealed indictment.

“These devices were associated with over 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then made millions of dollars by offering cybercriminals paid access to these infected IP addresses.”

Residential Proxies (RESIP) are networks of legitimate user devices that route traffic on behalf of paid subscribers. This typically involves providers renting access to route network traffic through computers, smartphones or routers belonging to real users.

The main purpose of using such proxy software services is to route traffic through the IP addresses of these devices to anonymize the source of malicious requests.

Court documents accuse Wang of spreading the malware through free virtual private network (VPN) programs such as MaskVPN and DewVPN, as well as through other pay-to-install services that bundled it with pirated software.

It is estimated that the defendant managed an infrastructure of 150 servers around the world, 76 of which were leased from US-based ISPs.

“Using dedicated servers, Wang deployed and managed applications, commanded and controlled infected devices, operated the 911 S5 service, and provided paying customers with access to intermediate IP addresses associated with infected devices,” the Justice Department said.

It is also alleged that 911 S5 enabled criminal actors to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers and federal lending programs, including Pandemic Relief and the Economic Injury Disaster Loan (EIDL) program, by submitting false claims.

Moreover, the service allowed attackers living outside the United States to purchase goods using stolen credit cards or criminal proceeds and then illegally export them outside the country in violation of U.S. export laws.

For his part, Wang is estimated to have received approximately $99 million from the sale of access to hijacked proxy IP addresses, and used the ill-gotten money to purchase four luxury cars, several expensive wristwatches, and 21 residential or investment properties across the United States, China, Singapore, Thailand and the United Arab Emirates.


Wang’s other digital assets include more than a dozen domestic and international bank accounts and more than 24 cryptocurrency wallets that were used to carry out the scheme. Blockchain analytics firm Chainalysis revealed that addresses associated with Wang hold $136.4 million worth of cryptocurrency.

The takedown, the result of a coordinated effort by the United States, Singapore, Thailand and Germany, brought down 23 domains and more than 70 servers that form the core of the 911 S5. As part of this action, assets worth approximately $30 million were also seized.

Concurrent with the indictment against Wang, the Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on the defendant along with his co-conspirator Jingping Liu and attorney Yanni Zheng for their activities related to the 911 S5 botnet and residential proxy service.

The agency also imposed sanctions on three entities based in Thailand, namely Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited, which are allegedly owned or controlled by Wang, noting that Spicy Code Company Limited was used to buy real estate in the country.

“The conduct alleged here sounds like something straight out of a script: a scheme to sell access to millions of malware-infected computers around the world, enabling criminals around the world to steal billions of dollars, send bomb threats and exchange child exploitation materials,” said Matthew S. Axelrod of the U.S. Department of Commerce’s Bureau of Industry and Security (BIS).

“What the videos fail to capture is the painstaking work of national and international law enforcement agencies, working closely with industry partners, to foil such a brazen plan and bring about such an arrest.”
