US dismantles 911 S5 botnet used for cyberattacks, arrests admin

911 S5 seizure banner
911 S5 seizure banner

The U.S. Justice Department and international partners dismantled the 911 S5 proxy botnet and arrested 35-year-old Chinese national YunHe Wang, its administrator, in Singapore.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators.”

As early as 2011, Wang and his conspirators pushed malware onto victims’ devices using multiple malicious VPN applications bundling proxy backdoors. The VPN apps that added compromised devices to the 911 S5 residential proxy service include MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.

The FBI provides detailed information on how to determine if you were a victim of 911 S5 malware HERE.

Between 2014 and July 2022, they created a network of millions of residential Windows computers worldwide linked to more than 19 million unique IP addresses, including 613,841 IP addresses in the United States.

“Wang [..] managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S. based online service providers,” the Justice Department said.

“Using the dedicated servers, Wang deployed and managed applications, commanded and controlled the infected devices, operated his 911 S5 service, and provided paying customers with access to proxied IP addresses associated with the infected devices.”

Researchers at the University of Sherbrooke revealed in June 2022 that the 911 S5 operators lured potential victims by offering free VPN services to install the proxy malware.

One month later, the botnet was shut down after critical components of the operation were allegedly destroyed in a security breach, but it was resurrected as “CloudRouter” just a few months later.

The Justice Department is now serving seizure warrants to registrars and registry entities to seize the following domains used by the criminal network.

DOMAIN NAME TLD REGISTRAR REGISTRY .re 1API GmbH AFNIC .gg 1API GmbH Island Networks .net GoDaddy VeriSign .org GoDaddy PIR .com GoDaddy VeriSign
maskypn.ce .cc Dynadot VeriSign .org GoDaddy PIR .com GoDaddy VeriSign .net GoDaddy VeriSign .org GoDaddy PIR
dewvpn.ce .cc GoDaddy VeriSign .net GoDaddy VeriSign .com GoDaddy VeriSign .org GoDaddy PIR .com Namecheap VeriSign .org Namecheap PIR .org CommuniGal PIR .io Namecheap Identity Digital Inc .pro Dynadot Identity Digital Inc .net Namecheap VeriSign .net GoDaddy VeriSign
updatepanel.ce .cc Namecheap VeriSign .org Namecheap PIR

Wang collected approximately $99 million by selling access to the proxied IP addresses to cybercriminals for a fee. The criminals used the compromised devices’ Internet connections for a wide range of crimes, including cyber attacks, bomb threats, child exploitation, large-scale fraud, harassment, and export violations.

911 S5 customers also used the illegitimate residential proxy service to submit tens of thousands of fraudulent applications for programs related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

They also used it to file 560,000 fraudulent unemployment insurance claims and over 47,000 Economic Injury Disaster Loan (EIDL) applications, resulting in billions of dollars stolen from financial institutions, credit card issuers, and federal lending programs.

On Tuesday, the U.S. Treasury Department also sanctioned Wang (the administrator), Jingping Liu (the operation’s money launderer), and Yanni Zheng (who acted as a power of attorney for Yunhe Wang), and three entities (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited) that were either owned or controlled by Wang.

911 S5 proxy service prices
911 S5 proxy service prices (BleepingComputer)

According to an indictment unsealed on May 24, dozens of Wang’s assets and properties are now subject to forfeiture, “including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains.”

Wang faces a maximum penalty of 65 years in prison if convicted on all counts, including conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

This content is being syndicated from Source link for documentation purpose. If you are the owner of the content and like it removed, kindly contact me here and I will remove the content.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top