“The biggest botnet of all time” disrupted. Alleged 911 S5 mastermind arrested

A vast network of millions of compromised computers, used to facilitate a wide range of cybercrime, has been disrupted by a multinational law enforcement operation.

The 911 S5 botnet, described as “probably the world's largest botnet ever created” by FBI Director Christopher Wray, had its infrastructure and assets seized and its alleged mastermind arrested and charged.

YunHe Wang, 35, a dual national of China and Saint Kitts and Nevis, is suspected of operating the 911 S5 botnet with co-conspirators and of creating and distributing malware that compromised millions of Windows computers worldwide.

Methods used to recruit PCs into the botnet included the distribution of free but illegitimate VPN software such as MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. Once users installed these VPN apps, their machines unknowingly connected to the 911 S5 infrastructure and became part of the botnet.

Additionally, the 911 S5 botnet grew by bundling its code with other software (under the guise of fake security updates for applications like Adobe Flash Player) and by distributing it through peer-to-peer file sharing networks disguised as “cracked” or pirated applications.

In total, devices associated with more than 19 million unique IP addresses (including 613,841 IP addresses located in the United States) appear to have been recruited into the botnet.

Law enforcement officials say Wang generated millions of dollars by offering cybercriminals paid access to the compromised IP addresses, thereby anonymizing their online activities. Beginning in 2014, the 911 S5 botnet was used to commit a wide range of crimes, including cyberattacks, pandemic-related fraud, child exploitation, harassment, and the transmission of bomb threats.

For example, the US Department of Justice claims that approximately 560,000 fraudulent unemployment insurance claims originated from IP addresses compromised by the botnet, resulting in a loss exceeding $5.9 billion.

According to the U.S. Department of Commerce's Bureau of Industry and Security (BIS), the criminal scheme netted its operators nearly $100 million in profits, which were used to purchase luxury watches, real estate and luxury cars, including a Ferrari F8 Spider, two BMWs and a Rolls-Royce.

Law enforcement agencies from the United States, Singapore, Thailand and Germany collaborated in the operation against the botnet, searching properties, seizing assets worth approximately US$30 million and dismantling the botnet infrastructure.

The US Department of the Treasury announced the imposition of sanctions against Wang and two others suspected of being involved in laundering the proceeds of this criminal scheme.

Wang is charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering. If convicted on all counts, Wang faces a maximum sentence of 65 years in prison.

The 911 S5 botnet began operating in May 2014 and was taken offline by its administrator in July 2022, before being reconstituted as CloudRouter in October 2023.

Visitors to the CloudRouter webpage today will see a law enforcement seizure notice.

The FBI has created a web page that helps users identify and remove apps that may have tried to recruit them into the 911 S5 botnet.

If your company allows employees to use their own devices, remember that those devices may also have been inadvertently enrolled in the 911 S5 botnet, so it is worth checking that they are not infected.
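The following PowerShell sweep is an added example, not code from the article or from the FBI's removal page. It looks for traces of the six VPN brands named above in installed programs, running processes, services and scheduled tasks on a Windows host, so that an administrator can run it across a fleet rather than checking Task Manager by hand. It goes slightly beyond the FBI guidance by also checking scheduled tasks, a common persistence point for bundled installers. The assumption, marked in the comments, is that the apps register under names containing those brand strings; the actual binary, service and task names are not stated in the article, so a match is a lead to investigate and no match only means nothing matched these strings.

```powershell
# Added example (not from the article or the FBI page): sweep a Windows host
# for traces of the VPN brands the article names as 911 S5 recruitment vectors.
# Assumption: the apps register under names containing these brand strings in
# the uninstall registry keys, as running processes, as services, or as
# scheduled tasks. Actual binary/service/task names are not stated in the
# article, so treat a match as a lead, not proof, and an empty result as
# "nothing matched these strings", not "clean". Run as Administrator for
# full visibility of HKLM keys, services and other users' processes.

$Indicators = @('MaskVPN', 'DewVPN', 'PaladinVPN', 'ProxyGate', 'ShieldVPN', 'ShineVPN')
$Pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Installed programs: 64-bit, 32-bit and per-user uninstall keys.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern -or $_.InstallLocation -match $Pattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Source = 'InstalledProgram'; Name = $_.DisplayName; Detail = $_.InstallLocation
        })
    }

# 2. Running processes, matched on image name and on the executable path
#    (Path is empty for protected/system processes; -match on $null is simply false).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern -or $_.Path -match $Pattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Source = 'Process'; Name = "$($_.Name) (PID $($_.Id))"; Detail = $_.Path
        })
    }

# 3. Services, matched on service name, display name and the binary they launch.
Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Source = 'Service'; Name = "$($_.Name) [$($_.State)]"; Detail = $_.PathName
        })
    }

# 4. Scheduled tasks, matched on task name and on the executable each action runs.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match $Pattern -or ($_.Actions | Where-Object { $_.Execute -match $Pattern }) } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Source = 'ScheduledTask'; Name = $_.TaskName
            Detail = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
        })
    }

if ($Findings.Count -eq 0) {
    Write-Output "No installed program, process, service or scheduled task matched: $($Indicators -join ', ')"
    exit 0
}

$Findings | Format-Table -AutoSize
# Non-zero exit so an MDM/RMM job can flag the device for follow-up.
exit 1
```

Deploy it through whatever management tooling already reaches BYOD machines, and treat a non-zero exit as a ticket to follow the FBI's removal steps for that device. Because the script matches on names only, a renamed or rebranded installer will slip past it; the negative result narrows the search, it does not close it.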


Editor's note: The opinions expressed in this guest authored article are solely those of the contributor and do not necessarily reflect those of Tripwire.
