Washington — Federal investigators took down one of the world’s largest malicious botnets, one that helped generate tens of thousands of fraudulent transactions that cost victims billions — including many related to COVID relief funding.
Law enforcement also arrested the botnet’s administrator, YunHe Wang, a Chinese national. He’s been accused of orchestrating an international plot to deploy malware and surreptitiously sell access to the infected computers’ IP addresses. IP addresses, a string of numbers and dots, act as unique identifiers for the devices and domains on the internet, allowing them to communicate with each other and send information back and forth.
Wang is charged with leading an operation — known as the 911 S5 Botnet — that deployed 19 million compromised IP addresses in over 190 countries, using them as “an infrastructure highway for carrying out crimes such as bomb threats, financial fraud, identity theft, child exploitation, initial access brokering, and many other computer crimes,” according to FBI cyber division deputy assistant director Brett Leatherman.
Officials confirmed Wang was financially motivated, with no known direct ties to nation-states.
Wang allegedly purchased $30 million in property in the U.S., St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates, and paid over $4 million for luxury items including a BMW, Rolls Royce and several watches, according to court documents.
More than 600,000 of the IP addresses were in the U.S. Wang was arrested on Friday and charged in a four-count indictment including conspiracy and computer fraud.
According to court papers, Wang allegedly sold his unsuspecting victims various Virtual Private Network (VPN) programs.
VPN extensions are routinely used to encrypt an internet connection, routing it through a remote server to mask an IP address and hide the user’s browsing history and location.
In this case, these VPN programs installed malicious software on the computers when downloaded, secretly allowing their IP addresses to be coopted remotely. Investigators said Wang then doled out the stolen IP addresses to cybercriminals for millions of dollars to facilitate the illicit activity.
By operating under the guise of the victims’ IP addresses, cybercriminals could carry out their schemes and avoid detection by law enforcement. In some cases, according to prosecutors, Wang even sold access to the IP addresses based on the particular geographic needs of the criminals.
Leatherman warned that malicious VPN services downloaded included Mask VPN, Dew VPN, Paladin VPN, Proxy Gate, Shield VPN and Shine VPN.
“Cybercriminals have used the 911 S5 service to bypass financial fraud detection systems in the United States and elsewhere and have successfully stolen billions of dollars from financial institutions, credit card issuers and account holders, and federal lending programs since 2014,” according to charging documents. In one instance, prosecutors said more than $5.9 billion in potential pandemic relief fraud losses were tied to IP addresses “exploited and trafficked” by Wang’s botnet.
Investigators said a key aspect of the growing network of infected computers was Wang and his co-conspirators’ ability to infect victims without their knowledge and bypass software that usually detects viruses.
In all, prosecutors said Wang allegedly made more than $99 million from his sales of the hijacked IP addresses and worked with others to launder some of his proceeds through U.S. banks.
“The majority of the fraud came from fraudulent pandemic relief fund applications,” said Leatherman. “That is a significant theft against Americans who in very difficult times were looking for financial relief related to the pandemic.”
“There’s an entire ecosystem, which enables the activities of cyber criminals from Bitcoin to elder fraud to ransomware, and illicit conduct from nation states,” he added.
“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” FBI Director Christopher Wray said in a statement Wednesday.
FBI officials said both Singapore and Thailand’s authorities were “critical” to Wang’s arrest after they conducted searches and interviews and seized assets. U.S. officials are working with Singapore’s government to extradite him to the U.S.
Law enforcement seized 23 domains and over 70 servers, dismantling a network of infected devices that investigators say Wang and co-conspirators constructed from 2014 to 2022.
“You can never guarantee 100% dismantlement of these networks, but taking him into custody also serves as a key milestone for us,” noted Leatherman. “The investigation is not over,” he added. “Through physical search warrants, conducting interviews and seizures, we will hopefully identify artifacts and evidence which lead us to other individuals who use that service to target innocent American individuals and corporations.”
An attorney for Wang could not be immediately identified.
The FBI has created a webpage to allow potential victims to determine if their device has been compromised, and lead them through a self-remediation process.