The splash page for the takedown of the 911 S5 botnet.
The splash page for the takedown of the 911 S5 botnet.

Botnet down and administrator arrested in 911 S5 case, FBI says

The FBI and international partners say they have dismantled a massive botnet that had infected more than 19 million IP addresses across 200 countries and was used for years to conceal cybercrime. 

The 911 S5 botnet’s alleged administrator, Chinese national YunHe Wang, was arrested on May 24 and faces up to 65 years in prison, the Department of Justice said.

On Tuesday, Wang and several alleged associates, as well as three Thai businesses, were sanctioned by the Treasury Department in relation to the botnet. 

Beginning in 2014, Wang allegedly created and disseminated malware that compromised millions of Windows operating systems, including more than 600,000 IP addresses in the U.S., prosecutors said.

He allegedly generated about $99 million from subscribers to the residential proxy service, which gave people access to the compromised IP addresses so they could mask their online activity. He faces charges related to computer fraud, wire fraud and money laundering. 

“This Justice Department-led operation brought together law enforcement partners from around the globe to disrupt 911 S5, a botnet that facilitated cyber-attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations,” said Attorney General Merrick B. Garland. 

Prosecutors say that customers using the service stole $5.9 billion from federal pandemic relief programs through fraudulent applications.

Wang is accused of spreading malware through malicious virtual private network (VPN) programs like MaskVPN and DewVPN, as well as pirated materials bundled with the malware. He allegedly had approximately 150 servers worldwide, about half of which were leased from U.S.-based service providers. 

Authorities seized 23 internet domains and more than 70 servers, which the DOJ said were the “backbone” of a prior residential proxy service that shuttered in 2022, as well as a “recent incarnation of the service.” 

“By seizing multiple domains tied to the historical 911 S5, as well as several new domains and services directly linked to an effort to reconstitute the service, the government has successfully terminated Wang’s efforts to further victimize individuals through his newly formed service and closed the existing malicious backdoors,” the DOJ said. 

Investigators allege Wang used the proceeds from the service to buy property in the U.S., China, Singapore, Thailand, the United Arab Emirates and St. Kitts and Nevis, where he also has citizenship. A substantial collection of luxury cars — like a Ferrari F8, several BMWs and a Rolls Royce — is subject to forfeiture, along with his 21 properties.

The investigation into 911 S5 came onto law enforcement’s radar during an investigation into more than 2,000 fraudulent orders placed with stolen credit cards on an e-commerce platform called ShopMyExchange, which is connected to the Army and Air Force Exchange Service. The perpetrators in Ghana and the U.S. were allegedly using IP addresses acquired from 911 S5. 

The Justice Department has taken out multiple botnets this year with links to nation-state hacking activity. In January, it announced an operation to dismantle a botnet consisting of infected home routers used by the China-linked hacking group Volt Typhoon. 

The following month, the DOJ said it dismantled a similar botnet network used by the APT28 group within Russia’s Main Intelligence Directorate of the General Staff (GRU).

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
James Reddick

James Reddick

has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.