Image: Aron Visuals / Unsplash

Chinese nationals sanctioned for botnet used to steal ‘billions’ in COVID-19 relief funds

The U.S. Treasury Department on Tuesday sanctioned three Chinese nationals allegedly linked to a malicious botnet widely used to carry out fraud. 

According to the Treasury, the botnet was especially useful “when carrying out credit card theft” and was used to facilitate tens of thousands of fraudulent applications related to Covid-19 relief funding, “resulting in the loss of billions of dollars to the U.S. government.” 

A series of bomb threats in July 2022 was also made through IP addresses on the network, the Treasury said. 

The botnet was connected to 911 S5 — a popular residential proxy service that enabled users to mask their IP addresses by routing web activity through compromised devices, a Treasury announcement said. The botnet allegedly consisted of 19 million IP addresses.

The service went offline in July 2022, according to the journalist Brian Krebs, after a purported hacking incident that the proxy service said damaged essential data. 

The Secret Service alleged in 2022 that hackers linked to the Chinese government stole at least $20 million in U.S. Covid relief benefits, including Small Business Administration loans and unemployment insurance funds in over a dozen states.

The U.S. sanctioned alleged administrator Yunhe Wang and Jingping Liu, who is accused of laundering proceeds from 911 S5 for Wang. The third man, Yanni Zheng, allegedly acted as power of attorney for Wang and his company, Spicy Code Company Limited, and purchased real estate and made business transactions on his behalf.

The men reportedly live in Singapore and Thailand, both of which were cited as partners in the sanctions announcement. Three businesses registered in Thailand were also sanctioned for their alleged links to Wang.

The announcement of sanctions often coincides with a Department of Justice indictment, but as of Tuesday afternoon the agency had not announced further legal action against the three men.

Under the sanctions, property and interests owned by the three men in the U.S. must be reported to the agency, and U.S. citizens or residents are forbidden from doing business with them. 

In January, the DOJ announced it had taken down a botnet linked to Volt Typhoon — a hacking group with Chinese government ties that according to the U.S. government infects privately owned home and office routers with malware in order to conceal the group’s other hacking activities.

James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.