The U.S. Justice Department led a court-approved international law enforcement operation that successfully dismantled a botnet.
The botnet was used for perpetrating cyber attacks, extensive fraud, child exploitation, harassment, bomb threats, and violations of export regulations, officials stated.
YunHe Wang, 35, a citizen of the People’s Republic of China and a citizen-by-investment of St. Kitts and Nevis, was apprehended on May 24, according to officials.
He faces criminal charges related to deploying malware and to creating and operating a residential proxy service called “911 S5.”
According to an indictment unsealed on May 24, from 2014 to July 2022 Wang and his associates allegedly developed and distributed malware to compromise and control a vast network of residential Windows computers around the globe.
These devices were linked to over 19 million distinct IP addresses, including 613,841 IP addresses situated in the United States.
Wang then amassed millions of dollars by providing hackers with paid access to these compromised IP addresses.
According to Attorney General Merrick B. Garland, the Justice Department organized this operation to dismantle 911 S5, a botnet that allowed for cyberattacks, extensive fraud, child exploitation, harassment, bomb threats, and violations of export laws.
YunHe Wang was arrested due to his involvement in the creation and operation of a botnet, as well as the deployment of malware.
This prosecution demonstrates that the law’s jurisdiction extends beyond national boundaries and into the dark web’s most hidden corners.
FBI Director Christopher Wray stated that the FBI collaborated with foreign partners to carry out a coordinated cyber operation to destroy the 911 S5 Botnet, which is believed to be the largest botnet in the world.
The 911 S5 Botnet compromised computers in around 200 countries and enabled a wide range of computer-based criminal activities, such as financial scams, identity theft, and child abuse, according to Wray.
According to court records, Wang is accused of spreading his malware through Virtual Private Network (VPN) programs such as MaskVPN and DewVPN (torrent distribution models that he operated) and through pay-per-install services that bundled his malware with other program files, including pirated versions of licensed software or copyrighted materials.
Wang then managed and controlled around 150 dedicated servers across the globe, approximately 76 of which were rented from American online service providers.
Wang used these dedicated servers to deploy and manage applications, command and control the compromised devices, operate his 911 S5 service, and give paying users access to proxied IP addresses linked to the compromised devices.
The 911 S5 client interface software, hosted on servers located in the United States, enabled cybercriminals located outside the United States to acquire goods using stolen credit cards or illegally obtained funds and to unlawfully transport them out of the United States in violation of U.S. export laws, such as the Export Administration Regulations (EAR). The 911 S5 client interface may also include encryption or other functionality that makes it subject to the export controls specified in the EAR. Hence, the download of the 911 S5 client interface software by certain foreign individuals without a license may constitute a violation of the EAR.
According to the indictment, Wang is accused of receiving almost $99 million between 2018 and July 2022 from selling hijacked proxied IP addresses through his 911 S5 operation.
The payments were made in either bitcoin or fiat currency. Wang used the unlawfully acquired profits to buy real estate in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates.
The indictment lists numerous assets and properties that are eligible for confiscation, such as a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than twelve domestic and international bank accounts, over twenty cryptocurrency wallets, several high-end wristwatches, 21 residential or investment properties located in Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States, and 20 domains.
Law enforcement focused on 911 S5 during an investigation into a money laundering and smuggling operation.
This operation involved criminal actors in Ghana and the United States.
They used hijacked IP addresses obtained from 911 S5 to place fraudulent orders using stolen credit card information on ShopMyExchange, the online shopping platform of the Army and Air Force Exchange Service (AAFES).
Although they submitted over 2,525 fraudulent orders for $5.5 million, credit card fraud detection systems and federal investigators prevented most of the attempted purchases, resulting in an actual loss of about $254,000.
Wang is charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If found guilty on all charges, Wang could be sentenced to a maximum of 65 years in prison.
Law enforcement agencies in the United States, Singapore, Thailand, and Germany coordinated this operation on a global scale.
Law enforcement agents and officers conducted searches of homes, seized assets worth around $30 million, and identified additional forfeitable property valued at approximately $30 million.
The operation also seized 23 domains and more than 70 servers that formed the core infrastructure of Wang’s previous residential proxy service and the most recent version of the service.
By taking control of multiple domains associated with the historical 911 S5, along with other domains and services connected to Wang’s efforts to revive the service, the government has put an end to Wang’s attempts to harm individuals through his newly established service, Cloudrouter.io, and has closed the existing malicious backdoors.
On May 28, the Treasury Department’s Office of Foreign Assets Control (OFAC) imposed financial sanctions on Wang, Jingping Liu, and Yanni Zheng due to their involvement with 911 S5.
Additionally, three businesses were sanctioned for being owned or managed by Wang.
The FBI Dallas and Denver Field Offices, DCIS Cyber Field Office, and BIS Office of Export Enforcement’s Dallas field office are investigating the matter.
Along with Assistant U.S. Attorneys Camelia Lopez and William Tatum for the Eastern District of Texas, Trial Attorneys Candy Heath and Lydia Lichlyter from the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case.