One of the world's largest botnets dismantled, administrator arrested

911 S5 botnet: Significant computer fraud

The U.S. Department of Justice, in cooperation with the FBI and international agencies, dismantled the 911 S5 botnet, believed to be one of the largest in the world. It also arrested its administrator, a 35-year-old Chinese national named YunHe Wang, and seized property, bank accounts, cryptocurrency wallets, as well as several cars and luxury goods.

Although U.S. authorities indicate that the 911 S5 botnet operated from 2014 to mid-2022, Wang began infecting devices with malware in 2011. He reportedly distributed VPN apps with a backdoor that allowed him to infect the devices on which they were installed.

In this way, he managed to create the 911 S5 botnet using millions of compromised Windows computers. According to official data, the infected computers were linked to more than 19 million unique IP addresses and were distributed in almost 200 countries.

Malicious applications used to create the botnet include PaladinVPN, MaskVPN, DewVPN and ShieldVPN. The Department of Justice has initiated legal proceedings to seize about 20 website domains associated with these programmes, as well as the 911 Proxy service.

Wang not only hacked computers to add them to the 911 S5 botnet, but also sold access to the network of infected computers to attackers for all sorts of illegal activities, from large-scale cyberattacks and fraud to bomb threats, stalking and child abuse.

According to the US Department of Justice, the administrator of the 911 S5 botnet managed approximately 150 servers around the world. More than half of them were located in the US.

OFAC: Sanctions on YunHe Wang

International operation to take down the 911 S5 botnet

Creating and managing the 911 S5 botnet was a lucrative business for Wang. The U.S. Department of Justice claims he made nearly $100 million from selling access to his network of infected computers and IP addresses between 2018 and 2022 alone.

‘Wang used the illegally gained funds to buy property in the United States, St Kitts and Nevis, China, Singapore, Thailand and the United Arab Emirates. The indictment lists dozens of assets and property subject to forfeiture, including a Ferrari F8 Spider S-A 2022, BMW i8, BMW X7 M50d, Rolls-Royce, more than a dozen domestic and international bank accounts, more than two dozen cryptocurrency wallets, several high-end watches, 21 residential or investment properties (in Thailand, Singapore, the United Arab Emirates, St. Kitts and Nevis, and the United States), and 20 [web] domains.’ - US Department of Justice.

It's worth noting that the 911 S5 botnet and 911 Proxy service ceased operations in mid-2022 due to an alleged technical issue. However, a few months later they resumed operations, though under a new name - CloudRouter.

‘By taking control of several domains associated with the historic 911 S5, as well as several new domains and services directly related to the attempt to restore the service, the government successfully thwarted Wang's attempts to further endanger people through the CloudRouter service he created, as well as shut down existing malicious backdoors.’ - U.S. Department of Justice.

In addition to the Department of Justice, the U.S. Treasury Department also played a role in this story. The Office of Foreign Assets Control (OFAC) imposed sanctions on Wang and two other people it named as his associates. One of them, named Jingping Liu, was found responsible for laundering money illegally obtained through the 911 S5 botnet. Another, Yanni Zheng, acted as a proxy for Wang and one of his companies.

OFAC also targeted three companies owned by or related to Wang: Spicy Code Company Limited, Lily Suites Company Limited and Tulip Biz Pattaya Group Company Limited. Wang's prospects after his arrest are clearly not the most favourable. The organiser of the 911 S5 botnet faces four serious charges:

  • Conspiracy to commit computer fraud.
  • Substantial computer fraud.
  • Conspiracy to commit wire fraud.
  • Conspiracy to commit money laundering.

If found guilty on all charges, he faces a maximum sentence of 65 years in prison.

