A US-led law enforcement operation has successfully disrupted the 911 S5 botnet, believed to be the world’s largest ever botnet.
The 911 S5 botnet is a global network of millions of compromised residential Windows computers used to facilitate cyber-attacks, large scale fraud, child exploitation and other serious criminal activity.
The network of devices was associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the US. Cybercriminals were allowed to purchase access to these infected IP addresses to conduct various criminal activities.
The US Department of Justice (DoJ) also announced the arrest of a Chinese national, YunHe Wang, 35, on charges relating to the creation and operation of 911 S5.
He is accused of conspiracy to commit substantive computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering, Wang could face a maximum sentence of 65 years in prison if found guilty of all charges.
Wang is alleged to have received approximately $99m from sales of the hijacked proxied IP addresses through the 911 S5 operation from 2018 to 2022.
How the 911 S5 Botnet Operated
An indictment unsealed on May 24 alleges that Wang and accomplices created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide from 2014 through to July 2022.
This malware was propagated through virtual private network (VPN) programs, such as MaskVPN and DewVPN, and pay-per-install services that bundled the malware with other program files.
Wang also managed and controlled around 150 dedicated servers worldwide, 76 of which were leased from US based online service providers.
These servers were used to deploy and manage applications, command and control the infected devices, operate the 911 S5 service and provide paying customers with access to proxied IP addresses associated with the infected devices.
He then sold proxied IP addresses purchased from 911 S5 to conceal their locations and anonymously commit a wide range of offenses. In addition to cybercrime and fraud, this included stalking, transmitting bomb threats and threats of harm, illegal exportation of goods, and receiving and sending child exploitation materials.
The indictment alleges that 911 S5 enabled cybercriminals to steal billions of dollars from financial institutions, credit card issuers and federal lending programs.
This included the fraudulent targeting of COVID-19 pandemic relief programs.
The US government believes that 560,000 fraudulent unemployment insurance claims originated from compromised IP addresses, resulting in a confirmed fraudulent loss exceeding $5.9bn.
The 911 S5 client interface software, hosted on US-based servers, enabled cybercriminals located outside of the US to purchase goods with stolen credit cards or criminally derived proceeds.
Assistant Secretary for Export Enforcement Matthew S. Axelrod of the US Department of Commerce’s Bureau of Industry and Security (BIS), noted: “The conduct alleged here reads like it’s ripped from a screenplay: A scheme to sell access to millions of malware-infected computers worldwide, enabling criminals over the world to steal billions of dollars, transmit bomb threats, and exchange child exploitation materials – then using the scheme’s nearly $100 million in profits to buy luxury cars, watches, and real estate.”
Law Enforcement Operation
The operation to disrupt 911 S5 was led by law enforcement in the US, Singapore, Thailand and Germany.
Officers seized 23 domains and over 70 servers that underpinned the historical 911 S5 botnet, as several new domains and services directly linked to an effort to reconstitute the service. This has effectively terminated the ability of Wang and accomplices to target victims through the botnet, the DoJ said.
Additionally, assets worth approximately $30m were seized from residences, with additional forfeitable property valued at around $30m.