
US Dismantles World’s Largest Botnet, Linked to $5.9 Billion Covid Relief Fraud

The U.S. Department of Justice (DoJ) announced a victory in the fight against cybercrime on Wednesday, revealing the dismantling of what is likely the world’s largest botnet, known as 911 S5. This vast network, comprising 19 million infected devices across more than 190 countries, was used by cybercriminals for a wide range of illegal activities, including financial fraud, identity theft, child exploitation, harassment, bomb threats, and export violations.



YunHe Wang, a 35-year-old Chinese national, was arrested in Singapore on May 24, 2024. He has been identified as the primary creator and administrator of the 911 S5 botnet, operating it from 2014 until July 2022.

Wang faces charges of conspiracy to commit computer fraud, computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering. If convicted on all counts, Wang could be sentenced to a maximum of 65 years in prison.

The botnet, functioning as a residential proxy service, had a global footprint with over 19 million infected devices.

It enabled cybercriminals to route malicious traffic through these devices. The network spanned more than 190 countries, with 613,841 infected IP addresses located in the United States alone.

Wang is estimated to have earned approximately $99 million from selling access to the compromised IP addresses.

He used these illicit earnings to purchase luxury cars, expensive wristwatches, and 21 properties across the U.S., China, Singapore, Thailand, and the UAE.

Wang’s digital assets include over a dozen domestic and international bank accounts and more than 24 cryptocurrency wallets holding approximately $136.4 million in cryptocurrency.

Wang managed the botnet’s operations using 150 servers worldwide, 76 of which were based in the U.S. These servers were crucial for deploying and managing applications, commanding and controlling infected devices, and providing access to proxied IP addresses for paying customers.

The malware was disseminated through free VPN programs such as MaskVPN and DewVPN, as well as other pay-per-install services that bundled it with pirated software. These infected devices then became part of the 911 S5 botnet.

The botnet was leased to various threat actors who used it to execute cyber attacks, commit financial fraud, and engage in other illicit activities.

The botnet was involved in stealing billions of dollars from financial institutions, credit card issuers, and federal lending programs, including pandemic relief funds.

The DoJ highlighted the botnet’s role in submitting fraudulent claims to programs like the Economic Injury Disaster Loan (EIDL).

The botnet played a huge role in exploiting the Covid-19 relief efforts, filing an estimated 560,000 false unemployment insurance claims and stealing $5.9 billion in relief funds.

The takedown of the 911 S5 botnet was the result of a coordinated international effort involving law enforcement agencies from the U.S., Singapore, Thailand, and Germany.

This collaboration led to the disruption of 23 domains and over 70 servers that were integral to the botnet’s operations.


The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on Wang, his co-conspirator Jingping Liu, and power of attorney Yanni Zheng.

These sanctions also targeted three Thailand-based entities, Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited, which were allegedly used by Wang to purchase real estate in Thailand.

Authorities seized assets valued at approximately $30 million, contributing to the overall disruption of the botnet’s financial infrastructure.

“The conduct alleged here reads like it’s ripped from a screenplay: A scheme to sell access to millions of malware-infected computers worldwide, enabling criminals over the world to steal billions of dollars, transmit bomb threats, and exchange child exploitation materials,” said Matthew S. Axelrod of the U.S. Department of Commerce’s Bureau of Industry and Security (BIS).

FBI Director Christopher Wray addressed the scale of the operation, calling it “likely the world’s largest botnet ever.” He also said that the FBI released a guide to help users identify and remove the 911 S5 malware from their devices.

The U.S. has been concerned about sophisticated cyber threats, particularly those originating from China.

In January, the FBI dismantled the Chinese hacking group Volt Typhoon, which had been targeting U.S. infrastructure, including water plants and electric grids.

The 911 S5 botnet compromised over 19 million residential Windows computers worldwide, including 613,841 IP addresses in the United States.

YunHe Wang, a 35-year-old national of the People’s Republic of China and citizen-by-investment of St. Kitts and Nevis, was arrested on May 24 in Singapore.

The botnet enabled cybercriminals to bypass financial fraud detection systems, resulting in estimated fraudulent losses exceeding $5.9 billion from pandemic relief programs and billions more from financial institutions and federal lending programs.

Wang allegedly generated approximately $99 million from selling access to the hijacked IP addresses, using these proceeds to purchase luxury items and properties across multiple countries.

The 911 S5 botnet was used to commit a variety of crimes including financial fraud, identity theft, child exploitation, harassment, bomb threats, and illegal exportation of goods.

Cybercriminals purchased access to the compromised IP addresses to mask their identities and conduct illegal activities anonymously.

Wang allegedly propagated the malware through VPN programs like MaskVPN and DewVPN, and pay-per-install services that bundled his malware with other program files, including pirated software.

He managed and controlled approximately 150 dedicated servers worldwide, with 76 leased from U.S.-based online service providers.

The operation involved a coordinated effort by law enforcement agencies from the United States, Singapore, Thailand, and Germany.

Agents and officers conducted searches, seized assets valued at approximately $30 million, and identified additional property worth around $30 million.

Authorities seized 23 domains and over 70 servers, dismantling the 911 S5 botnet’s infrastructure.

Attorney General Merrick B. Garland said, “This Justice Department-led operation brought together law enforcement partners from around the globe to disrupt 911 S5. This case makes clear that the long arm of the law stretches across borders and into the deepest shadows of the dark web.”

“We arrested its administrator, YunHe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators. The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes,” said FBI Director Christopher Wray.

Principal Deputy Assistant Attorney General Nicole M. Argentieri said, “These criminals used the hijacked computers to conceal their identities and commit a host of crimes. Today’s announcement sends a clear message that we are firm in our resolve to disrupt the most technologically sophisticated criminal tools and hold wrongdoers to account.”

The botnet was instrumental in perpetrating financial fraud, with 560,000 fraudulent unemployment insurance claims resulting in confirmed losses exceeding $5.9 billion.

Over 47,000 fraudulent Economic Injury Disaster Loan (EIDL) applications originated from compromised IP addresses.

Law enforcement identified and seized numerous assets linked to Wang, including luxury vehicles such as a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, and a Rolls Royce.

Real estate holdings included 21 properties across Thailand, Singapore, the UAE, St. Kitts and Nevis, and the United States.

The operation was supported by various international law enforcement agencies and private sector partners, including the Singapore Police Force, Royal Thai Police, Chainalysis, the Shadowserver Foundation, and Microsoft.
