Chinese national cuffed on charges of running 'likely the world's largest botnet ever'

DoJ says 911 S5 crew earned $100M from 19 million PCs pwned by fake VPNs


US authorities have arrested the alleged administrator of what FBI director Christopher Wray has described as "likely the world's largest botnet ever," comprising 19 million compromised Windows machines used by its operators to reap millions of dollars over the last decade.

"Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet," Wray declared in a Justice Department statement. "We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators."

Wray alleged the 911 S5 Botnet infected computers in nearly 200 countries and "facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation."

Wang is alleged not to have acted alone: a US Treasury announcement names Jingping Liu and Yanni Zheng as participants. Treasury also claimed that Wang netted around $99 million from his operations and spent some of that loot on a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, and a Rolls-Royce.

Treasury's Office of Foreign Assets Control (OFAC) claimed the 911 S5 botnet was used by cyber criminals to file fraudulent Coronavirus aid relief claims, "resulting in the loss of billions of dollars to the US government." IP addresses compromised by 911 S5 were also linked to bomb threats issued in the US. Other residential IP addresses were abused "to commit widespread cyber-enabled fraud using compromised victim computers," OFAC alleged.

Yunhe Wang – who also holds an investor's passport giving citizenship to the Caribbean nation of St Kitts and Nevis – is accused of being 911 S5's primary administrator, while Jingping Liu is described as being a co-conspirator who laundered 911 S5 proceeds for Wang. Yanni Zheng was sanctioned for acting with power of attorney for Wang in making business transactions. Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited – all owned by Wang – were also sanctioned by OFAC.

Wang faces 65 years in prison if convicted on charges of conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. The DoJ revealed it has recovered around $60 million in purloined assets and has taken control of 23 domains and over 70 servers.

911 S5's modus operandi has been known to the infosec community for several years, according to researchers from the University of Sherbrooke in Canada, who published an analysis of the botnet in 2022.

According to the Sherbrooke team, the botnet operated by offering customers a paid VPN service, one that also opened a backdoor into their machines for illicit use. The named services were Mask VPN, Dew VPN, Paladin VPN, ProxyGate, Shield VPN, and Shine VPN.

Anyone who bought access to 911 S5 could route traffic through any number of machines infected via Mask, Dew, or the other named VPN apps. The Sherbrooke team noted there was no vetting of 911 customers – so anyone could use the service to commit cyber crimes from someone else's residential IP address.

Sherbrooke noted that the full extent of the 911 service was unknown, but the Treasury and DoJ's estimate paints a picture of a far larger botnet than the academics identified two years ago. ®
