The U.S. Department of Justice (DoJ) on Wednesday said it dismantled what it described as “likely the world’s largest botnet ever,” which consisted of an army of 19 million infected devices that was leased to other threat actors to commit a wide array of offenses.
The botnet, which has a global footprint spanning more than 190 countries, functioned as a residential proxy service known as 911 S5. A 35-year-old Chinese national, YunHe Wang, was arrested in Singapore on May 24, 2024, for creating and acting as the primary administrator of the illegal platform from 2014 to July 2022.
Wang has been charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, Wang faces a maximum penalty of 65 years in prison.
The Justice Department said the botnet was used to carry out cyber attacks, financial fraud, identity theft, child exploitation, harassment, bomb threats, and export violations.
It’s worth noting that Wang was identified as the proprietor of 911 S5 by security journalist Brian Krebs in July 2022, following which the service abruptly shut down on July 28, 2022, citing a data breach of its key components.
Although it was resurrected under a different brand name called CloudRouter a few months later, according to Spur, the service has since ceased operations sometime this past weekend, the cybersecurity company’s co-founder Riley Kilmer told Krebs.
“Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide,” according to an unsealed indictment.
“These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.”
Residential proxies (RESIPs) are networks of legitimate user devices that route traffic on behalf of paid subscribers. It typically involves the providers renting access to redirect network traffic through computers, smartphones, or routers belonging to real users.
The main objective of using such proxyware services to funnel traffic through the IP addresses of these devices so as to anonymize the source of the malicious requests.
Court documents accuse Wang of allegedly propagating the malware through free Virtual Private Network (VPN) programs, such as MaskVPN and DewVPN, as well as other pay-per-install services that bundled it with pirated software.
The defendant is estimated to have managed an infrastructure encompassing 150 servers worldwide, 76 of which were taken from U.S. based online service providers.
“Using the dedicated servers, Wang deployed and managed applications, commanded and controlled the infected devices, operated his 911 S5 service, and provided paying customers with access to proxied IP addresses associated with the infected devices,” the DoJ said.
It’s also alleged that 911 S5 allowed criminal actors to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs, including pandemic relief and the Economic Injury Disaster Loan (EIDL) program, by submitting fraudulent claims that originated from compromised IP addresses.
Furthermore, the service made it possible for attackers residing outside the U.S. to purchase goods with stolen credit cards or criminally derived proceeds, and illegally export them outside of the country in contravention of U.S. export laws.
Wang, for his part, is estimated to have received approximately $99 million from selling access to the hijacked proxied IP addresses, using the ill-gotten money to purchase four luxury cars, several expensive wristwatches, and 21 residential or investment properties across the U.S., China, Singapore, Thailand, and the U.A.E.
Other digital assets owned by Wang include over a dozen domestic and international bank accounts and more than 24 cryptocurrency wallets, which were used to pull off the scheme. Blockchain analytics firm Chainalysis revealed that the addresses associated with Wang hold $136.4 million in cryptocurrency.
Our mission is to educate our customer base, build capacity in every country we operate in and make cyber security affordable to all