U.S. Takes Down the World’s Largest 911 S5 Botnet, Involving 19 Million Infected Devices

The United States Department of Justice (DoJ) announced on Wednesday the dismantling of what it claims to be “likely the world’s largest botnet,” which was composed of approximately 19 million compromised devices. These infected machines were made available to various malicious actors for a variety of cybercrimes. This extensive botnet, known as 911 S5, had a presence in over 190 nations and served as a residential proxy service.

A key figure behind the operation, 35-year-old YunHe Wang, a Chinese national, was arrested in Singapore on May 24, 2024. Investigations revealed that Wang created and managed this illegal platform from 2014 until July 2022. He faces a multitude of charges, including conspiracy to commit computer fraud and money laundering, with potential prison sentences totaling up to 65 years if convicted on all counts.

The botnet facilitated a range of cyber-related criminal activities, including but not limited to cyberattacks, identity theft, child exploitation, and even bomb threats. Security journalist Brian Krebs had previously identified Wang as the mastermind behind 911 S5 in July 2022, shortly before the service went offline, ostensibly due to a data breach. Although the operation attempted a comeback under a new name, CloudRouter, it reportedly ceased activities just recently.

Wang’s operations were intricate, employing malware distributed through free Virtual Private Network (VPN) services like MaskVPN and DewVPN, as well as bundled with pirated software through pay-per-install schemes. According to court documents, the malware compromised millions of devices, amassing a network associated with over 19 million unique IP addresses, nearly 614,000 of which were located in the United States. Wang is alleged to have profited upwards of $99 million by leasing these compromised IP addresses to cybercriminals.

From a technical perspective, the activities associated with Wang’s operation map onto several tactics in the MITRE ATT&CK framework. Initial access may have been achieved through the compromised free VPN applications, while persistence could stem from the malware embedded in otherwise legitimate software. Additionally, the botnet’s architecture may have relied on privilege escalation through the exploitation of vulnerable systems across the infected devices.

As a result of this coordinated international effort, which involved law enforcement from the U.S., Singapore, Thailand, and Germany, authorities have disrupted a significant portion of the 911 S5 infrastructure, taking down over 70 servers and seizing assets valued around $30 million. Furthermore, the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on Wang and associated entities, underlining the seriousness of cybercriminal endeavors on a global scale.

Wang reportedly controlled numerous digital assets, including multiple bank accounts and cryptocurrency wallets, with one analytics firm estimating that these wallets contained around $136.4 million in crypto. Notably, it is alleged that the 911 S5 service enabled various actors to evade fraud detection systems, leading to substantial financial losses for institutions through scams, identity theft, and regulatory violations.

This incident serves as a stark reminder of the vulnerabilities facing businesses today, where cyber threats can originate from large-scale operations. Understanding the various tactics and techniques employed by adversaries is crucial for business owners as they seek to bolster their cybersecurity measures and mitigate potential risks.

With the operational landscape of cybercrime ever-evolving, the necessity for proactive security strategies within organizations has never been greater. The complexities and scale of these operations underline the importance of vigilance, strategic planning, and thorough cybersecurity education to combat such pervasive threats.
