US arrests YunHe Wang for role in 911 S5 botnet scam

A global malware network, linked to the theft of $5.9 billion in Covid relief funds and crypto crimes, has been dismantled, the Department of Justice (DOJ) announced today. The network was also involved in child exploitation, bomb threats, and various cyberattacks.

The DOJ has arrested 35-year-old YunHe Wang, a Chinese national, who was charged with creating and operating the “911 S5” botnet. This type of malware connects a network of hacked devices, allowing criminals to remotely launch cyberattacks. FBI Director Christopher Wray described it as “likely the world’s largest botnet ever.”

From 2014 to 2022, Wang managed the 911 S5 botnet using approximately 150 servers worldwide, including some in the U.S. According to the indictment, the botnet compromised over 19 million IP addresses across nearly 200 countries, with about 614,000 IP addresses located in the U.S.

A separate analysis by blockchain analytics firm Chainalysis revealed that wallet addresses associated with Wang held over $130 million in digital assets earned through illicit commissions.

Researchers at Chainalysis stated: “The 911 S5 botnet provided these services by distributing deceptive free VPN services, claiming to offer enhanced privacy while actually using backdoors to hijack millions of IP addresses globally. This allowed the 911 S5 administrators to make millions annually through a subscription-based service for cybercriminals.”

The FBI has provided a guide for users to check if their devices were affected by the 911 S5 attack and instructions on how to remove the malware if necessary.

Wang allegedly sold access to the compromised IP addresses to cybercriminals, amassing at least $99 million. He reportedly used these illicit earnings to purchase luxury cars, watches, and properties around the world.

The DOJ stated that the 911 S5 botnet was used for various crimes, including fraud, stalking, harassment, and the illegal exportation of goods. It notably targeted Covid relief programs, filing an estimated 560,000 false unemployment insurance claims and stealing $5.9 billion.

“The conduct alleged here reads like it’s ripped from a screenplay,” said Assistant Secretary for Export Enforcement Matthew S. Axelrod of the U.S. Department of Commerce’s Bureau of Industry and Security.

This arrest follows the U.S. Treasury Department’s sanctions against Wang and two associates for their involvement with the 911 S5 botnet. The Treasury also sanctioned three companies owned or controlled by Wang: Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

Wang faces a maximum sentence of 65 years in prison on four criminal counts: conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.