The FBI takes down one of the world's largest malicious botnets and arrests its administrator

Washington — Federal investigators have taken down one of the world's biggest malicious botnets, an operation that helped generate tens of thousands of fraudulent transactions that cost victims billions, including many related to COVID aid financing.

Police also arrested the botnet's administrator, YunHe Wang, a Chinese national. He is accused of orchestrating an international plot to deploy malware and covertly sell access to the IP addresses of the infected computers. IP addresses, a series of numbers and dots, act as unique identifiers for the devices and domains on the Internet, allowing them to communicate with each other and send information back and forth.

Wang is accused of leading an operation – known as the 911 S5 Botnet – that deployed 19 million compromised IP addresses in more than 190 countries and used them as “an infrastructure highway to carry out crimes such as bomb threats, financial fraud, identity theft, exploitation, initial access brokering and many other computer crimes,” said Principal Deputy Assistant Director Brett Leatherman of the FBI Cyber Division.

Officials confirmed that Wang was financially motivated, with no known direct ties to nation states.

According to court documents, Wang allegedly purchased $30 million worth of real estate in the US, St. Kitts and Nevis, China, Singapore, Thailand and the United Arab Emirates, and paid more than $4 million for luxury items including a BMW, Rolls Royce and several watches.

More than 600,000 of the IP addresses were in the US. Wang was arrested Friday and charged in a four-count indictment, including conspiracy and computer fraud.

According to court documents, Wang allegedly sold his unsuspecting victims various Virtual Private Network (VPN) programs.

VPN extensions are routinely used to encrypt an Internet connection and route it through a remote server to mask an IP address and hide the user's browsing history and location.

In this case, these VPN programs installed malicious software on the computers when downloaded, allowing their IP addresses to be secretly co-opted remotely. Investigators say Wang then distributed the stolen IP addresses to cybercriminals for millions of dollars to facilitate the illegal activities.

By operating under the guise of victims' IP addresses, cybercriminals were able to carry out their plans and avoid detection by law enforcement. According to prosecutors, in some cases Wang even sold access to the IP addresses based on the criminals' specific geographic needs.

Leatherman warned that the malicious VPN services that were downloaded include Mask VPN, Dew VPN, Paladin VPN, Proxy Gate, Shield VPN and Shine VPN.

“Cybercriminals have used the 911 S5 service to evade financial fraud detection systems in the United States and elsewhere and have successfully stolen billions of dollars from financial institutions, credit card issuers and account holders, and federal lending programs since 2014,” the charging documents say. In one case, prosecutors said more than $5.9 billion in potential losses from the pandemic were tied to IP addresses “exploited and trafficked” by Wang's botnet.

Researchers said a key aspect of the growing network of infected computers was the ability of Wang and his co-conspirators to infect victims without their knowledge and bypass software that usually detects viruses.

In total, prosecutors said Wang allegedly made more than $99 million from selling the hijacked IP addresses and worked with others to launder some of his proceeds through U.S. banks.

“The majority of the fraud stemmed from fraudulent applications for pandemic relief funds,” Leatherman said. “That is a significant theft against Americans who have been seeking financial relief related to the pandemic during very difficult times.”

“There is an entire ecosystem that enables the activities of cybercriminals, from Bitcoin to elder fraud to ransomware and illegal nation-state behavior,” he added.

“Working with our international partners, the FBI conducted a joint cyber operation to dismantle the 911 S5 Botnet – believed to be the world's largest botnet ever,” FBI Director Christopher Wray said in a statement on Wednesday.

FBI officials said both Singapore and Thailand authorities were “critical” to Wang's arrest after conducting searches and interviews and seizing assets. US officials are working with the Singapore government to extradite him to the US.

Law enforcement seized 23 domains and more than 70 servers, dismantling a network of infected devices that investigators say Wang and co-conspirators built between 2014 and 2022.

“You can never guarantee a 100% dismantling of these networks, but taking him into custody is also an important milestone for us,” Leatherman said. “The investigation is not over yet,” he added. “Through physical search warrants, interviews and seizures, we will hopefully identify artifacts and evidence that will lead us to other individuals using this service to target innocent American individuals and businesses.”

An attorney for Wang could not immediately be identified.

The FBI has a web page that allows potential victims to determine whether their device has been compromised and guides them through a self-healing process.
