International Operation Takes Down the World’s Largest Botnet, 911 S5
by Victoria Quintana on (May 31, 2024 at 5:33 AM)
Law enforcement agencies from the United States, Germany, Singapore, and Thailand have successfully dismantled the 911 S5 botnet. The malicious network, comprising over 19 million IP addresses across nearly 200 countries, was allegedly administered by 35-year-old YunHe Wang, who was arrested in Singapore on May 24th as part of the operation. Wang is a citizen of China and St. Kitts and is awaiting extradition to the United States.
The 911 S5 botnet, which operated from 2014 to July 2022, created a vast network of hijacked IP addresses, primarily targeting residential Windows devices, that cybercriminals could purchase access to. According to the unsealed indictment, Wang and his co-conspirators propagated malware through free Virtual Private Network (VPN) programs and pay-per-install services bundled with pirated software, allowing them to use the compromised devices as proxies without the owners' knowledge.
According to the U.S. Department of Justice (DOJ), the botnet's complex infrastructure included a network of approximately 150 dedicated servers worldwide, with 76 of them leased from U.S.-based providers. These servers formed the backbone of the operation, allowing the botnet's operators to control the infected devices, deploy malicious applications, and sell access to the compromised IP addresses.
Wide Range of Cybercrimes and Illegal Activities Committed
Investigators revealed that the botnet was used to facilitate a wide range of illegal activities, including financial fraud, identity theft, child exploitation, harassment, bomb threats, and even violations of export laws. “Since 2014, 911 S5 allegedly enabled cybercriminals to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs,” stated the DOJ. The 911 S5 botnet was linked to tens of thousands of fraudulent applications for U.S. government aid programs, including those related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
Wang, who allegedly received approximately $99 million from selling access to the proxied IP addresses, used the gains to purchase luxury vehicles, wristwatches, and 21 residential or investment properties across the U.S., St. Kitts and Nevis, China, Singapore, Thailand, and the U.A.E. If convicted on all counts, Wang could face a maximum penalty of up to 65 years in prison for conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. The U.S. Treasury Department imposed sanctions on Wang and his alleged co-conspirators, Jingping Liu and Yanni Zheng. Sanctions were also imposed on three Thailand-based entities believed to be under Wang's control: Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.
The takedown of the botnet required extensive international cooperation and coordination. Law enforcement agencies seized 23 domains and over 70 servers that were crucial to the botnet's operation, and identified assets valued at approximately $30 million, with an additional $30 million in forfeitable property. FBI Director Christopher Wray noted, "Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world's largest botnet ever. We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators."
The FBI, the Defense Criminal Investigative Service, and the Department of Commerce's Office of Export Enforcement have published a public service announcement (the “PSA”) for individuals and businesses to better understand and guard against the 911 S5 residential proxy service and botnet. The PSA is available at ic3.gov/Media/Y2024/PSA240529.
Instructions on how to identify and remove VPN applications that contain 911 S5 back doors are available at https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors.