DoJ shuts down 911 S5 Botnet that stole $5.9 billion COVID-19 funds
Botnet had 19 million infected devices in 190 countries
Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.
U.S. Department of Justice takes down “911 S5” botnet with 19 million infected devices across 190 countries
An official domain seizure notification was posted on the former 911 S5 proxy domain. (source: FBI/DOJ)
Botnets are the plague of the globally connected internet. A Windows XP operating system can be infected with malware within 10 minutes of an internet connection, without clicking a single link or installing any software.
The United States Department of Justice announced yesterday that it had disrupted and shut down a botnet known as “911 S5,” which it believes is the largest on record.
With 19 million infected devices across 190 countries, the botnet was used to commit cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.
The botnet operated from 2014 to 2022 and “enabled billions of dollars in pandemic and unemployment fraud.” CNBC reports that the stolen COVID-19 fraud funds amount to $5.9 billion.
The network architecture of the 911 S5 botnet: a host device infected with the 911 S5 malware serves as a proxy point for conducting other malicious cyber activity. (source: Krebs on Security)
YunHe Wang profited $99 million from 911 S5 botnet before his arrest
According to the DoJ, “YunHe Wang, 35, a People’s Republic of China national and St. Kitts and Nevis citizen-by-investment, was arrested on May 24 on criminal charges arising from his deployment of malware and the creation and operation of a residential proxy service known as ‘911 S5.’”
The botnet consisted of over 19 million unique IP addresses, with 613,841 IP addresses in the United States alone. Most infected devices were reported as running the Windows operating system, although specific versions were not stated. All devices were considered “residential,” not within a corporate network.
Wang sold access to the infected devices, which malicious actors could repurpose to launch whatever cyber activity they chose.
Wang was not afraid to spend his illegal profits on a lavish lifestyle spanning the globe.
Wang purchased real estate property in the U.S., St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates. The indictment identifies dozens of assets and properties subject to forfeiture, including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 web domains.
Botnet use included money laundering, bypassing export laws, and credit card fraud
According to the DoJ announcement, U.S. law enforcement initially focused on 911 S5 while investigating a money laundering and smuggling scheme. Criminal cyber actors originating from Ghana and the U.S. used hijacked IP addresses purchased from the 911 S5 botnet to place fraudulent orders with stolen credit cards on the Army and Air Force Exchange Service (AAFES) e-commerce platform, ShopMyExchange.
Although approximately 2,525 fraudulent orders valued at $5.5 million were submitted, credit card fraud detection systems and federal investigators were able to deny the bulk of the attempted purchases, reducing the actual loss to approximately $254,000.
Security researcher Brian Krebs originally reported on the 911 S5 botnet in 2022, highlighting how access to the botnet could be purchased for as little as $28.
The 911 S5 botnet proxy service as it looked in 2016. (source: Krebs on Security)
Response from the U.S. Executive Branch and Intelligence Community
Federal Bureau of Investigation Director Christopher Wray issued a statement following the arrest of Wang.
“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.
“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators. The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation. This operation demonstrates the FBI’s commitment to working shoulder-to-shoulder with our partners to protect American businesses and the American people, and we will work tirelessly to unmask and arrest the cybercriminals who profit from this illegal activity.”
U.S. DoJ Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division, added, “These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyberstalking. Cybercriminals should take note. Today’s announcement sends a clear message that the Criminal Division and its law enforcement partners are firm in their resolve to disrupt the most technologically sophisticated criminal tools and hold wrongdoers to account.”
Latest Cybersecurity News
What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.
New from our favorite blogs and journalists:
Europol Shuts Down 100+ Servers Linked to IcedID, TrickBot, and Other Malware (The Hacker News)
Okta Warns of Credential Stuffing Attacks Targeting Customer Identity Cloud (The Hacker News)
Cybercriminals Abuse Stack Overflow to Promote Malicious Python Package (The Hacker News)
Check Point Warns of Zero-Day Attacks on its VPN Gateway Products (The Hacker News)
Human vulnerability remains top threat: Report (CSOOnline)
US healthcare agency to invest $50M in threat detection tools that predict attackers’ next moves (CSOOnline)
Third-party software supply chain threats continue to plague CISOs (CSOOnline)
Nurses at Ascension hospital in Michigan raise alarms about safety following ransomware attack (The Record)
Germany's cyber ambassador on the response to Russia: 'All of this takes time' (The Record)
Latest Cybersecurity Podcasts
Check out these great new cybersecurity podcasts for insight from cybersecurity professionals and industry perspectives.
Discarded: Decrypting cyber threats: Tactics, takedowns and resilience (Proofpoint)
Shielding Small Businesses: Tips for Defending Against Cyber Threats (RSA Conference)
CyberNews Episode #41: Microsoft Recall, Scarlett Johansson & OpenAI (CyberNews)
Risky Business #748: New cyber rules for US healthcare are coming (Risky.biz)
Cloud Security Podcast: EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework (Google Cloud)
Cloud Security Podcast: EP173 SAIF in Focus: 5 AI Security Risks and SAIF Mitigations (Google Cloud)
Until next time…
Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog