DoJ shuts down 911 S5 Botnet that stole $5.9 billion COVID-19 funds

Botnet had 19 million infected devices in 190 countries

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

U.S. Department of Justice takes down “911 S5” botnet with 19 million infected devices across 190 countries

An official domain seizure notification was posted on the former 911 S5 proxy domain. (source: FBI/DOJ)

Botnets are the plague of the globally connected internet. A Windows XP system can be infected with malware within 10 minutes of connecting to the internet, without clicking a single link or installing any software.

The United States Department of Justice announced yesterday that it had disrupted and shut down a botnet known as “911 S5,” which it believes is the largest on record.

With 19 million infected devices across 190 countries, the botnet was used to commit cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

The botnet operated from 2014 to 2022 and “enabled billions of dollars in pandemic and unemployment fraud.” CNBC reports that the stolen COVID-19 fraud funds amount to $5.9 billion.

The network architecture of the 911 S5 botnet displays an infected host device with the 911 S5 malware as a proxy point to conduct other malicious cyber activities. (source: Krebs on Security)

YunHe Wang profited $99 million from 911 S5 botnet before his arrest

According to the DoJ, “YunHe Wang, 35, a People’s Republic of China national and St. Kitts and Nevis citizen-by-investment, was arrested on May 24 on criminal charges arising from his deployment of malware and the creation and operation of a residential proxy service known as ‘911 S5.’”

The botnet consisted of over 19 million unique IP addresses, with 613,841 IP addresses in the United States alone. Most infected devices were reported to be running the Windows operating system, although specific versions were not stated. All devices were considered “residential,” not within a corporate network.

Wang sold access to the infected devices, which malicious actors could repurpose to launch any cyber activity of their choice.

Wang was not afraid to spend his illegal profits on a lavish lifestyle spanning the globe.

Wang purchased real estate property in the U.S., St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates. The indictment identifies dozens of assets and properties subject to forfeiture, including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 web domains.

Botnet use included money laundering, bypassing export laws, and credit card fraud

According to the DoJ announcement, U.S. law enforcement initially focused on 911 S5 while investigating a money laundering and smuggling scheme. Criminal cyber actors originating from Ghana and the U.S. used hijacked IP addresses purchased from the 911 S5 botnet to place fraudulent orders using stolen credit cards on the Army and Air Force Exchange Service (AAFES) online e-commerce platform known as ShopMyExchange.

Although approximately 2,525 fraudulent orders valued at $5.5 million were submitted, credit card fraud detection systems and federal investigators were able to deny the bulk of the attempted purchases, reducing the actual loss to approximately $254,000.

Security researcher Brian Krebs originally reported on the 911 S5 botnet in 2022, highlighting how access to the botnet could be purchased for as little as $28.

The 911 S5 botnet proxy service as it looked in 2016. (source: Krebs on Security)

Response from the U.S. Executive Branch and Intelligence Community

Federal Bureau of Investigation Director Christopher Wray issued a statement following the arrest of Wang.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators. The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation. This operation demonstrates the FBI’s commitment to working shoulder-to-shoulder with our partners to protect American businesses and the American people, and we will work tirelessly to unmask and arrest the cybercriminals who profit from this illegal activity.”

U.S. DoJ Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division, added, “These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyberstalking. Cybercriminals should take note. Today’s announcement sends a clear message that the Criminal Division and its law enforcement partners are firm in their resolve to disrupt the most technologically sophisticated criminal tools and hold wrongdoers to account.”

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog