DOJ Leads Takedown of ‘Likely the World’s Largest Botnet Ever’

In a big victory against cybercrime, the U.S. Justice Department, in collaboration with international law enforcement agencies, recently conducted a successful operation to dismantle a notorious botnet known as 911 S5.

This operation led to the arrest of YunHe Wang, a Chinese national, on charges related to the deployment of malware and the operation of 911 S5, the Justice Department said in a Wednesday (May 29) press release.

According to an unsealed indictment cited in the release, Wang and his associates are accused of creating and disseminating malware to compromise millions of residential Windows computers worldwide.

These infected devices, associated with over 19 million unique IP addresses, including more than 600,000 in the United States, formed the backbone of the 911 S5 botnet, the release said. Wang then profited by offering cybercriminals access to these infected IP addresses, enabling them to carry out various illegal activities.

Attorney General Merrick B. Garland emphasized the importance of this operation, stating in the press release that it brought together law enforcement partners from around the world to disrupt 911 S5.

FBI Director Christopher Wray highlighted the scale of the operation, describing 911 S5 as “likely the world’s largest botnet ever.” The botnet infected computers in nearly 200 countries, enabling cybercriminals to commit financial fraud, identity theft and child exploitation, Wray said in the release.

Wang allegedly propagated his malware through virtual private network (VPN) programs and pay-per-install services, according to the release. He controlled a network of approximately 150 dedicated servers worldwide, with a significant portion leased from U.S.-based online service providers. These servers allowed Wang to deploy and manage applications, control the infected devices, operate the 911 S5 service and provide paying customers with access to the compromised IP addresses.

The use of proxied IP addresses purchased from 911 S5 enabled cybercriminals to conceal their true identities and locations while committing a range of offenses, the release said.

Investigators estimate that billions of dollars were stolen from financial institutions, credit card issuers and federal lending programs, per the release. Moreover, fraudulent unemployment insurance claims and applications to the Economic Injury Disaster Loan program were linked to compromised IP addresses, resulting in large financial losses.

The operation was a coordinated effort involving law enforcement agencies from the United States, Singapore, Thailand and Germany, according to the release.

In an earlier operation, announced in August, law enforcement agencies from the U.S., France, Germany, the Netherlands, Romania and Latvia disrupted the botnet and malware known as Qakbot.

That botnet infrastructure was used by cybercriminals for ransomware attacks, financial fraud and other criminal activities and caused millions of dollars in damage.