URL: https://therecord.media/911-S5-botnet-takedown-arrest

The splash page for the takedown of the 911 S5 botnet.
James Reddick
May 29th, 2024
 * Cybercrime
 * Malware
 * News
 * China

BOTNET DOWN AND ADMINISTRATOR ARRESTED IN 911 S5 CASE, FBI SAYS

The FBI and international partners say they have dismantled a massive botnet
that had infected more than 19 million IP addresses across 200 countries and was
used for years to conceal cybercrime. 

The 911 S5 botnet’s alleged administrator, Chinese national YunHe Wang, was
arrested on May 24 and faces up to 65 years in prison, the Department of Justice
said.

On Tuesday, Wang and several alleged associates, as well as three Thai
businesses, were sanctioned by the Treasury Department in relation to the
botnet. 

Beginning in 2014, Wang allegedly created and disseminated malware that
compromised millions of Windows operating systems, including more than 600,000
IP addresses in the U.S., prosecutors said.

He allegedly generated about $99 million from subscribers to the residential
proxy service, which gave people access to the compromised IP addresses so they
could mask their online activity. He faces charges related to computer fraud,
wire fraud and money laundering. 

“This Justice Department-led operation brought together law enforcement partners
from around the globe to disrupt 911 S5, a botnet that facilitated
cyber-attacks, large-scale fraud, child exploitation, harassment, bomb threats,
and export violations,” said Attorney General Merrick B. Garland. 

Prosecutors say that customers using the service stole $5.9 billion from federal
pandemic relief programs through fraudulent applications.

Wang is accused of spreading malware through malicious virtual private network
(VPN) programs like MaskVPN and DewVPN, as well as pirated materials bundled
with the malware. He allegedly had approximately 150 servers worldwide, about
half of which were leased from U.S.-based service providers. 

Authorities seized 23 internet domains and more than 70 servers, which the DOJ
said were the “backbone” of a prior residential proxy service that shuttered in
2022, as well as a “recent incarnation of the service.” 

“By seizing multiple domains tied to the historical 911 S5, as well as several
new domains and services directly linked to an effort to reconstitute the
service, the government has successfully terminated Wang’s efforts to further
victimize individuals through his newly formed service Clourouter.io and closed
the existing malicious backdoors,” the DOJ said. 

Investigators allege Wang used the proceeds from the service to buy property in
the U.S., China, Singapore, Thailand, the United Arab Emirates and St. Kitts and
Nevis, where he also has citizenship. A substantial collection of luxury cars —
like a Ferrari F8, several BMWs and a Rolls Royce — is subject to forfeiture,
along with his 21 properties.

911 S5 came onto law enforcement’s radar during an investigation into more
than 2,000 fraudulent orders placed with stolen credit cards on an e-commerce
platform called ShopMyExchange, which is connected to the Army and Air Force
Exchange Service. The perpetrators in Ghana and the U.S. were allegedly using IP
addresses acquired from 911 S5.

The Justice Department has taken out multiple botnets this year with links to
nation-state hacking activity. In January, it announced an operation to
dismantle a botnet consisting of infected home routers used by the China-linked
hacking group Volt Typhoon. 

The following month, the DOJ said it dismantled a similar botnet used by the
APT28 group within Russia’s Main Intelligence Directorate of the General Staff
(GRU).

James Reddick

has worked as a journalist around the world, including in Lebanon and in
Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also
a radio and podcast producer for outlets like Snap Judgment.

© Copyright 2024 | The Record from Recorded Future News