
Arrested 911 S5 operator YunHe Wang's gang hijacked over 19 million computers

Dall-E 3 botnet rendition

The administrator of 911 S5, a massive worldwide network of compromised computers that was rented out for criminal purposes and caused billions of dollars in losses, has been arrested and will stand trial in the United States.

An indictment filed in a Texas District Court alleges that Chinese and St Kitts and Nevis national YunHe Wang used malware purporting to be virtual private network (VPN) applications, to compromise over 19 million Windows computers around the world.

The malware was distributed under the names ProxyGate, MaskVPN, DewVPN and Shine VPN, and contained a backdoor that turned each infected machine into a residential proxy server. Wang and others are said to have sold access to these proxies for criminals to abuse.

In doing so, Wang is alleged to have earned millions of dollars in fees. The botnet, known as 911 S5, was active between 2014 and 2022, when it was taken down by its operators. It is thought to be one of the largest of its kind, with over 19 million unique internet protocol (IP) addresses recorded.

By routing their traffic through 911 S5 proxies, criminals were able to hide their own IP addresses in order to commit financial crime, stalking and the issuing of threats, as well as to send illegal material.

What's more, US prosecutors allege the 911 S5 botnet enabled criminals to bypass fraud detection systems to steal billions of dollars from financial institutions, credit card issuers and US federal lending programmes.

Among these were Covid-19 pandemic relief programmes, the Justice Department alleged.

... the United States estimates that 560,000 fraudulent unemployment insurance claims originated from compromised IP addresses, resulting in a confirmed fraudulent loss exceeding US$5.9 billion. Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5. Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5.

The 911 S5 operation was technically elaborate, with Wang said to have managed and controlled around 150 dedicated servers worldwide.

Wang is alleged to have received approximately US$99 million from selling access to computers compromised by 911 S5, being paid in either fiat currency or cryptocurrencies.

He is said to have spent the ill-gotten gains on 21 properties in the US, China, Singapore, Thailand, the United Arab Emirates and the West Indies island of St Kitts and Nevis, where he also obtained citizenship.

The indictment also identifies Wang as the owner of luxury cars such as a 2022 Ferrari F8 Spider S-A, a BMW i8 and X7 M50, a Rolls Royce and several more assets.

Wang's undoing began when Ghanaian and US criminals leasing access to 911 S5 used stolen credit cards to place orders on the US Army and Air Force Exchange Service ShopMyExchange.

Over 2500 orders worth US$5.5 million were placed, but fraud detection systems and US investigators were able to stop the bulk of them, reducing the losses to around US$254,000.

The US Office of Foreign Assets Control (OFAC) has also sanctioned Wang, along with two other Chinese individuals, Jingping Liu and Yanni Zheng. Three companies registered in Thailand and owned by Wang are also on the OFAC list, namely Spicy Code Company Ltd, Tulip Biz Pataya Group Company Ltd, and Lily Suites Company Ltd.

As with several other recent anti-cybercrime operations by authorities, the move against Wang and 911 S5 involved multiple police forces worldwide and security researchers cooperating and sharing information with each other.

If convicted, Wang faces up to 65 years in prison.
