Feds take down one of world’s largest malicious botnets and arrest its administrator

washington — Federal investigators took down one of the biggest malware in the world botnetswhich helped generate tens of thousands of fraudulent transactions that cost victims billions – including many related to COVID relief financing.

Law enforcement also arrested the botnet administrator, YunHe Wang, a Chinese national. He was accused of orchestrating an international conspiracy to deploy malware and surreptitiously sell access to the IP addresses of infected computers. IP addresses, a sequence of numbers and dots, act as unique identifiers for devices and domains on the Internet, allowing them to communicate with each other and send information.

Wang is tasked with leading an operation – known as the 911 S5 Botnet – that has deployed 19 million compromised IP addresses in more than 190 countries, using them as “an infrastructure highway to carry out crimes such as bomb threats, financial fraud, identity theft, child identity theft.” exploitation, early access brokering and many other computer crimes,” according to FBI Cyber ​​Division Deputy Assistant Director Brett Leatherman.

Authorities confirmed that Wang was financially motivated, with no known direct ties to nation-states.

Wang reportedly bought $30 million worth of properties in the US, Saint Kitts and Nevis, China, Singapore, Thailand and the United Arab Emirates, and paid more than $4 million for luxury items, including a BMW, Rolls Royce and several watches, according to the court. documents.

More than 600 thousand IP addresses were in the USA. Wang was arrested on Friday and charged with four counts, including conspiracy and computer fraud.

According to court documents, Wang allegedly sold his unsuspecting victims several Virtual Private Network (VPN) programs.

VPN extensions are routinely used to encrypt an Internet connection by routing it through a remote server to mask an IP address and hide the user’s browsing history and location.

In this case, these VPN programs installed malicious software on computers when downloaded, secretly allowing their IP addresses to be co-opted remotely. Investigators said Wang then distributed the stolen IP addresses to cybercriminals for millions of dollars to facilitate illicit activity.

By operating under the guise of victims’ IP addresses, cybercriminals could carry out their schemes and avoid detection by authorities. In some cases, according to prosecutors, Wang even sold access to IP addresses based on criminals’ specific geographic needs.

Leatherman warned that the malicious VPN services downloaded included Mask VPN, Dew VPN, Paladin VPN, Proxy Gate, Shield VPN and Shine VPN.

“Cybercriminals used the 911 S5 service to bypass financial fraud detection systems in the United States and elsewhere and successfully stole billions of dollars from financial institutions, credit card issuers and account holders, and federal loan programs since 2014,” according to charging documents. . In one case, prosecutors said more than $5.9 billion in potential losses from pandemic relief fraud were linked to IP addresses “exploited and trafficked” by Wang’s botnet.

Investigators said a key aspect of the growing network of infected computers was the ability of Wang and his co-conspirators to infect victims without their knowledge and bypass software that usually detects viruses.

In all, prosecutors said Wang allegedly made more than $99 million from sales of the hijacked IP addresses and worked with others to launder some of his proceeds through U.S. banks.

“Most of the fraud came from fraudulent applications for pandemic relief funds,” Leatherman said. “This is a significant theft against Americans who, in very difficult times, were looking for pandemic-related financial relief.”

“There is an entire ecosystem that enables the activities of cyber criminals, from Bitcoin to older frauds, ransomware and illicit conduct by nation states,” he added.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet – likely the world’s largest botnet of all time,” FBI Director Christopher Wray said in a statement Wednesday. .

FBI officials said authorities in Singapore and Thailand were “critical” of Wang’s arrest after conducting searches and interviews and seizing assets. US authorities are working with the Singapore government to extradite him to the US

Authorities seized 23 domains and more than 70 servers, dismantling a network of infected devices that investigators say Wang and co-conspirators built from 2014 to 2022.

“We can never guarantee 100% dismantling of these networks, but taking it into custody also serves as a key milestone for us,” noted Leatherman. “The investigation is not over,” he added. “Through physical search warrants, conducting interviews and seizures, we hope to identify artifacts and evidence that will lead us to other individuals using this service to target innocent American individuals and corporations.”

A lawyer for Wang could not immediately be identified.

The FBI created a Web page to allow potential victims to determine whether their device has been compromised and walk them through a self-healing process.