Skip to content

Chinese National Arrested for Allegedly Operating ‘World’s Largest Botnet’

A Chinese national has been arrested for allegedly running a botnet of 19 million infected IP addresses in nearly 200 countries, amassing at least $99 million by leasing his network to criminals for cybercrimes including COVID-19 pandemic relief scams.

The Department of Justice (DOJ) said Wang Yunhe, 35, offered customers the use of his network of compromised IP addresses for a fee from 2014 until July 2022, according to a statement issued on May 29. The service, named “911 S5,” allowed cybercriminals to conceal their digital footprint when engaging in nefarious online activities.

Those offenses included financial crimes, stalking, transmitting bomb threats and threats of harm, illegal exportation of goods, and receiving and sending child exploitation materials.

Criminals are also alleged to have used the botnet service to bypass financial fraud detection systems in the United States and elsewhere, and to steal billions of dollars from financial institutions, credit card issuers, and federal lending programs, according to a federal indictment. About 560,529 fraudulent claims came from “IP addresses exploited and trafficked” by Mr. Wang’s botnet, leading to more than $5.9 billion in losses.

The network was “likely the world’s largest botnet ever,” the DOJ stated, quoting FBI Director Christopher Wray.

Mr. Wang’s alleged scheme “reads like it’s ripped from a screenplay,” Matthew S. Axelrod, assistant secretary for export enforcement in the Commerce Department’s Bureau of Industry and Security, said in a statement.MalwareAccording to the indictment, Mr. Wang went by several pseudonyms including “Jack Wan,” “Williams Tang,” and “Tom Long.” He was arrested in Singapore on May 24, and search warrants were executed in the Southeast Asian country and nearby Thailand, Brett Leatherman, deputy assistant director for the FBI’s cyber division, said in a LinkedIn post.Related StoriesUS Sanctions 3 Chinese Nationals Accused of Malicious Botnet Involvement5/29/2024US Sanctions 3 Chinese Nationals Accused of Malicious Botnet InvolvementUS, Partners Dismantle Russian Hacking ‘Botnet,’ Justice Department Says6/19/2022US, Partners Dismantle Russian Hacking ‘Botnet,’ Justice Department Says

Authorities also seized $29 million in cryptocurrency, according to Mr. Leatherman.

To build up his botnet, Mr. Wang allegedly began developing malicious virtual private network (VPN) programs, such as MaskVPN, DewVPN, and Shine VPN, as early as 2011, according to the indictment. He then allegedly distributed his malware “with the intent to infect residential computers worldwide.”

A VPN is a service that typically hides a user’s IP address and encrypts an internet connection, diverting traffic through a remote server.

“Wang then managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S.-based online service providers,” the statement reads.

As of July 2022, Mr. Wang amassed more than 19 million unique IP addresses by spreading his malware to computers worldwide. “Cybercriminals using the 911 S5 service were able to select by city, state, zip code, or country exactly the IP addresses through which they wanted to connect to the internet,” the indictment reads.

Of the 19 million IP addresses, Mr. Wang’s botnet included about 613,841 IP addresses in the United States, according to the indictment, and his malware infected about 346 computers in the Eastern District of Texas between April 2020 and July 2022.

Mr. Wang’s botnet ceased operations in July 2022, but infected computers “remain actively compromised,” the indictment states, and so “the botnet remains available to be reconstituted into a new illicit proxy service at any time.”CooperationAttorney General Merrick Garland said international cooperation led to the dismantling of the botnet.“The Justice Department led an international law enforcement operation stretching from Southeast Asia to Europe to the Caribbean, which disrupted 911 S5,” Mr. Garland said in a video statement. “As a result of our coordinated actions, the botnet has been taken down.”

According to the DOJ, law enforcement agencies in Singapore, Thailand, and Germany worked with U.S. officials on the case. The joint operation led to the seizure of 23 domains and more than 70 servers.

“As today’s case makes clear, the long arm of the law stretches across borders and into the deepest shadows of the dark web,” Mr. Garland said.

Mr. Wang allegedly used the proceeds received from customers of his botnet to buy property in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates.

Mr. Wang is facing charges of conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, with a maximum prison sentence of 65 years.

Federal authorities are seeking to seize dozens of assets and properties allegedly owned by Mr. Wang, according to the indictment. These include a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, more than two dozen cryptocurrency wallets, several luxury wristwatches, and 21 residential or investment properties.

On May 28, the Treasury Department announced sanctions against Mr. Wang, his co-conspirator Liu Jinping, his attorney Zheng Yanni, and three Thailand-based companies under his control.The Associated Press contributed to this report. 

Source link