The United States Department of Justice on Wednesday announced charges against a 35-year-old Chinese national, Yunhe Wang, accused of operating a massive botnet allegedly linked to billions of dollars in fraud, child exploitation, and bomb threats, among other crimes.
Wang, identified by numerous pseudonyms—Tom Long and Jack Wan, among others—was arrested on May 24 and is accused of distributing malware through various pop-up VPN services, such as “ProxyGate” and “MaskVPN,” and by embedding viruses in internet files distributed via peer-to-peer networks known as torrents.
The malware is said to have compromised computers located in nearly every country in the world, turning them into proxies through which criminals were able to hide their identities while committing countless crimes. According to prosecutors in the US, this included the theft of billions of dollars slated for Covid-19 pandemic relief—funds allegedly stolen by foreign actors posing as unemployed US citizens.
According to an indictment, the infected computers allegedly provided Wang’s customers with a persistent backdoor, allowing them to disguise themselves as any one of the victims of Wang’s malware. This illicit proxy service, known as “911 S5,” launched as early as 2014, the US government says.
“The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation,” says FBI director Christopher Wray, who described the illicit service as “likely the world’s largest botnet ever.”
The US Treasury Department has also sanctioned Wang and two other individuals allegedly tied to 911 S5.
Wang is said to have amassed access to nearly 614,000 IP addresses in the US and more than 18 million others worldwide—collectively forming the botnet. 911 S5’s customers were able to filter the IPs geographically to choose where they’d like to appear to be located, down to a specific US zip code, the DOJ claims.
The indictment reveals that of the 150 servers dedicated to managing the botnet, up to 76 were rented from US-based service providers. Among these providers was the one hosting 911 S5’s client interface. This platform enabled criminals abroad to acquire goods with stolen credit cards, frequently with the alleged aim of bypassing US export regulations.
It’s alleged that over half a million fraudulent claims filed with pandemic relief programs in the US are connected to 911 S5. According to the indictment, almost $6 billion in losses have been associated with IP addresses seized by 911 S5. Many of these IP addresses are reported to be linked to more serious offenses, including bomb threats and the trafficking of child sexual abuse material, or CSAM.
Damien Diggs, the US attorney for the Eastern District of Texas, where Wang was indicted by a grand jury earlier this month, states, “Proxy services like 911 S5 are widespread threats hiding criminals behind the compromised IP addresses of home computers across the globe.”
Nicole Argentieri, head of the Justice Department’s Criminal Division, adds, “These criminals employed the hijacked computers to hide their identities and commit a range of offenses, from fraud to cyberstalking.”
At the time of writing, it is unclear whether these virtual impersonations resulted in any criminal investigations or charges against US-based victims whose IP addresses were hijacked as part of the 911 S5 botnet. We are awaiting a response from the Department of Justice regarding this concern.
According to the Justice Department, law enforcement agencies in Singapore, Thailand, and Germany collaborated with US authorities to effect Wang’s arrest.
Wang faces charges of conspiracy, computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, with a maximum penalty of 65 years in prison. The US is also seeking to seize a mountain of luxury cars and goods allegedly owned by Wang, including a 2022 Ferrari Spider valued at roughly half a million dollars as well as a Patek Philippe watch worth potentially several times that amount.