A Chinese national has been arrested for allegedly running a botnet of 19 million infected IP addresses in nearly 200 countries, amassing at least $99 million by leasing his network to criminals for cybercrimes including COVID-19 pandemic relief scams.
The Department of Justice (DOJ) said Wang Yunhe, 35, offered customers the use of his network of compromised IP addresses for a fee from 2014 until July 2022, according to a press release issued on May 29. The service, named “911 S5,” allowed cybercriminals to conceal their digital footprint when engaging in nefarious online activities.
Those offenses included financial crimes, stalking, transmitting bomb threats and threats of harm, illegal exportation of goods, and receiving and sending child exploitation materials.
Criminals are also alleged to have used the botnet service to bypass financial fraud detection systems in the United States and elsewhere, and to have stolen billions of dollars from financial institutions, credit card issuers, and federal lending programs, according to an indictment. About 560,529 fraudulent claims came from “IP addresses exploited and trafficked” by Mr. Wang’s botnet, leading to more than $5.9 billion in losses.
The network was “likely the world’s largest botnet ever,” the DOJ said, quoting FBI Director Christopher Wray.
Mr. Wang’s alleged scheme “reads like it’s ripped from a screenplay,” Assistant Secretary for Export Enforcement Matthew S. Axelrod from the Commerce Department’s Bureau of Industry and Security said in a statement.
Malware
According to the indictment, Mr. Wang went by several pseudonyms including “Jack Wan,” “Williams Tang,” and “Tom Long.” He was arrested in Singapore on May 24 and search warrants were executed in the Southeast Asian country and nearby Thailand, Brett Leatherman, the deputy assistant director for the FBI’s cyber division, said in a LinkedIn post.
Authorities also seized $29 million in cryptocurrency, according to Mr. Leatherman.
To build up his botnet, Mr. Wang allegedly began developing malicious Virtual Private Network (VPN) programs, such as MaskVPN, DewVPN, and Shine VPN, as early as 2011, according to the indictment. He then allegedly distributed his malware “with the intent to infect residential computers worldwide.”
A VPN is a service that typically hides a user’s IP address and encrypts an internet connection, diverting traffic through a remote server.
“Wang then managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S.-based online service providers,” the press release reads.
As of July 2022, Mr. Wang had amassed more than 19 million unique IP addresses by spreading his malware to computers worldwide. “[C]ybercriminals using the 911 S5 service were able to select by city, state, zip code, or country exactly the IP addresses through which they wanted to connect to the internet,” the indictment reads.
Of the 19 million IP addresses, Mr. Wang’s botnet included about 613,841 IP addresses in the United States, the indictment stated, and his malware infected about 346 computers in the Eastern District of Texas between April 2020 and July 2022.
The indictment stated that Mr. Wang’s botnet ceased operations in July 2022 but that infected computers “remain actively compromised.” Therefore, “the botnet remains available to be reconstituted into a new illicit proxy service at any time,” the document reads.
Cooperation
Attorney General Merrick B. Garland said international cooperation led to the dismantling of the botnet.
“The Justice Department led an international law enforcement operation stretching from Southeast Asia to Europe to the Caribbean, which disrupted 911 S5,” Mr. Garland said in a video statement. “As a result of our coordinated actions, the botnet has been taken down.”
According to the DOJ, law enforcement agencies in Singapore, Thailand, and Germany worked with U.S. officials in the case. The joint operation led to the seizure of 23 domains and over 70 servers.
“As today’s case makes clear, the long arm of the law stretches across borders and into the deepest shadows of the dark web,” Mr. Garland added.
Mr. Wang allegedly used the proceeds received from customers of his botnet to buy property in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates.
Mr. Wang is facing charges of conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, with a maximum 65-year prison sentence.
Federal authorities are seeking to seize dozens of assets and properties allegedly owned by Mr. Wang, according to the indictment. These include a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, and 21 residential or investment properties.
On May 28, the Treasury Department announced sanctions against Mr. Wang, his co-conspirator Liu Jinping, his attorney Zheng Yanni, and three Thailand-based companies under his control.