911 S5 botnet: US imposes sanctions against cybercriminals from China and Thailand

Tomcat

Tomcat

Professional
Messages
2,689
Reaction score
916
Points
113
How an international proxy network was used to steal social security payments.

The US Treasury Department has imposed sanctions on a network of cybercriminals that includes three Chinese citizens and three companies from Thailand. The subjects are linked to a large botnet that controlled a resident proxy service called "911 S5".

Detection and operation of the 911 S5

In June 2022, researchers from the Canadian University of Sherbrooke revealed that the 911 S5 lured victims by offering a free VPN. The VPN was used to install malware that added victims IP addresses to the 911 S5 botnet. At that time, the botnet controlled about 120,000 resident proxy nodes around the world, each of which interacted with several C2 servers located abroad or hosted on a cloud server.

Stopping and reviving the botnet

A month later, investigative journalist Brian Krebs reported that the 911 S5 stopped working after destroying key components of its business operations due to a security breach. However, the botnet was revived a few months later under the name CloudRouter, according to a report by Spur Intelligence in February.

4luj3vt4b9p25ak5rdrnkh0diur8jiy8.png

CloudRouter Interface

OFAC measures and damages

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) said the 911 S5 botnet was a malicious service that compromised victims ' computers and allowed cybercriminals to proxy their Internet connections through infected computers.

Infected devices allowed criminals to disguise their actions, shifting responsibility to the victims ' computers. The botnet compromised about 19 million IP addresses, allowing cybercriminals to file tens of thousands of fraudulent applications for programs related to the CARES Act, resulting in losses of billions of dollars.

830yyvbth8steq7vhnf8dxyf2xizeco3.png

Fares for 911 S5

Sanctions against participants

OFAC has imposed sanctions against the following individuals and companies:
  • Yunhe Wang (911 S5 administrator);
  • Jingping Liu (money launderer);
  • Yanni Zheng (Eunhae Wang's confidant);
  • Spicy Code Company Limited;
  • Tulip Biz Pattaya Group Company Limited;
  • Lily Suites Company Limited.

According to OFAC documents, "the listed individuals and legal entities used the botnet to compromise personal devices, which allowed cybercriminals to fraudulently receive economic assistance intended for those in need."

As a result of the sanctions, all operations that affect the interests of the United States and the property of listed individuals and legal entities are prohibited. Any transactions with these individuals and companies are also subject to sanctions or enforcement actions.
 
The FBI closed the 911 S5 botnet, its creator was arrested

The US Department of Justice announced the closure of the 911 S5 botnet, whose owners provided resident proxy services. Yunhe Wang, a 35-year-old citizen of China and Saint Kitts and Nevis, was arrested on charges of creating the service.

"In cooperation with our international partners, the FBI conducted a special operation to destroy the 911 S5 botnet, which can be considered the largest in the world in history," said FBI Director Christopher Wray. " We arrested its administrator Yunhe Wang, confiscated infrastructure and assets, and imposed sanctions against Wang and his associates. The 911 S5 botnet infected computers in nearly 200 countries and contributed to a range of computer crimes involving financial fraud, identity theft, and child exploitation."

According to the FBI, from 2014 to July 2022, Wang and his associates created and distributed malware to compromise Windows devices, resulting in a network of millions of home computers. They have at least 19 million unique IP addresses associated with them. According to investigators, Wang earned millions of dollars by selling cybercriminals access to them. In the US, it is also claimed that botnet users used it to submit fraudulent applications for assistance during the coronavirus pandemic. So far, we are talking about 560 thousand approved requests, as a result of which the United States lost $ 5.9 billion.

"The 911 S5's reliability and extremely low prices quickly made it one of the most popular services in the cybercrime underground," writes information security journalist Brian Krebs. — The service made it possible to direct your malicious traffic through a computer that is geographically close to the user whose stolen credit card will be used by intruders."

Back in 2022, Krebs held (https://krebsonsecurity.com/2022/07/a-deep-dive-into-the-residential-proxy-service-911/) An investigation that suggested that the founder of the 911 S5 is Yunhe Wang. However, the FBI was able to name the names of two of the closest associates of the head of the botnet. Jingping Liu was responsible for laundering dirty money, and Yanni Zheng then invested the money in real estate purchases and various investment projects. Official sanctions have been imposed against them.

• Source: https://www.justice.gov/opa/pr/911-...-arrested-coordinated-international-operation

• Source: https://www.justice.gov/opa/media/1353516/dl?inline

• Source: https://www.justice.gov/opa/media/1353521/dl?inline

• Source: https://www.fbi.gov/911S5
 
You must log in or register to reply here.

Similar threads

Carding Forum
How to get into a botnet, or what's wrong with free VPNs
Replies
0
Views
129
Carding Forum
Carding Forum
Carding Forum
The Illusion of Protection: A Free VPN and its devastating consequences
Replies
0
Views
146
Carding Forum
Carding Forum
Man
Mirai Botnet
Replies
0
Views
109
Man
Man
Man
Akamai Experts: "Accidentally Disabled a Botnet"
Replies
0
Views
93
Man
Man
Man
The Largest Botnet Attacks
Replies
0
Views
124
Man
Man
Back
Top