An international law enforcement team has arrested a Chinese national and disrupted a major botnet that officials said he ran for nearly a decade, amassing at least $99 million in profits by reselling access to criminals who used it for identity theft, child exploitation, and financial fraud, including pandemic relief scams.
FBI Director Christopher Wray said on Wednesday that the ‘911 S5’ botnet, made up of malware-infected computers in nearly 200 countries, is ‘likely the world’s largest,’ according to the Department of Justice.
The Justice Department said in a news release that Yunhe Wang, 35, was arrested on May 24. The arrest took place in Singapore, and search warrants were executed in both Singapore and Thailand, Brett Leatherman, the FBI’s deputy assistant director for cyber operations, wrote in a LinkedIn post. Authorities also seized $29 million in cryptocurrency, according to Leatherman.
Cybercriminals used Wang’s network of zombie residential computers to steal “billions of dollars from financial institutions, credit card issuers and accountholders, and federal lending programs since 2014,” according to an indictment filed in Texas’ eastern district.
Wang, the administrator, sold access to the 19 million Windows computers he hijacked, more than 613,000 of them in the United States, to criminals who “used that access to commit a staggering array of crimes that victimized children, threatened people’s safety and defrauded financial institutions and federal lending programs,” U.S. Attorney General Merrick Garland said in announcing the takedown.
According to Garland, criminals who bought access to the zombie network from Wang were responsible for more than $5.9 billion in estimated losses from fraud against relief programs. Officials estimated that 560,000 fraudulent unemployment insurance claims originated from compromised IP addresses.
Wang allegedly managed the botnet through 150 dedicated servers, half of which were leased from U.S.-based online service providers.
The indictment says Wang used his illicit gains to purchase 21 properties in the United States, China, Singapore, Thailand, the United Arab Emirates and St. Kitts and Nevis, where it said he obtained citizenship through investment.
The Justice Department’s news release expressed gratitude to the police and other authorities in Singapore and Thailand for their assistance.
1. What was the ‘911 S5’ botnet?
The ‘911 S5’ botnet was a vast network of malware-infected computers spanning nearly 200 countries. According to FBI Director Christopher Wray, it was ‘likely the largest’ and enabled multiple cybercrimes, including identity theft, financial fraud, and access to child exploitation materials.
2. Who was behind the botnet?
Yunhe Wang, a 35-year-old Chinese citizen, was identified as the administrator of the botnet. Wang was arrested in Singapore on May 24. According to reports, he managed the network through 150 dedicated servers, half of which were leased from US-based service providers.
3. How did the botnet function?
The botnet infected residential Windows computers with malware, turning them into “zombie” machines that could be controlled remotely. Cybercriminals purchased access to these compromised computers and used them to carry out a range of illegal activities.
4. What kind of crimes were committed using the botnet?
Criminals used the botnet for a vast array of crimes, among them identity theft, financial fraud, child exploitation, bomb threats, and cyberattacks. Defrauding financial institutions and federal lending programs, including pandemic relief scams, was also part of the botnet’s activities. US Attorney General Merrick Garland stated that the criminals were responsible for over $5.9 billion in estimated losses from relief program fraud.
5. What property was seized during the operation?
Law enforcement seized about $29 million in cryptocurrency, luxury goods worth $4 million, and about $30 million in real estate. These assets were located in several jurisdictions, including Singapore, Thailand, and Dubai. In addition, 22 domains associated with the botnet were confiscated.
6. How did the law enforcement operation unfold?
Operation Tunnel Rat involved executing multiple search warrants and conducting interviews in Singapore and Thailand. The FBI and its international partners dismantled the botnet’s infrastructure and then arrested Wang. Authorities say further arrests are possible.
7. How was the public involved in this operation?
The FBI has set up a webpage where individuals can check whether their IP address was part of the botnet. This lets potential victims identify the infection and remediate any security issues arising from it.
8. What is the future for Yunhe Wang?
The US is awaiting Wang’s extradition from Singapore. Brett Leatherman, deputy assistant director with the FBI’s Cyber Division, emphasized the urgency of the extradition, stating, ‘We want him as soon as possible’.