Chinese national behind 911 S5 botnet arrested in Singapore

Chinese national behind 911 S5 botnet arrested in Singapore

Singapore: The arrest was part of a multiagency operation involving law enforcement from the US, Singapore, Thailand, Europol and Germany. The US Department of Justice (DOJ) announced the arrest of a Chinese national, Wang Yunhe, in an international operation targeting cybercrime. Wang, aged 35, was apprehended in Singapore on 24 May for allegedly creating and using malware responsible for cyberattacks, large-scale fraud, and child exploitation.

This arrest comes on the heels of a similar high-profile sweep last August, involving 10 Chinese citizens charged with laundering over $2 billion through Singapore.

According to the US Treasury Department, the botnet, known as ‘911 S5,’ was used by criminals to compromise personal devices to further conduct identity theft, financial fraud, and child exploitation.

The Treasury’s Office of Foreign Assets Control has now imposed sanctions on three Chinese nationals behind the platform—Yunhe Wang, Jingping Liu, and Yanni Zheng—and on three entities owned or controlled by Yunhe Wang.

FBI Director Christopher Wray described the ‘911 S5’ botnet as likely the world’s largest, comprising malware-infected computers in nearly 200 countries.

According to the DOJ, Wang and unnamed accomplices developed and distributed malware that compromised millions of residential Windows computers worldwide.

From 2018 to July 2022, Wang accrued $99 million from selling access to hijacked IP addresses, facilitating cybercriminals in bypassing financial fraud detection systems. These criminals committed fraud, resulting in losses exceeding $5.9 billion, including 560,000 fraudulent unemployment insurance claims.

Wang used the illicitly obtained proceeds to acquire assets globally, spanning properties in the USA, Saint Kitts and Nevis, China, Singapore, Thailand, and the UAE. His possessions included luxury sports cars, numerous bank accounts, cryptocurrency wallets, luxury watches, and 21 properties across multiple countries.

Matthew S. Axelrod from the US Department of Commerce’s Bureau of Industry and Security described the case as resembling a screenplay, highlighting the extensive criminal enterprise and lavish expenditures financed by nearly $100 million in profits.

The operation is a collaborative effort led by law enforcement agencies from the US, Singapore, Thailand, and Germany. It underscores the international cooperation required to combat cybercrime effectively.

Europol, along with international partners, has claimed to have successfully conducted the largest ever operation against botnets which play a major role in the deployment of ransomware, codenamed Operation Endgame.

The operation, which was carried over across 16 locations in Europe and West Asia, has led to four arrests (one in Armenia and four in Ukraine), over 100 servers being taken down, and over 2,000 domains being seized.  

The operation led to the disruption of malware-distributing platforms such as IcedIDI, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot, and Europol shared that all of them are being used to deploy ransomware and are seen as the main threat in the infection chain.

Europol shared that the operation highlights the profitability of facilitating malware sharing. Citing the example that one of the main suspects earned at least €69 million ($74 million) in crypto by leasing out criminal infrastructure sites to deploy ransomware

Malware droppers are used by threat actors to breach security systems and then inject harmful viruses, spyware or ransomware programs.  While malware droppers by themselves may not be harmful, they facilitate cybercrimes such as ransomware attacks. Attack on malware droppers will have an impact on threat actors who use their facilities.

The FBI has published information at to help identify and remove 911 S5’s VPN applications from infected devices.

Share This


Wordpress (0)
Disqus ( )