US govt sanctions cybercrime gang behind massive 911 S5 botnet

US govt sanctions cybercrime gang behind massive 911 S5 botnet

The U.S. Treasury Department has sanctioned a cybercrime network comprising three Chinese nationals and three Thailand-based companies linked to a massive botnet controlling a residential proxy service known as “911 S5.”

Researchers at the Canadian University of Sherbrooke revealed almost two years ago, in June 2022, that this illegitimate residential proxy service lured potential victims by offering free VPN services to install malware designed to add their IP addresses to the 911 S5 botnet.

At the time, the botnet controlled approximately 120,000 residential proxy nodes from all over the world, all of which communicated with multiple command-and-control servers located offshore or hosted within a cloud server.

One month later, investigative journalist Brian Krebs reported that the 911 S5 “imploded” after key components of its business operations were destroyed in a security breach. The proxy botnet was resurrected months later as “CloudRouter,” according to a February report from cybersecurity company Spur Intelligence.

“The 911 S5 botnet was a malicious service that compromised victim computers and allowed cybercriminals to proxy their internet connections through these compromised computers,” said the Office of Foreign Assets Control (OFAC) on Tuesday.

“Once a cybercriminal had disguised their digital tracks through the 911 S5 botnet, their cybercrimes appeared to trace back to the victim’s computer instead of their own.”

OFAC added that the residential proxy botnet compromised approximately 19 million IP addresses. These infected devices allowed cybercriminals to submit tens of thousands of fraudulent applications for programs related to the Coronavirus Aid, Relief, and Economic Security Act, resulting in billions of dollars in losses.

911 S5 users also used it to commit widespread cyber-enabled fraud using residential IP addresses linked to compromised computers. These IP addresses were also used in a series of bomb threats made across the United States in July 2022.

OFAC today sanctioned Yunhe Wang (the 911 S5 service administrator), Jingping Liu (the operation’s money launderer), and Yanni Zheng (who acted as a power of attorney for Yunhe Wang), as well as three entities (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited), all owned or controlled by Yunhe Wang.

“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats,” said Under Secretary Brian E. Nelson.

“Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors who seek to steal from U.S. taxpayers.”

As a result of today’s sanctions, all transactions involving U.S. interests and properties of designated individuals and entities are prohibited, and dealings with sanctioned individuals and companies also expose them to sanctions or enforcement actions.

Cybersecurity firm Mandiant also warned last week that Chinese state hackers are increasingly relying on vast proxy server networks (also known as operational relay box networks) built from compromised online devices and virtual private servers to evade detection during their cyberespionage campaigns.

Share This


Wordpress (0)
Disqus ( )