Billion-dollar botnet busted for pandemic fraud, child exploitation

US Department of Justice (DoJ) officials announced the takedown of a multi-billion dollar cybercriminal botnet ring on Wednesday – a malicious international network that FBI director Christopher Wray said is “likely the world’s largest botnet ever.”

The botnet’s mastermind – 34-year-old YunHe Wang – and two others are said to have sold access to 19 million infected IP addresses worldwide, enabling scams involving everything from pandemic fraud, stalking, and bomb threats to money laundering, export violations, and the transmission of child exploitation materials.

On May 24th, Wang, a Chinese national and citizen-by-investment of St. Kitts and Nevis, was arrested by the feds; the criminal indictment was unsealed on May 28th.

The botnet, known as 911 S5, had been in operation for nearly a decade from 2014 through July 2022, according to the DoJ.

The botnet itself was controlled by Wang using 150 dedicated servers, about half of them leased from US-based online service providers.

Wang created the botnet by amassing “a network of millions of residential Windows computers worldwide,” including over 600,000 in the US.

Wang would use VPN programs and pay-per-install services that bundled the malicious files with other program downloads, such as “pirated versions of licensed software or copyrighted materials,” the FBI said.

Illegal botnet in operation for years

Once the botnet was in place, the DoJ said Wang made about $99 million selling the hijacked addresses – which were then used by cybercriminals to carry out a range of illegal online activities and cyberattacks, further bilking victims of billions of dollars.

“The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation,” said FBI Director Christopher Wray.

The network was said to allow threat actors to “bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs,” including certain pandemic relief programs.

Criminals outside the US would use the IP addresses to purchase goods with stolen credit cards or other ill-gotten funds and ship them out of the country in violation of federal export laws.

The DoJ further estimates more than 550,000 fraudulent unemployment insurance claims came from 911 S5’s compromised IP addresses, resulting in losses of nearly $6 billion.

Wang now faces up to 65 years in prison on charges of conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering if convicted on all counts.

Scheme plays out like a movie

“The conduct alleged here reads like it’s ripped from a screenplay,” said Assistant Secretary for Export Enforcement Matthew S. Axelrod of the US Department of Commerce’s Bureau of Industry and Security (BIS).

“A scheme to sell access to millions of malware-infected computers worldwide, enabling criminals all over the world to steal billions of dollars, transmit bomb threats, and exchange child exploitation materials – then using the scheme’s nearly $100 million in profits to buy luxury cars, watches, and real estate,” Axelrod said.

Wang was said to have used his illegal proceeds to buy up at least 21 investment properties, not only in the US but also in St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates – worth a total of about $30 million.

Another $30 million in assets was also seized by the feds, including a 2022 Ferrari F8 Spider, a Rolls Royce, multiple BMWs, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, and several luxury wristwatches.

The FBI said the take-down was a joint effort between law enforcement agencies in the US, Singapore, Thailand, and Germany.

Also on Wednesday, the US Treasury Department issued financial sanctions against Wang and his co-conspirators (Jingping Liu and Yanni Zheng) in relation to the 911 S5 botnet.

The FBI has provided a website with more information for possible victims of 911 S5 malware.