US sanctions cybercrime network operating residential proxy botnet service


The 911 S5 service, a residential proxies as a service (RPAAS) platform, leverages residential IP addresses to anonymize malicious traffic and evade detection. This is obviously illegal, and now, the US has imposed sanctions on the network.

According to the US Treasury Department, the 911 S5 service allows users to rent residential IP addresses, making their internet traffic appear as if it originates from legitimate residential users – when it actually doesn’t.

Cybercriminals use RPAAS platforms – essentially online anonymity services – to cover their activities as they make it difficult to trace malicious traffic back to its source. 911 S5 has been operational at least since 2018.

The proxy network was built almost like a VPN service – these products also allow users to surf the web anonymously. But 911 S5 also quietly turned the user’s computer into a traffic relay for paying customers.

The Treasury’s Office of Foreign Assets Control has now unveiled sanctions against three Chinese nationals behind the platform – Yunhe Wang, Jingping Liu, and Yanni Zheng. Three entities owned or controlled by Yunge Wang have also been sanctioned.

“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats,” said Under Secretary Brian Nelson.

“Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors who seek to steal from US taxpayers.”

According to the press release, the 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users.

The US government thus lost billions of dollars, officials say. The network was also active in South Korea, Peru, and Japan.

The IP addresses compromised by the 911 S5 service were also linked to a series of bomb threats made throughout the US in July 2022. All this is potentially very risky to the true owners of these addresses.

That’s because even if they’re often unaware of any malicious activities, they could face criminal or civil liability if their devices are used for them – all while clever crooks usually try to route their malicious traffic through a computer geographically close to the target whose, for example, stolen credit card is about to be used.