Chinese National Arrested For Allegedly Operating “World’s Largest Botnet”

Authored by Frank Fang via The Epoch Times

A Chinese national has been arrested for allegedly running a botnet of 19 million infected IP addresses in nearly 200 countries, amassing at least $99 million by leasing his network to criminals for cybercrimes including COVID-19 pandemic relief scams.

The Department of Justice (DOJ) said Wang Yunhe, 35, offered customers the use of his network of compromised IP addresses for a fee from 2014 until July 2022, according to a press release issued on May 29. The service, named “911 S5,” allowed cybercriminals to conceal their digital footprint when engaging in nefarious online activities.

Those offenses included financial crimes, stalking, transmitting bomb threats and threats of harm, illegal exportation of goods, and receiving and sending child exploitation materials.

Criminals are also alleged to have used the botnet service to bypass financial fraud detection systems in the United States and elsewhere, and stolen billions of dollars from financial institutions, credit card issuers, and federal lending programs, according to an indictment. About 560,529 fraudulent claims came from “IP addresses exploited and trafficked” by Mr. Wang’s botnet, leading to more than $5.9 billion in losses.

The network was “likely the world’s largest botnet ever,” the DOJ said, quoting FBI Director Christopher Wray.

Mr. Wang’s alleged scheme “reads like it’s ripped from a screenplay,” Assistant Secretary for Export Enforcement Matthew S. Axelrod from the Commerce Department’s Bureau of Industry and Security said in a statement.

Malware

According to the indictment, Mr. Wang went by several pseudonyms including “Jack Wan,” “Williams Tang,” and “Tom Long.” He was arrested in Singapore on May 24 and search warrants were executed in the Southeast Asian country and nearby Thailand, Brett Leatherman, the deputy assistant director for the FBI’s cyber division, said in a LinkedIn post.

Authorities also seized $29 million in cryptocurrency, according to Mr. Leatherman.

To build up his botnet, Mr. Wang allegedly began developing malicious Virtual Private Network (VPN) programs, such as MaskVPN, DewVPN, and Shine VPN, as early as 2011, according to the indictment. He then allegedly distributed his malware “with the intent to infect residential computers worldwide.”

A VPN is a service that typically hides a user’s IP address and encrypts an internet connection, diverting traffic through a remote server.

“Wang then managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S.-based online service providers,” the press release reads.

As of July 2022, Mr. Wang had amassed more than 19 million unique IP addresses by spreading his malware to computers worldwide. “[C]ybercriminals using the 911 S5 service were able to select by city, state, zip code, or country exactly the IP addresses through which they wanted to connect to the internet,” the indictment reads.

Of the 19 million IP addresses, Mr. Wang’s botnet included about 613,841 IP addresses in the United States, the indictment stated, and his malware infected about 346 computers in the Eastern District of Texas between April 2020 and July 2022.

The indictment stated that Mr. Wang’s botnet ceased operations in July 2022 but infected computers “remain actively compromised.” Therefore “the botnet remains available to be reconstituted into a new illicit proxy service at any time,” the document reads.

Source
Zerohedge
