US disables global cybercrime network that enabled theft of billions in fraud schemes

The Justice Department said it crippled a vast network of compromised computers that were used for a global enterprise run by a Chinese national and other co-conspirators that allowed cybercriminals to carry out fraud schemes costing victims billions of dollars.

The botnet, known as 911 S5, has been operating for at least a decade, and has allowed hackers to bypass financial fraud detection systems and steal billions from federal lending programs, as well as credit card issuers and financial institutions.

The heads of the criminal latticework were sanctioned by the Treasury Department on Tuesday. Its main overseer, Yunhe Wang, was arrested last week on grounds that the botnet facilitated cyberattacks, fraud, child exploitation, bomb threats and export violations, DOJ said. The criminal operation first came into the fold in 2014 under the name Clourouter, disappearing in 2022 and reconstituting in its current form in Oct. 2023.

Some 19 million IP addresses made up the botnet, which consists of compromised devices used for cybercriminal staging grounds and business dealings. The network included millions of exploited residential Windows computers around the world infected by a malware that was disseminated through sham Virtual Private Network programs — which are meant to encrypt sensitive information when browsing the web — installed by users.

The FBI has released a website to help U.S. victims identify if their devices were one of the over 600,000 targeted in the 911 S5 nexus, said Brett Leatherman, deputy assistant director of the FBI’s cybercrime division, on a call with reporters. The malicious VPN programs include offerings like MaskVPN and PaladinVPN, according to the site.

The cybercrime collective facilitated the submission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs, leading to a loss of billions of dollars for the U.S. government, according to officials. Around 560,000 fraudulent unemployment insurance claims came from the compromised IP addresses, resulting in government losses exceeding $5.9 billion, DOJ said in a Wednesday statement.

Wang managed and controlled around 150 servers globally, with about 76 leased from U.S.-based online service providers. He used these servers to deploy and manage applications, command and control infected devices, operate the 911 S5 service and offer paying customers access to proxied IP addresses linked to the infected devices.

Wang allegedly made $99 million from sales of hijacked IP addresses through the operation, received in crypto or fiat currency. Some $4 million in luxury assets around the world — including in St. Kitts and the United Arab Emirates — were seized in connection with the criminal network, including watches and cars. Wang awaits extradition to the U.S. from Singapore for the alleged crimes, Leatherman said. 

The operation is still ongoing, he added, though he called it a “significant phase” to fully remove 911 S5 infrastructure.

The botnet was taken down by seizing various domains that allowed the network to flourish, Leatherman said. Some 70 servers and 23 domains were hamstrung in the process, which the DOJ says served as the backbone of the operation.

The FBI has shown strong willingness to offensively pursue nation-state and cyber crime networks. It announced the takedown of major ransomware actor LockBit earlier this year, and its cyber operatives also drilled into compromised routers to disable a separate botnet enabling Chinese hackers to burrow into critical infrastructure.