The United States Department of Justice on Wednesday announced charges against a 35-year-old Chinese national, Yunhe Wang, accused of operating a massive botnet allegedly linked to billions of dollars in fraud, child exploitation, and bomb threats, among other crimes.
Wang, identified by numerous pseudonyms—Tom Long and Jack Wan, among others—was arrested on May 24 and is accused of distributing malware through various pop-up VPN services, such as “ProxyGate” and “MaskVPN,” and by embedding viruses in internet files distributed via peer-to-peer networks known as torrents.
The malware is said to have compromised computers located in nearly every country in the world, turning them into proxies through which criminals were able to hide their identities while committing countless crimes. According to prosecutors in the US, this included the theft of billions of dollars slated for Covid-19 pandemic relief—funds allegedly stolen by foreign actors posing as unemployed US citizens.
According to an indictment, the infected computers allegedly provided Wang’s customers with a persistent backdoor, allowing them to disguise themselves as any one of the victims of Wang’s malware. This illicit proxy service, known as “911 S5,” launched as early as 2014, the US government says.
“The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation,” says FBI director Christopher Wray, who described the illicit service as “likely the world’s largest botnet ever.”
The US Treasury Department has also sanctioned Wang and two other individuals allegedly tied to 911 S5.
Wang is said to have amassed access to nearly 614,000 IP addresses in the US and more than 18 million others worldwide—collectively forming the botnet. 911 S5’s customers were able to filter the IPs geographically to choose where they’d like to appear to be located, down to a specific US zip code, the DOJ claims.
The indictment states that of the 150 dedicated servers used to manage the botnet, as many as 76 were leased by US-based service providers, including the one hosting 911 S5’s client interface, which allowed criminals overseas to purchase goods using stolen credit cards, in many cases for the alleged purpose of circumventing US export laws.
More than half a million fraudulent claims lodged with pandemic relief programs in the United States are allegedly tied to 911 S5. According to the indictment, nearly $6 billion in losses have been linked to IP addresses captured by 911 S5. Many of the IP addresses have been reportedly tied to more insidious crimes, including bomb threats and the trafficking of child sexual abuse material, or CSAM.
“Proxy services like 911 S5 are pervasive threats that shield criminals behind the compromised IP addresses of residential computers worldwide,” says Damien Diggs, the US attorney for the Eastern District of Texas, where the charges against Wang were brought by a grand jury earlier this month.
Adds Nicole Argentieri, head of the Justice Department’s Criminal Division: “These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyberstalking.”
At the time of writing, it is unclear whether these virtual impersonations resulted in any criminal investigations or charges against US-based victims whose IP addresses were hijacked as part of the 911 S5 botnet. WIRED is awaiting a response from the Department of Justice regarding this concern.
According to the Justice Department, law enforcement agencies in Singapore, Thailand, and Germany collaborated with US authorities to effect Wang’s arrest.
Wang faces charges of conspiracy, computer fraud, conspiracy to commit wire fraud, and conspiracy to money laundering, with a maximum penalty of 65 years in prison. The US is also seeking to seize a mountain of luxury cars and goods allegedly owned by Wang, including a 2022 Ferrari Spider valued at roughly half a million dollars as well as a Patek Philippe watch worth potentially several times that amount.
