Is Your Computer Part of The Largest Botnet Ever? – Krebs on Security

The alleged operator of the online anonymity service 911 S5, which was described as the “world’s largest botnet ever” by the FBI, has been arrested by the U.S. Department of Justice (DOJ). The arrest of the operator, identified as 35-year-old Chinese national YunHe Wang, also led to the seizure of the 911 S5 website and its infrastructure. The DOJ stated that 911 S5 facilitated billions of dollars in online fraud and cybercrime by turning computers running various “free VPN” products into Internet traffic relays.

According to authorities, 911 S5 enabled cybercriminals to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs. For instance, it is estimated that 560,000 fraudulent unemployment insurance claims originated from compromised Internet addresses linked to 911 S5, resulting in a confirmed fraudulent loss exceeding $5.9 billion. Additionally, more than 47,000 applications to the Economic Injury Disaster Loan (EIDL) program were associated with IP addresses compromised by 911 S5.

Between 2015 and July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, offering proxies that allowed customers to route their Internet traffic through PCs around the world, primarily in the United States. The service built its proxy network through the provision of “free” virtual private networking (VPN) services that turned users’ computers into traffic relays for paying customers.

911 S5 became popular among cybercriminals due to its reliability, low prices, and ability to anonymously route malicious traffic through addresses close to their targets. The service quickly gained notoriety in the cybercrime underground, becoming a go-to service for the final phase of cybercrime operations. Despite initial investigations and shutdowns, 911 S5 reappeared as Cloud Router under Mr. Wang’s operation.

Alongside Wang’s arrest, the U.S. Department of the Treasury sanctioned Wang and two associates, as well as several companies responsible for laundering nearly $100 million in proceeds from 911 S5 and Cloud Router customers. The DOJ collaborated with authorities in Singapore, Thailand, and Germany to search residences tied to Wang and seized approximately $30 million in assets, including luxury vehicles, bank accounts, cryptocurrency wallets, wristwatches, and properties.

Wang faces charges of conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, with a maximum penalty of 65 years in prison if convicted on all counts. The FBI’s Cyber Division deputy assistant director, Brett Leatherman, stated that efforts are underway to extradite Wang to the U.S. for trial. Leatherman also urged Internet users to visit a new FBI webpage to determine if their computers were part of the 911 S5 botnet, which allegedly spanned over 19 million individual computers in 190 countries.

Leatherman noted that 911 S5 and Cloud Router used various “free VPN” brands to attract consumers, including MaskVPN, DewVPN, PaladinVPN, Proxygate, Shield VPN, and ShineVPN. He emphasized the importance of raising awareness among American citizens who may unknowingly have their IP space utilized for attacking U.S. businesses or defrauding the government. Leatherman highlighted the need for vigilance and education to prevent similar operations in the future.
