The U.S. Department of the Treasury has recently announced sanctions against three Chinese nationals for their involvement in operating 911 S5, an online anonymity service that was known for routing web traffic through malware-infected computers worldwide. Among the individuals sanctioned, Yunhe Wang was identified by KrebsOnSecurity in a July 2022 investigation into 911 S5, which was compromised and shut down shortly after.
From 2015 to July 2022, 911 S5 provided access to a large number of Microsoft Windows computers, allowing customers to route their internet traffic through these compromised machines located in various countries, with a focus on the United States. The service became popular in the cybercrime underground due to its affordability and reliability, facilitating malicious activities such as credit card fraud and account takeovers.
KrebsOnSecurity’s deep dive into 911 S5 revealed the business’s use of aggressive tactics to distribute their proxy malware, including incentivizing affiliates to bundle it with other software for silent installation. Yunhe Wang, identified as the primary administrator of the botnet powering 911 S5, was found to be the registered subscriber to network infrastructure providers and VPN services used by the operation.
In addition to Yunhe Wang, Jingping Liu was implicated in the laundering of criminal proceeds from 911 S5, particularly virtual currencies converted into U.S. dollars through over-the-counter vendors. The sanctions allege that Liu assisted Wang in purchasing luxury real estate properties using funds derived from the illegal operation.
The third individual sanctioned, Yanni Zheng, was described as an attorney for Wang and his company, Spicy Code Company Limited, involved in laundering proceeds into real estate holdings. The sanctions also targeted properties controlled by Wang, including Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited.
After the closure of 911 S5 following a data breach in July 2022, the service resurfaced under a new name, Cloud Router, as reported by spur.us, a startup that tracks proxy and VPN services. Research conducted in February 2024 by Spur revealed that Cloud Router's operators reused components from 911 S5, indicating a connection between the two services.
Cloud Router, powered by PaladinVPN, at one point had more than 140,000 Internet addresses available for rent. Recently, however, the number of proxies offered by Cloud Router declined, and the service suspended or ceased operations over the past weekend. The homepage of Cloud Router now displays a message from Cloudflare indicating that the domain's servers are pointing to a prohibited IP address.
The actions taken by the U.S. Treasury against the individuals and entities involved in 911 S5 underscore the consequences of engaging in illegal activities that harm individuals and organizations worldwide. Despite attempts to rebrand and continue operations, the crackdown on these cybercriminal networks demonstrates the government’s commitment to combating online threats and protecting global cybersecurity interests.
