https://www.bleepingcomputer.com/news/security/us-dismantles-911-s5-residential-proxy-botnet-used-for-cyberattacks-arrests-admin/
US dismantles 911 S5 botnet used for cyberattacks, arrests admin

By Sergiu Gatlan
May 29, 2024, 01:14 PM

[Image: 911 S5 seizure banner]

The U.S. Justice Department and international partners dismantled the 911 S5 proxy botnet and arrested 35-year-old Chinese national YunHe Wang, its administrator, in Singapore.

"Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet--likely the world's largest botnet ever," said FBI Director Christopher Wray.

"We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators."

As early as 2011, Wang and his conspirators pushed malware onto victims' devices using multiple malicious VPN applications bundling proxy backdoors.

The VPN apps that added compromised devices to the 911 S5 residential proxy service include MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.

The FBI provides detailed information on how to determine if you were a victim of 911 S5 malware HERE.

Between 2014 and July 2022, they created a network of millions of residential Windows computers worldwide linked to more than 19 million unique IP addresses, including 613,841 IP addresses in the United States.

"Wang [..] managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S. based online service providers," the Justice Department said.
"Using the dedicated servers, Wang deployed and managed applications, commanded and controlled the infected devices, operated his 911 S5 service, and provided paying customers with access to proxied IP addresses associated with the infected devices."

Researchers at the University of Sherbrooke revealed in June 2022 that the 911 S5 operators lured potential victims by offering free VPN services to install the proxy malware.

One month later, the botnet was shut down after critical components of the operation were allegedly destroyed in a security breach, but it was resurrected as "CloudRouter" just a few months later.

The Justice Department is now serving seizure warrants to registrars and registry entities to seize the following domains used by the criminal network.

DOMAIN NAME         TLD    REGISTRAR    REGISTRY
911.re              .re    1API GmbH    AFNIC
911.gg              .gg    1API GmbH    Island Networks
911s5.net           .net   GoDaddy      VeriSign
911s5.org           .org   GoDaddy      PIR
911s5.com           .com   GoDaddy      VeriSign
maskvpn.cc          .cc    Dynadot      VeriSign
maskvpn.org         .org   GoDaddy      PIR
dewvpn.com          .com   GoDaddy      VeriSign
dewvpn.net          .net   GoDaddy      VeriSign
dewvpn.org          .org   GoDaddy      PIR
dewvpn.cc           .cc    GoDaddy      VeriSign
proxygate.net       .net   GoDaddy      VeriSign
shinevpn.com        .com   GoDaddy      VeriSign
shinevpn.org        .org   GoDaddy      PIR
paladinvpn.com      .com   Namecheap    VeriSign
paladinvpn.org      .org   Namecheap    PIR
shieldvpn.org       .org   CommuniGal   PIR
cloudrouter.io      .io    Namecheap    Identity Digital Inc
cloudrouter.pro     .pro   Dynadot      Identity Digital Inc
cloudrouting.net    .net   Namecheap    VeriSign
reachfresh.com      .net   GoDaddy      VeriSign
updatepanel.cc      .cc    Namecheap    VeriSign
upgradeportal.org   .org   Namecheap    PIR

Wang collected approximately $99 million by selling access to the proxied IP addresses to cybercriminals for a fee.

The criminals used the compromised devices' Internet connections for a wide range of crimes, including cyber attacks, bomb threats, child exploitation, large-scale fraud, harassment, and export violations.
911 S5 customers also used the illegitimate residential proxy service to submit tens of thousands of fraudulent applications for programs related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

They also used it to file 560,000 fraudulent unemployment insurance claims and over 47,000 Economic Injury Disaster Loan (EIDL) applications, resulting in billions of dollars stolen from financial institutions, credit card issuers, and federal lending programs.

On Tuesday, the U.S. Treasury Department also sanctioned Wang (the administrator), Jingping Liu (the operation's money launderer), and Yanni Zheng (who acted as a power of attorney for Yunhe Wang), and three entities (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited) that were either owned or controlled by Wang.

[Image: 911 S5 proxy service prices (BleepingComputer)]

According to an indictment unsealed on May 24, dozens of Wang's assets and properties are now subject to forfeiture, "including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains."

Wang faces a maximum penalty of 65 years in prison if convicted on all counts, including conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.
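The seized domains listed in the article can be used for a retrospective hunt through DNS resolver logs to find internal hosts that looked up 911 S5 or CloudRouter infrastructure. The following is an added example, not code from BleepingComputer, the FBI or the Justice Department; the log format, the sample log lines and the function names are assumptions made for illustration, and the domain set is a subset of the article's table.

```python
# Subset of the seized domains listed in the article's table.
SEIZED_DOMAINS = {
    "911.re", "911.gg", "911s5.net", "911s5.org", "911s5.com",
    "dewvpn.com", "dewvpn.net", "dewvpn.org", "proxygate.net",
    "shinevpn.com", "shinevpn.org", "shieldvpn.org",
    "cloudrouter.io", "cloudrouter.pro", "cloudrouting.net",
    "upgradeportal.org",
}

# Constructed sample log (assumed format): "<timestamp> <client IP> <queried name>".
SAMPLE_LOG = """\
2024-05-20T08:01:12Z 10.0.4.17 www.example.com
2024-05-20T08:01:15Z 10.0.4.17 api.DewVPN.com.
2024-05-20T08:02:40Z 10.0.9.3 notdewvpn.com
2024-05-20T08:03:05Z 10.0.9.3 cloudrouter.io
2024-05-20T08:03:09Z 10.0.4.17 911.re.cdn.example.net
malformed line
2024-05-21T11:45:00Z 10.0.4.17 update.911s5.org
"""

def matched_domain(qname):
    """Return the seized domain that qname equals or is a subdomain of, else None."""
    labels = qname.rstrip(".").lower().split(".")
    # Compare only label-aligned suffixes, so 'notdewvpn.com' and
    # '911.re.cdn.example.net' are not reported as hits.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SEIZED_DOMAINS:
            return candidate
    return None

def hunt(log_text):
    """Map client IP -> list of (timestamp, query, seized domain) hits, in log order."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed format
        ts, client, qname = parts
        domain = matched_domain(qname)
        if domain:
            hits.setdefault(client, []).append((ts, qname, domain))
    return hits

if __name__ == "__main__":
    for client, rows in hunt(SAMPLE_LOG).items():
        for ts, qname, domain in rows:
            print(f"{client} {ts} {qname} -> {domain}")
```

A host that shows hits is a candidate for checking whether one of the VPN applications named in the article is installed.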