U.S. Sanctions Three Chinese Nationals for Alleged Connection to 911 S5 Botnet

UPDATE--The United States government has sanctioned three Chinese nationals for their alleged roles in running the 911 S5 proxy service, which consisted of compromised machines that the network’s operators rented out to cybercriminals as proxies through which they could connect to the Internet and hide their identities.

The Department of the Treasury’s Office of Foreign Assets Control on Tuesday announced sanctions against Yunhe Wang, Jingping Liu, and Yanni Zheng, and also against three companies allegedly controlled by Wang: Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats,” said Under Secretary Brian E. Nelson. “Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors who seek to steal from U.S. taxpayers.”

The Department of Justice announced on Wednesday that Wang had been arrested on May 24 and law enforcement had seized 23 domains and more than 70 servers that were part of the botnet.

“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators. The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation,” FBI Director Chris Wray said.

The 911 S5 network was essentially a botnet made up of compromised computers and the operators allowed customers to proxy their Internet connections through those machines. In some cases, the customers used the service to submit fraudulent claims through the various COVID-19 relief programs run by the federal government. The botnet also was connected to some bomb threats made in 2022 in various locations in the U.S. Researchers from the University of Sherbrooke in Canada detailed the operations of the 911 S5 network in 2022, along with the operations of other similar services.

As part of the sanctions, OFAC said that Wang was the main operator of the 911 S5 network, while Liu was allegedly in charge of the financial side of the business.

“The virtual currency that 911 S5 users paid to Yunhe Wang were converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Jingping Liu. Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang,” the OFAC statement says.

Zheng, meanwhile, allegedly assisted Wang in buying luxury properties. The OFAC sanctions mean that U.S. persons or companies cannot do business with the sanctioned entities or people.

In its indictment, the Justice Department said that Wang had earned as much as $99 million by operating the 911 S5 botnet, and had accumulated a huge pile of assets that are subject to forfeiture, including "a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains."

This story was updated on May 29 to add information about Wang's arrest.