Chinese National Arrested in Massive Cybercrime Operation as FBI Dismantles World's Largest Botnet

ICARO Media Group
Politics
29/05/2024 22h27

The FBI has successfully taken down one of the largest malicious botnets in the world, which facilitated fraudulent transactions costing billions of dollars, including those related to COVID relief funding. The botnet's administrator, YunHe Wang, a Chinese national, was apprehended by law enforcement.

Wang has been accused of masterminding an international scheme involving the deployment of malware and the illicit sale of access to infected computers' IP addresses. These IP addresses, which serve as unique identifiers for devices on the internet, were used to carry out various crimes, such as bomb threats, financial fraud, identity theft, and child exploitation.

According to Brett Leatherman, the FBI cyber division deputy assistant director, Wang led the operation known as the 911 S5 Botnet, which utilized 19 million compromised IP addresses across 190 countries. This vast network served as an infrastructure for cybercriminal activities, enabling crimes that also included initial access brokering and other computer-related offenses.

Although there are no known direct ties to nation-states, officials confirmed that Wang was financially motivated. Court documents revealed that he purchased approximately $30 million worth of property in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates. Additionally, he spent over $4 million on luxury items, including high-end vehicles like a BMW and Rolls Royce, as well as several watches.

Of the 19 million compromised IP addresses, over 600,000 were located in the United States. Wang was arrested on Friday and is facing a four-count indictment, which includes conspiracy and computer fraud charges. Court papers allege that Wang sold unsuspecting victims various Virtual Private Network (VPN) programs, which, when downloaded, installed malicious software on their computers, allowing their IP addresses to be remotely controlled.

Investigators discovered that Wang then sold these stolen IP addresses to other cybercriminals for millions of dollars, facilitating their illicit activities. By using the victims' IP addresses, these cybercriminals were able to carry out their schemes while evading detection by law enforcement. Prosecutors stated that Wang sometimes sold access to IP addresses based on specific geographic requirements requested by the criminals.

Leatherman cautioned that the malicious VPN services involved in this operation included Mask VPN, Dew VPN, Paladin VPN, Proxy Gate, Shield VPN, and Shine VPN. Charging documents reveal that cybercriminals used the 911 S5 service to bypass fraud detection systems, resulting in the theft of billions of dollars from financial institutions, credit card issuers, account holders, and even federal lending programs since 2014. Notably, the IP addresses tied to Wang's botnet were also linked to potential pandemic relief fraud losses of over $5.9 billion.
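The article names the VPN brands whose installers carried the botnet client. As an added example (not part of the original article and not the FBI's own remediation tool), the following PowerShell script checks a Windows host for installed programs, services, or running processes whose names match those brands. It assumes the installers registered under their brand names in the standard Windows Uninstall registry keys and that the service or process names contain the same words; both are assumptions, so a hit is an indicator to investigate, and a clean result does not prove the host is uninfected.

```powershell
# Brand names reported in the article; treated as case-insensitive substrings.
# The trailing "VPN"/"Gate" is dropped so that "MaskVPN", "Mask VPN" and "Mask_VPN" all match.
$brands = @('Mask', 'Dew', 'Paladin', 'Proxy Gate', 'Shield', 'Shine')

# Build one regex such as (?i)(Mask|Dew|Paladin|Proxy Gate|Shield|Shine)\s*_?\s*(VPN)?
$pattern = '(?i)\b(' + (($brands | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\s*_?\s*(VPN)?'

# Standard locations where installers register an uninstall entry (assumed to apply here).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$findings = @()

# 1. Installed programs: match on DisplayName.
foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $pattern } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Kind    = 'InstalledProgram'
                Name    = $_.DisplayName
                Detail  = $_.InstallLocation
            }
        }
}

# 2. Windows services: match on service name or display name.
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Kind    = 'Service'
            Name    = $_.Name
            Detail  = "$($_.DisplayName) [$($_.Status)]"
        }
    }

# 3. Running processes: match on process name; record the image path when readable.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Kind    = 'Process'
            Name    = $_.ProcessName
            Detail  = "PID $($_.Id) $($_.Path)"
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No installed program, service or process matched the named VPN brands.'
    Write-Output 'This does not rule out infection; consult the FBI victim page referenced in the article.'
} else {
    Write-Output "Matched $($findings.Count) indicator(s); preserve evidence before removing anything:"
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so that the HKLM hives and all processes are readable. The brand words are deliberately generic ("Shield", "Shine"), so expect occasional false positives from unrelated software; treat the output as a triage list to compare against the FBI's self-remediation guidance, not as a verdict.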

The investigation highlighted Wang's ability to infect victims' devices without their knowledge, evading traditional antivirus software. Prosecutors estimate that Wang made over $99 million from selling hijacked IP addresses and laundered the proceeds through U.S. banks.

With the majority of the fraud stemming from fraudulent pandemic relief fund applications, Leatherman emphasized the significance of Wang's arrest as a deterrent to cybercriminals taking advantage of those in desperate need of financial relief during challenging times.

FBI Director Christopher Wray commended the joint effort with international partners and announced the dismantling of the 911 S5 Botnet, likely the largest in history. The arrest of Wang was made possible through critical assistance from authorities in Singapore and Thailand, who conducted searches, interviews, and asset seizures. U.S. officials are currently working with Singapore's government to extradite Wang to the United States.

As part of the operation, law enforcement seized 23 domains and over 70 servers, effectively dismantling the network of infected devices that Wang and his co-conspirators built between 2014 and 2022. While acknowledging that complete network dismantlement is challenging, Leatherman emphasized that Wang's capture marks a significant milestone. He further stated that the investigation will continue, with physical search warrants, interviews, and seizures aimed at identifying other individuals who exploited this service to target innocent Americans and corporations.

At the time of reporting, no attorney has been identified for Wang. The FBI has set up a webpage to assist potential victims in determining if their device has been compromised and to guide them through a self-remediation process.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
