U.S. Justice Department Disrupts Massive Cybercriminal Operation, Arrests Alleged Botnet Creator
ICARO Media Group
In a major international law enforcement operation, led by the U.S. Justice Department, a prolific botnet used for cyber attacks, fraud, child exploitation, harassment, bomb threats, and export violations has been dismantled. The operation resulted in the arrest of YunHe Wang, a Chinese national and St. Kitts and Nevis citizen, on criminal charges related to his creation and operation of the botnet.
According to court documents, Wang and his associates allegedly developed and disseminated malware that compromised millions of residential Windows computers worldwide. These compromised devices were linked to over 19 million unique IP addresses, including more than 600,000 in the United States. Wang then offered cybercriminals access to these infected IP addresses for a fee, generating millions of dollars in illicit profits.
Attorney General Merrick B. Garland stated, "This Justice Department-led operation brought together law enforcement partners from around the globe to disrupt 911 S5, a botnet that facilitated cyber-attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations." Garland emphasized that cybercriminals will be held accountable, no matter where they operate, and that the Justice Department will continue to fight against these illegal activities.
FBI Director Christopher Wray acknowledged the significance of the joint operation, stating, "Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet - likely the world's largest botnet ever." Wray emphasized the FBI's commitment to protecting American businesses and individuals, and its determination to apprehend those who profit from cybercrime.
The indictment alleges that Wang propagated his malware through various Virtual Private Network (VPN) programs and pay-per-install services. Access to the infected devices allowed cybercriminals to conceal their identities and commit a wide range of offenses such as financial fraud, stalking, bomb threats, and child exploitation. The 911 S5 botnet also enabled cybercriminals to bypass financial fraud detection systems, resulting in billions of dollars in stolen funds.
The United States estimates that the botnet was utilized to engage in fraudulent activities related to pandemic relief programs, resulting in significant losses. For instance, 560,000 fraudulent unemployment insurance claims, totaling over $5.9 billion, were linked to compromised IP addresses associated with 911 S5. Additionally, over 47,000 applications for the Economic Injury Disaster Loan program were identified as originating from compromised IP addresses.
Wang, who allegedly received approximately $99 million in illicit proceeds from the botnet, used the funds to purchase assets and properties worldwide, including real estate and luxury vehicles. The government has identified multiple assets subject to forfeiture, including luxury cars, bank accounts, cryptocurrency wallets, residential properties, and domains.
The operation involved a coordinated effort between law enforcement agencies from the United States, Singapore, Thailand, and Germany. Residences were searched, assets valued at approximately $30 million were seized, and additional forfeitable properties worth around $30 million were identified. Furthermore, dozens of domains and servers linked to the botnet were seized, effectively shutting down Wang's operations and preventing further victimization.
In response to this major cybercriminal operation, the Treasury Department's Office of Foreign Assets Control (OFAC) issued financial sanctions against Wang, as well as two other individuals and three entities associated with 911 S5.
The U.S. Department of Defense's Office of Inspector General Defense Criminal Investigative Service (DCIS) Cyber Field Office commended the success of the operation, emphasizing the importance of identifying and pursuing emerging threats in the cybercrime arena.
Wang is facing multiple charges, including computer fraud, wire fraud, and money laundering, with a maximum prison sentence of 65 years if convicted.
The U.S. Justice Department expressed gratitude to international law enforcement partners, including the Attorney-General's Chambers of Singapore and the Royal Thai Police, for their crucial assistance in the operation. The department also acknowledged the support of the Treasury Department's OFAC, as well as the contributions from Chainalysis, the Shadowserver Foundation, and Microsoft during the investigation.
Individuals affected by the 911 S5 malware can find more information and assistance at www.fbi.gov/911S5. The investigation into this cybercriminal enterprise remains ongoing, as law enforcement agencies continue to target and dismantle similar operations worldwide.