US DOJ: Chinese Hacker Behind Highly Destructive 911 S5 ‘Cloud Router’ Botnet Arrested and Threat Neutralized

The U.S. Justice Department announced this week the takedown of the extensive 911 S5 proxy botnet and the arrest of its alleged operator, a Chinese national. Earlier in the week, the Treasury Department sanctioned three Chinese individuals, Yunhe Wang, Jingping Liu, and Yanni Zheng, linked to the botnet's creation and operation. These sanctions also extended to three companies in Thailand purportedly owned or controlled by Wang.
The Justice Department's announcement confirmed that Wang, believed to be the botnet's administrator, was arrested on May 24, and the botnet was successfully dismantled. Cybersecurity expert Brian Krebs had highlighted the 911 S5 botnet in 2022, identifying Wang as its owner. Although 911 S5 was shut down shortly after Krebs' report, it resurfaced in October 2023 as Cloud Router, only to cease operations again just before the U.S. government's intervention.
The disruption of the botnet was part of an international law enforcement effort involving agencies from the U.S., Germany, Singapore, and Thailand. This operation led to the seizure of 23 domains and over 70 servers used by both the 911 S5 and Cloud Router botnets. Described by the FBI director as "likely the world’s largest botnet," 911 S5 compromised 19 million Windows devices across more than 190 countries between 2014 and 2022. The botnet's malware was distributed through ‘free’ VPN applications, covertly converting the infected devices into proxies for various illicit activities.
These compromised proxies facilitated numerous malicious operations, including cyberattacks, fraud, bomb threats, child exploitation, and export violations. According to the Department of Justice, the 911 S5 client interface software, hosted on U.S.-based servers, enabled cybercriminals abroad to use stolen credit cards and other criminally obtained proceeds to purchase and illegally export goods.
Wang faces charges of conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, potentially resulting in a 65-year prison sentence. The indictment states that Wang earned approximately $99 million from selling proxied IP addresses between 2018 and 2022, with part of the proceeds used to acquire real estate in multiple countries and several luxury vehicles. Authorities have seized assets worth around $30 million and identified additional forfeitable property valued at another $30 million. Wang was apprehended in Singapore and is awaiting extradition to the United States.
In response to this crackdown, the FBI has published guidance to help users detect and remove the malicious VPN applications from their devices.