The United States Department of Justice announced the takedown of the 911 S5 botnet Wednesday, marking the end of what was “likely the world’s largest botnet ever” at more than 19 million unique IP addresses, according to FBI Director Christopher Wray.
Following a DOJ-led investigation aided by international partners including the Singapore Police Force and Royal Thai Police, the botnet’s alleged operator YunHe Wang was arrested last Friday and charged with four federal counts: conspiracy, computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering.
Wang, a 35-year-old Chinese national and citizen-by-investment of Saint Kitts and Nevis in the West Indies, faces up to 65 years in prison if convicted. Authorities say Wang and accomplices ran 911 S5 from as early as 2011 through July 2022, infecting millions of devices with backdoor malware and selling access to the compromised IPs for customers to commit crimes ranging from cyberattacks to child exploitation.
“Cybercriminals should take note. Today’s announcement sends a clear message that the Criminal Division and its law enforcement partners are firm in their resolve to disrupt the most technologically sophisticated criminal tools and hold wrongdoers to account,” Principal Assistant Attorney General Nicole M. Argentieri, head of the DOJ’s Criminal Division, said in a statement.
What was 911 S5?
The massive botnet 911 S5 was created by spreading malware through free VPN programs with names such as ProxyGate, Mask VPN and Dew VPN, as well as by bundling the backdoor software with other software, such as pirated versions of legitimate programs, an unsealed indictment reveals.
Residential Windows-based computers were mostly targeted, although devices connected to enterprise and school networks were also affected. Unbeknownst to the owners of the compromised devices, their IP addresses would be leased out to others for a fee, enabling 911 S5 customers to mask their own IP and location while engaging in online criminal activity.
At least 200,000 of the 19 million unique IP addresses in 911 S5 were accessible at a time for use by 911 S5 customers, and customers could select specific IP addresses to appear as though their internet activity was coming from a particular location or through a specific internet service provider.
Infected devices were located across nearly 200 countries, with more than 613,000 hijacked IP addresses in the United States alone. Additionally, about 76 of the approximately 150 dedicated servers allegedly managed by Wang to run the botnet operation were leased from U.S.-based providers.
Crimes committed through the use of 911 S5 included cyberattacks, financial fraud, online harassment and bomb threats, export violations and child exploitation, according to the DOJ. For example, investigators estimated that $5.9 billion was lost through 560,000 fraudulent unemployment insurance claims coming from IP addresses compromised by 911 S5, and more than 47,000 fraudulent Economic Injury Disaster Loan (EIDL) applications are also suspected to have come through the botnet.
Authorities allege Wang raked in nearly $100 million by selling access to compromised IPs, and the unsealed indictment includes a long list of luxury items and vehicles, cryptocurrency wallets, bank accounts, web domains and properties in multiple countries to be forfeited as part of the criminal action against Wang.
How did authorities dismantle 911 S5?
The indictment, along with seizure warrants, released by the DOJ revealed details about the investigation that led to Wang’s arrest and the shutdown of the 911 S5 botnet.
The investigation began in December 2020, first led by the Defense Criminal Investigative Service, and was later joined by the FBI in February 2022.
In 2021, investigators conducted an undercover operation, purchasing 60 proxy connections on the 911 S5 website and using their access to the botnet’s client software to monitor the service. Authorities were also able to obtain and analyze a sample of the botnet malware after tracing one of the compromised IP addresses to the infected computer of a high school student in Texas.
Authorities were also able to gain information from the domains leveraged to spread and manage 911 S5 by obtaining records from the domain registrar GoDaddy. These records led them to identify Wang as their suspect.
During the investigation, Wang reportedly shut down 911 S5 in July 2022, shortly after an article published in Krebs on Security named Wang as the botnet’s operator. Wang cited a cyberattack on the 911 S5 service and deletion of botnet customer records as the reason for the shutdown, according to the published seizure warrants.
Despite the shutdown, the millions of compromised devices remained available for hijacking, leading to a revival and rebranding of the botnet to CloudRouter sometime around early 2023. The unsealed warrants indicate authorities sought seizure of all CloudRouter-related remains along with those associated with 911 S5.
Botnets, illicit residential proxy services pose widespread threat
The 911 S5 botnet served as a malicious residential proxy service leveraging millions of illegally hijacked IP addresses around the world by targeting residential computers with malware. However, devices connected to enterprise, school or other organizational networks can also be compromised, such as when a computer is used for both work and personal tasks in a work-from-home scenario.
The malware distributed as part of the 911 S5 operation was developed to evade detection by common antivirus programs and establish persistent backdoor access to the compromised device. With the increase in remote workers following the COVID-19 pandemic, organizations should ensure security of remote worker endpoints is not neglected.
The botnet was also leveraged by threat actors for a range of cybercrimes, including large-scale fraud and cyberattacks. Even with the fall of 911 S5, other botnets will undoubtedly continue to be leveraged for campaigns ranging from state-sponsored espionage, large-scale phishing and distributed denial-of-service (DDoS) attacks.
With bot traffic likely to overtake human internet activity in the near future, and generative AI adding an extra bite to “bad bots,” organizations should stay prepared with robust measures against DDoS attacks, automated credential stuffing and other attacks facilitated by malicious botnets.
