Chinese national charged with operating ‘world’s largest botnet’ linked to billions in cybercrimes

A Chinese national has been arrested for his role in operating a residential proxy service that was used to defraud billions of dollars from the U.S. government and fund his lavish lifestyle, which included buying luxury cars and property around the world, the Department of Justice announced Wednesday.

YunHe Wang, 35, was arrested on May 24 and charged with creating a massive network of hijacked computer devices, also known as a “botnet,” that was used to conduct cyber attacks, fraud, child exploitation, bomb threats, and export violations, the department alleged. Wang administered the botnet, called “911 S5,” through about 150 servers worldwide from 2014 to 2022, according to an indictment unsealed last week.

About 76 of the servers were leased from online service providers based in the United States, the indictment said. The botnet infected over 19 million IP addresses in nearly 200 countries, including over 613,000 IP addresses located in the United States, according to prosecutors.

The Justice Department announcement comes after Wang and his two co-conspirators, Jingping Liu and Yanni Zheng, were sanctioned by the Department of Treasury for their alleged involvement with the malicious botnet. The department also imposed sanctions on three luxury companies Wang owned or controlled.

Authorities also searched Wang’s residences and seized assets valued at about $30 million as well as identifying other property valued at roughly an additional $30 million, prosecutors said.

“The conduct alleged here reads like it’s ripped from a screenplay,” Matthew Axelrod, assistant secretary for export control at the Department of Commerce, said in a statement Wednesday. “A scheme to sell access to millions of malware-infected computers worldwide, enabling criminals over the world to steal billions of dollars, transmit bomb threats, and exchange child exploitation materials — then using the scheme’s nearly $100 million in profits to buy luxury cars, watches, and real estate.”

The Department of Justice partnered with the FBI and international law enforcement agencies in Singapore, Thailand, and Germany to dismantle the botnet and arrest Wang. The case is the latest in the federal government’s ongoing effort to thwart global cybercrime, which has become increasingly widespread.

These crimes can range from intellectual property theft to ransomware and can cost businesses billions of dollars in losses in addition to threatening critical sectors across the country, according to the Department of State. In recent years, federal authorities have expanded their international operations and country-to-country partnerships in order to better address cyber threats.

‘Urgency and severity of cyberattacks’: EPA urges water utilities to protect nation’s drinking water amid heightened cyberattacks

911 S5 Botnet ‘likely the world’s largest botnet ever’

FBI Director Christopher Wray said in a statement Wednesday that 911 S5 is “likely the world’s largest botnet ever.” According to the indictment, Wang allegedly spread his malware through Virtual Private Network programs and pay-per-install services, which allowed him to manage and control the roughly 150 servers.

Paying customers were then given access to proxied IP addresses that were linked to the hacked devices, the indictment said. Cybercriminals used those addresses to hide their locations and “anonymously commit a wide array of offenses,” the Department of Justice alleged.

“These offenses including financial crimes, stalking, transmitting bomb threats and threats of harm, illegal exportation of goods, and receiving and sending child exploitation materials,” according to the department. “Since 2014, 911 S5 allegedly enabled cybercriminals to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs.”

Specifically, the botnet targeted COVID-19 pandemic relief programs and filed an estimated 560,529 fraudulent unemployment insurance claims, according to the indictment. Federal authorities confirmed that more than $5.9 billion was stolen as a result.

The indictment further alleged that Wang had amassed about $99 million — either in cryptocurrency or fiat currency — from his sales of the infected proxied IP addresses. He used the illicit proceeds to purchase luxury assets and property.

Wang bought property in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates, according to the indictment. He also had dozens of other assets, such as luxury cars, watches, international bank accounts, and cryptocurrency wallets.

Wang was charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. He faces a maximum of 65 years in prison.

Cybercrime, COVID fraud in the U.S.

Cybercrime is a “significant and growing threat” to the country’s national and economic security, according to the State Department. As people become more dependent on information and communication technologies, the department said more criminals continue to shift online.

Wang’s arrest also comes amid a push from federal officials for organizations to update and follow cybersecurity guidelines. Federal agencies have issued multiple advisories for cyberattacks committed by foreign groups in recent years.

In January, the FBI and Department of Justice announced that they had “disrupted a botnet of hundreds of U.S.-based small office/home office routers hijacked” by China-linked hackers. The group, known as “Volt Typhoon,” targeted critical infrastructure organizations in the United States, such as water systems and electric grids.

The surge in malicious cyber incidents coincides with the rise in online communication during the COVID-19 pandemic, according to a 2023 cyberthreat study. Citing FBI data, the study said cybercrime increased by 400% during the pandemic.

“Cybercriminals find the uncertainty brought by changing daily habits opportune and the increased virtual existence is converted into available attack vectors,” the study noted.

In the four years since the onset of the pandemic, the Internal Revenue Service has investigated over 1,600 tax and money laundering cases related to COVID-19 fraud potentially worth about $8.9 billion, the agency said in March. Cases included fraudulently obtained loans, credits and payments meant for U.S. workers, families and small businesses under the Coronavirus Aid, Relief and Economic Security, or CARES, Act.

Contributing: Josh Meyer, USA TODAY