"Largest botnet ever" 911 S5: Suspect arrested
For almost a decade, a huge VPN was secretly running on around 20 million Windows computers. The operator became rich, but is now in custody.
According to the FBI, the "probably largest botnet in history" is said to have infected Windows computers behind 19 million IP addresses and misused them for VPN services under various brand names. US authorities call the botnet "911 S5". It ran from 2014 to 2022 and YunHe W., the suspected operator, is now in custody. This is reported by the US Department of Justice, which is bringing the man to trial. The accused is presumed innocent.
IT security researcher Brian Krebs analyzed 911 S5 back in 2022 and identified W. as the prime suspect at the time. Shortly after Krebs' publication, 911 S5 went offline, citing ongoing attacks, stolen accounts and destroyed data. According to the US authorities, the suspect infected Windows computers in almost 200 countries and controlled them with around 150 control servers distributed around the world. He then rented out internet access via these foreign computers, payable with Bitcoin and Chinese and Russian payment services.
Anyone who accessed and installed the VPN software also made their computer part of the network. However, the suspect is said not to have disclosed this. He also paid third parties to distribute his botnet software via other programs and Flash files. W. is said to have earned over 99 million US dollars and invested it in real estate, luxury cars and expensive watches.
Resurgence stifled
This February, SPUR reported that someone had reactivated a small part of 911 S5; around 140,000 IP addresses of the old botnet were bookable under the name Cloud Router. This time, customers were not told that their device would also become part of the network if they installed the VPN software. The FBI has published recommendations for detecting and removing the software.
In a joint operation, authorities in Germany, Singapore, Thailand, and the USA have now seized Cloud Router control servers, Internet domains and assets attributed to W. worth around 30 million US dollars. In addition, they have identified assets worth a further 30 million dollars that they still want to seize. It is not clear from the US Department of Justice's announcement where YunHe W. was arrested. The defendant is a citizen of St. Kitts and Nevis and the People's Republic of China.
In addition, the US Treasury Department has imposed economic sanctions against the defendant, three companies attributed to him and two suspected accomplices. In particular, the two other individuals are alleged to have helped launder the proceeds and invest them in real estate in several countries.
Litany of misdeeds
US Attorney General Merrick Garland accuses the operator of facilitating criminal activities by third parties through his service, including fraud, bomb threats, IT attacks, violations of export restrictions and the transmission of images of abuse of minors. Fraudulent applications for unemployment insurance benefits in the USA alone, which were submitted via the Internet access of unsuspecting Americans, are said to have caused damage amounting to 5.9 billion US dollars. The perpetrators used personal data taken from inadequately secured databases, of the kind that is continually published or sold online.
Perpetrators are also said to have used 911 S5 to enrich themselves from other people's bank accounts and credit cards. Especially when using foreign credit card data, access via IP addresses assigned to households is a preferred means of evading the fraud defenses of payment service providers, because the traffic appears to come from an ordinary residential connection. In the USA alone, investigators count around 614,000 IP addresses that were used to run 911 S5.
The criminal case is called "United States of America v YunHe W." and is pending in the US Federal District Court for Eastern Texas under case number 4:23-cr-101. The charges are computer fraud and conspiracy to commit computer fraud, money laundering and fraud involving telecommunications. If W. is found guilty, he faces up to 65 years in prison.
(ds)