Bottom line: The US Treasury Department has slapped sanctions on the shady individuals behind the notorious 911 S5 botnet hacking operation. This malicious network of compromised residential computers was a key resource for cybercriminals looking to cover their tracks.
The Treasury's Office of Foreign Assets Control (OFAC) designated three individuals – Yunhe Wang, Jingping Liu, and Yanni Zheng – as the ringleaders of the 911 S5 botnet scheme. They also blacklisted three Thailand-based companies owned by Wang that were involved in laundering the proceeds of the criminal activities.
The 911 S5 was essentially a massive network of hacked computers that cybercriminals could rent out to mask their true location and identity online. By piggybacking on these compromised residential IP addresses, the crooks could make it appear their nefarious activities were originating from an innocent victim's device rather than their own systems.
In 2022, security firm KrebsOnSecurity published a deep dive into how this network was operating. It noted that since 2015, 911 S5 had built its vast proxy network by offering seemingly innocuous "free" VPN services that stealthily conscripted users' Windows PCs into routing illicit traffic.
The firm observed that the network's huge footprint of compromised systems close to potential victims made it the premier option for cybercriminals seeking that "last mile" connection to pull off various online frauds and heists.
Now, the US Treasury notes that a staggering 19 million IP addresses were ensnared globally. The botnet's users submitted tens of thousands of fraudulent applications for pandemic relief funds like the Coronavirus Aid, Relief, and Economic Security Act programs, swindling the US government out of billions. The network's hijacked IP addresses were even linked to a wave of bomb threat hoaxes across the country in July 2022.
A review of records from network providers utilized by the botnet showed that Wang was the primary administrator running 911 S5. The virtual currency payments from 911 S5's criminal users were converted to US dollars by Liu and then laundered through bank accounts in her name. These funds were used to purchase luxury real estate properties for Wang.
Zheng facilitated many of these shady transactions as he acted as the power of attorney and legal representative for Wang and his company Spicy Code. Zheng participated in business transactions, made payments, and acquired real estate like a beachfront Thai condo on Wang's behalf.
Wang, Liu, and Zheng are all Chinese nationals. The three sanctioned companies are based in Thailand. The bust was coordinated with the FBI, Defense Criminal Investigative Service, the Commerce Department's export enforcement arm, and law enforcement partners in Singapore and Thailand.