The U.S. Treasury Department sanctioned three Chinese nationals on Tuesday for their alleged involvement in operating the 911 S5 proxy botnet widely used for fraudulent activities, including credit card theft and Coronavirus Aid, Relief, and Economic Security program frauds.
The sanctions are aimed at curbing the operations linked to the botnet, which caused major financial losses amounting to “billions” of dollars to the U.S. government.
The Rise and Demise of 911 S5 Botnet
The botnet in question played a critical role in executing numerous fraudulent schemes through stolen residential IP addresses.
“The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government.”
911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select the IP addresses they can use to connect to the internet using intermediary, internet-connected computers that have been compromised without the computer owners’ knowledge. 911 S5 essentially enables cybercriminals to conceal their originating location, effectively defeating fraud detection systems, the U.S. Treasury explained.
The 911 S5 botnet was also implicated in a series of bomb threats made in July 2022, according to the Treasury. Investigators found links of IP addresses within the proxy botnet network being used in this incident. The network was connected to 911 S5, a residential proxy service that allowed users to mask their IP addresses by routing their web activity through compromised devices.
The 911 S5 service went offline in July 2022, following a purported hacking incident that damaged essential data. The disruption was reported by independent journalist Brian Krebs. Despite its shutdown, the impacts of its previous operations continued to reverberate, leading to the current sanctions.
The Individuals and Businesses Sanctioned
The sanctioned individuals include Yunhe Wang, allegedly the administrator of the botnet; Jingping Liu, accused of laundering proceeds for Wang; and Yanni Zheng, who reportedly acted as power of attorney for Wang and facilitated business transactions on his behalf through the company Spicy Code Company Limited.
The men are believed to reside in Singapore and Thailand, countries that were acknowledged as partners in the sanctions announcement.
Three businesses registered in Thailand were also sanctioned for their connections to Wang. These sanctions require that any property and interests owned by the three men within the U.S. be reported to the Treasury, and prohibit U.S. citizens or residents from engaging in business with them.
Only these three individuals and the businesses implicated in their fraudulent schemes were sanctioned by the Treasury, but no indictments or legal actions were revealed by the U.S. Department of Justice (DOJ), as is the case in many other instances.
Broader Ongoing Cybersecurity Concerns
The sanctions against these individuals are part of a broader effort by the U.S. government to address cybersecurity threats linked to state-sponsored hacking groups.
Google-owned cybersecurity firm Mandiant warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns.
In January, the DOJ announced the takedown of a botnet associated with Volt Typhoon, a hacking group with ties to the Chinese government. This group was known for infecting home and office routers with malware to obscure its hacking activities.
The concerted actions by U.S. authorities and private defenders highlight the ongoing challenges and complexities in combating cybercrime and protecting critical financial and infrastructural systems from sophisticated malicious actors.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
