US Strikes Back: Sanctions Imposed on “911 S5” Botnet Operators

The U.S. Department of the Treasury has imposed sanctions on a cybercriminal network of three Chinese nationals and three Thailand-based companies. These individuals and entities are connected to the botnet behind “911 S5,” a large residential proxy service that rented out the internet connections of infected home computers.

Discovery and Activities of 911 S5

In June 2022, researchers at the University of Sherbrooke in Canada found that 911 S5 recruited victims by offering free VPN applications. The VPN installers bundled malware that turned the victim’s machine into a proxy node and added its IP address to the 911 S5 pool. At that time the botnet controlled roughly 120,000 residential proxy nodes worldwide, each checking in with multiple command-and-control (C2) servers located abroad or hosted on cloud infrastructure.

Suspension and Resurrection of the Botnet

A month later, in July 2022, investigative journalist Brian Krebs reported that 911 S5 had ceased operations after a security breach destroyed key components of its infrastructure. The botnet did not stay down for long: according to a report by Spur Intelligence in February, it was resurrected a few months later under the name CloudRouter.

OFAC Measures and Damages

The Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury described the 911 S5 botnet as a malicious service that compromised victims’ computers and let cybercriminals route their internet traffic through those infected machines.

Because the traffic exited from the victim’s home connection, it carried the victim’s residential IP address rather than the criminal’s, masking the attacker and attributing the abuse to the infected device. The botnet compromised approximately 19 million IP addresses, which cybercriminals used to file tens of thousands of fraudulent applications for CARES Act relief programs, resulting in billions of dollars in losses.

Sanctions Against Participants

OFAC has imposed sanctions on the following individuals and companies:

  • Yunhe Wang (administrator of 911 S5)
  • Jingping Liu (money launderer)
  • Yanni Zheng (trusted associate of Yunhe Wang)
  • Spicy Code Company Limited
  • Tulip Biz Pattaya Group Company Limited
  • Lily Suites Company Limited

According to OFAC documents, “these individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats.”

As a result of the designations, all property and interests in property of the listed individuals and entities that are in the United States or in the possession or control of U.S. persons are blocked, and U.S. persons are generally prohibited from transacting with them. Anyone who engages in certain transactions with these individuals and companies may themselves be exposed to sanctions or enforcement action.