Three Chinese citizens and three Thailand-based companies they owned ended up sanctioned Tuesday for operating a malicious botnet tied to residential proxy service known as 911 S5, said officials at the Department of Treasury.

Yunhe Wang, Jingping Liu, and Yanni Zheng, face the sanctions as do Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited, all owned or controlled by Wang.

“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats,” said Under Secretary Brian E. Nelson.

As it turns out, the 911 S5 botnet was a malicious service that compromised victims and allowed attackers to proxy their Internet connections through these compromised computers. Furthermore, once a cybercriminal disguised their digital tracks through the 911 S5 botnet, their cybercrimes appeared to trace back to the victim’s computer instead of their own, officials said.

Additionally, the 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government, officials said.

Schneider Bold

Furthermore, the 911 S5 service enabled users to commit widespread cyber-enabled fraud using compromised victim computers associated to residential IP addresses. Moreover, the IP addresses compromised by the 911 S5 service also linked to a series of bomb threats made throughout the United States in July 2022.

In the investigation, Treasury partnered with the Federal Bureau of Investigation, Defense Criminal Investigative Service, U.S. Department of Commerce’s Office of Export Enforcement, as well as partners in Singapore and Thailand.

Cybercriminals covet stolen residential IP addresses to obfuscate malicious activity, particularly when carrying out credit card theft. Additionally, 911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select the IP addresses through which they connect to the Internet using intermediary, Internet-connected computers compromised without the computer owners’ knowledge. 911 S5 essentially enables cybercriminals to conceal their originating location, effectively defeating fraud detection systems.

Yunhe Wang is the primary administrator of the 911 S5 service, officials said. Additionally, a review of records from network infrastructure service providers known to be utilized by 911 S5 and two Virtual Private Networks (VPN) specific to the botnet operation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber to those providers’ services.

Jingping Liu was Yunhe Wang’s co-conspirator in the laundering of criminally derived proceeds generated from 911 S5, mainly virtual currency, officials said. The virtual currency that 911 S5 users paid to Yunhe Wang ended up converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Jingping Liu.

Yanni Zheng acted as the power of attorney for Yunhe Wang and his company, Spicy Code Company Limited, officials said. In addition, Yanni Zheng participated in numerous business transactions, made multiple payments, and purchased real estate property on behalf of Yunhe Wang, including a luxury beachfront condominium in Thailand.

Spicy Code Company Limited purchased additional real estate properties by Yunhe Wang.
Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited were both purchased by Yunhe Wang.


Pin It on Pinterest

Share This