FBI busts alleged mastermind behind massive network of hijacked devices

An international law enforcement operation led by the Department of Justice (DOJ) has disrupted a botnet known as 911 S5, which exploited free VPNs to facilitate various cybercrimes, including fraud, harassment and child exploitation.

YunHe Wang, 35, a citizen of China as well as St. Kitts and Nevis, was arrested on May 24 for allegedly creating and running this whole botnet scheme. The feds say he used malware to infect millions of personal Windows computers around the world, building a network with more than 19 million unique IP addresses.


Cybercriminal at work (Kurt “CyberGuy” Knutsson)

The impact of the botnet scheme

Wang allegedly created a system that allowed cybercriminals to mask their identities and commit crimes. He did that by creating and disseminating a botnet called 911 S5 to compromise and amass a network of millions of residential Windows computers worldwide from 2014 through July 2022, according to the DOJ. These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the U.S.

FBI Director Christopher Wray called 911 S5 the world’s largest botnet. It lets cybercriminals bypass financial fraud detection systems and steal billions of dollars from banks, credit card companies and federal lending programs. The government estimates that 560,000 fake unemployment insurance claims came from compromised internet addresses, leading to over $5.9 billion in confirmed losses.

“Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5,” the DOJ wrote. “Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5.”

The DOJ alleges that from 2018 until July 2022, Wang made about $99 million from selling hijacked proxied IP addresses through his 911 S5 operation, receiving payments in both cryptocurrency and fiat currency. Wang used this money to buy real estate in the United States, St. Kitts and Nevis, China, Singapore, Thailand and the United Arab Emirates.


Windows laptop on desk (Kurt “CyberGuy” Knutsson)


How the botnet operated

According to the DOJ, the malware was spread through free VPN programs like MaskVPN and DewVPN, which were distributed via torrent sites. It was also bundled with other programs, including pirated software, using pay-per-install services.

The operator managed around 150 dedicated servers globally, with 76 rented from U.S. online service providers. These servers were allegedly used to deploy and manage the malicious applications, control the infected devices, run the 911 S5 service and provide paying customers with access to the IP addresses of the compromised devices.

Essentially, the operator hijacked devices by infecting them with malware, the DOJ said. The infected devices then became part of the botnet, allowing their IP addresses to be rented out to cybercriminals. These cybercriminals could then use the hijacked IP addresses to anonymously carry out various offenses while concealing their true locations and identities.

A woman working on her laptop (Kurt “CyberGuy” Knutsson)


Why free VPNs should be avoided

Wang’s arrest serves as a cautionary tale against using free VPN services. As discussed, he allegedly exploited free VPNs like MaskVPN and DewVPN to distribute malware and enable cybercriminals to misuse the IP addresses of infected devices. However, this is not the only drawback of free VPNs.

Free VPN services often lack robust data protection measures, as they typically do not undergo third-party audits to verify their security practices. Users of free VPNs may also experience sluggish internet speeds and an increased risk of phishing attacks.

Instead of relying on free VPNs, you should consider investing in reputable, paid VPN services that prioritize user privacy, security and performance. Paid VPN providers are more likely to implement robust encryption protocols, maintain strict no-logging policies and offer faster connection speeds.


6 proactive measures to take to protect yourself from such frauds

You can easily protect cybercriminals from misusing your data or personal devices by following these steps:

1) Invest in a reputable paid VPN service: Paid VPN services offer robust encryption protocols, strict no-logging policies and faster connection speeds, ensuring enhanced privacy and security when browsing the internet or accessing online services. A paid VPN service can also protect against being tracked and identify your potential location on websites that you visit. Many sites can read your IP address and, depending on their privacy settings, may display the city from which you are corresponding. A VPN will disguise your IP address to show an alternate location. For the best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android & iOS devices.

2) Have strong antivirus software: The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android & iOS devices.

3) Invest in personal data removal services: While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time. Remove your personal data from the internet with my top picks here.

4) Use strong and unique passwords: Create strong passwords for your accounts and devices and avoid using the same password for multiple online accounts. Consider using a password manager to securely store and generate complex passwords. It will help you to create unique and difficult-to-crack passwords that a hacker could never guess. Second, it also keeps track of all your passwords in one place and fills passwords in for you when you’re logging into an account so that you never have to remember them yourself. The fewer passwords you remember, the less likely you will be to reuse them for your accounts.

5) Enable two-factor authentication: Enable two-factor authentication whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone, in addition to your password.

6) Keep software and operating systems up-to-date: Regularly update software, applications and operating systems to benefit from the latest security patches and vulnerability fixes, reducing the risk of exploitation by malware or cybercriminals.


Kurt’s key takeaways

Cybercriminals come up with new ways to exploit you, your data and your electronic devices. While it’s hard to predict which new tactic they have in store, you can protect yourself by being extra careful when navigating the web, dealing with phishing calls and clicking on links. The current cybercrime situation also teaches us not to use free VPN services, even if they sound very tempting.

Do you use a free VPN or a paid VPN service? What do you like about either of these services? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most asked CyberGuy questions:

Copyright 2024 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on “FOX & Friends.” Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.

Read More