A Thailand-based Chinese man who created a cybercrime operation that seized control of Americans’ computers and led to $5.9 billion in fraudulent claims from the U.S. COVID-19 relief program was arrested in Singapore, according to the Justice Department.
The U.S. Treasury Department on Tuesday issued sanctions against YunHe Wang, 35, and two associates based in the Thai beach resort of Pattaya, alleging that they created a "botnet" – or robot network – called 911 S5 that took control of 19 million computers so criminals could use their internet connections.
On Wednesday, the Justice Department said Wang was arrested in Singapore last week following an international law enforcement effort led by the FBI and including Thai and Singaporean authorities.
U.S. Attorney General Merrick Garland said Wang made “more than $99 million” selling access to his network of hijacked computers, which he gained control of by offering victims free access to virtual private networks, or VPNs, which people use to hide their online activity.
What the free VPN users did not know, he said, was that their internet connections were being hijacked by Wang’s operation and sold on to “customers” who used their I.P. addresses to commit crimes.
"We estimate that 911 S5 customers are responsible for more than $5.9 billion in losses due to fraud against pandemic relief programs," he said at a press conference. "We and our partners have seized over $29 million dollars in criminal assets tied to the botnets operation."
“This case makes clear that the long arm of the law stretches across borders and into the deepest shadows of the dark web, and the Justice Department will never stop fighting to hold cybercriminals to account.”
FBI Director Christopher Wray said 911 S5 was “likely the world’s largest botnet ever,” and had provided its users with a veil that also facilitated identity theft and child exploitation crimes.
Stolen credit cards
An analysis by Krebs on Security, an online security news website, said users of Wang's free VPN services – including MaskVPN, DewVPN, PaladinVPN, Proxygate, Shield VPN, and ShineVPN – would have had few clues about the ways their connections were being used.
“911’s VPN performed largely as advertised for the user — allowing them to surf the web anonymously — but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers,” the article says, adding that the service was a lucrative one.
The botnet’s “reliability and extremely low prices quickly made it one of the most popular services” available on “the cybercrime underground,” with criminals able to use the service to make it appear as if they were nearly anywhere in the United States, according to the article.
That was useful, it explains, because it let a criminal route “malicious traffic” through a connection that is “geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied” and thereby avoid fraud detection.
Besides the $5.9 billion in fraudulent COVID-19 relief losses sustained because of the 911 S5 botnet, U.S. financial institutions identified "millions of dollars more" in losses due to fraudulent credit applications, according to a statement issued by the Justice Department.
With the proceeds of the botnet, Wang bought property in the United States, China, Singapore, Thailand, the United Arab Emirates and the Caribbean nation of St. Kitts and Nevis, where he also gained citizenship through investment in May 2022, the statement says.
An unsealed indictment says “dozens of assets and properties” have also been seized, including a Ferrari F8 Spider, a BMW i8, a BMW X7, a Rolls Royce, several luxury wristwatches, 21 properties, more than a dozen bank accounts and two dozen cryptocurrency wallets.
Wang was charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering and faces up to 65 years in prison if found guilty.
Edited by Malcolm Foster.