Skip to content

Botnet Bust: How International Cooperation Dismantled 911 S5

Bola Ogbara
Bola Ogbara Connect on LinkedIn
3 min. read

A coordinated effort involving multiple countries dismantled the 911 S5 botnet global cybercrime network, which compromised 19 million IP addresses.

Botnet Bust (1)

On May 29, 2024, the US Department of Justice (DoJ) announced that they had successfully disrupted the 911 S5 botnet, with the help of international law enforcement. 911 S5 was a keystone of global cybercrime infrastructure, providing a backdoor past fraud-detection defenses for a wide range of threat actors.


911 S5 compromised more than 19 million IP addresses globally, with more than 600,000 in the U.S. The creators of this network sold the IP addresses to cybercriminals who were able to hide their identity and frame the original owners of those IP addresses as they participated in illegal activities.

The botnet spread malware through VPNs (Virtual Private Networks), like Mask VPN and DewVPN. To control the infected devices - an immense task with computers in over 200 countries holding the malware - the creators used almost 150 servers worldwide, with the majority (76) being located in the United States. 


According to the DoJ, the botnet wreaked a wide range of havoc on its targets, including “financial crimes, stalking, transmitting bomb threats and threats of harm, illegal exportation of goods, and receiving and sending child exploitation materials.” The cybercriminals even took advantage of U.S. pandemic relief programs, amounting to billions of dollars in fraudulent loans. 


The enforcement action began with an investigation into a money laundering and smuggling conspiracy: cybercriminals in Ghana used IP addresses from the botnet to place orders using stolen credit cards on ShopMyExchange, an online e-commerce platform for the Department of Defense’s largest retailer the - Army and Air Force Exchange Service (AAFES). The fraudulent orders were valued at $5.5 million but federal investigators were able to block a large portion of the purchases, reducing the real loss to about $254,000. 


The takedown required coordination between law enforcement in the U.S., Singapore, Thailand, and Germany. They searched residences and seized many luxury assets, servers, and 23 domains which allowed them to successfully shut down the malicious backdoors and prevent more crimes through the recently made service. 


On May 24, 2024, YunHe Wang was arrested for creating and deploying 911 S5. He made nearly $99 million by selling the hijacked IP addresses, and used the money to purchase property all over the world (including the U.S., St. Kitts and Nevis, China, Singapore, Thailand, and the UAE). He also used the money to open several domestic and international bank accounts, more than 20 cryptocurrency wallets, luxury cars (a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, and a Rolls Royce), luxury watches, and 20 domains – all seized in the bust. 


If convicted on all counts of “conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering”, Wang could face up to 65 years in prison. The Office of Foreign Assets Control (OFAC) issued sanctions against Wang, Jingping Liu, Yanni Zheng and three entities controlled by Wang (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited). 


This operation is proof that the US is getting a better grasp on botnets and how accessing single vulnerabilities (like the domains in this case) can easily turn the tides in the fight against malware. Defense Criminal Investigative Service (DCIS) Director Kelly P. Mayo expressed similar sentiments in the press release: “The disruption, seizure, and arrest of the perpetrator(s) responsible for the 911 S5 cybercriminal enterprise demonstrates the forward leaning posture of the Department of Defense Office of Inspector General Defense Criminal Investigative Service (DCIS) Cyber Field Office. This investigation showcases the critical import of identifying and pursuing emerging threats and technologies targeting our warfighters, and the industrial base that supports them. Today’s announcement illustrates the magnitude of cooperation within federal law enforcement and our foreign partners pursuing criminals in the rapidly evolving cybercrime arena.” 


The 911 S5 takedown is just one of many recent botnet disruptions. Europol’s Operation Endgame targeted droppers like IceID, System BC, Pikabot, Smokeloader, Bumblebee and Trickbot in the largest ever operation against botnets. Droppers are part of the first step of a malware attack, allowing hackers to deploy all types of malware by side stepping cybersecurity measures. Operation Endgame will cut down on spyware, viruses, and ransomware spearheaded by these programs. 


While the fight against botnets is far from over, the success of operations like these offers hope for a more secure digital future. Through continued vigilance, collaboration, and innovation, we can stay one step ahead of cybercriminals and safeguard the integrity of the online ecosystem for generations to come.