Cyber crimes are starting to become commonplace recently.
First, it was the Mustafa data leak and JUMBO Group ransomware, that happened earlier this year. Then, it was the Ticketmaster data breach.
Now, it was reported that a man had operated a botnet and used it to sell IP addresses that could allow other cybercriminals to steal billions of dollars.
That’s not all. The criminal activities involved computers and establishments from many countries.
According to the US Department of Justice (DOJ), law enforcement in the US, Singapore, Thailand and Germany worked together to arrest the man-in-charge.
It sounds like an Avengers-level team-up. It’s true because this was a large-scale crime that included financial fraud, identity theft, child exploitation, and so much more.
What Happened?
In a press release by the US DOJ on Wednesday (29 May 2024), they announced that the cyber attack mastermind was a 35-year-old Chinese national.
Mr Wang YunHe was arrested on 24 May in Singapore, for the mass deployment of malware that resulted in 19 million computers being “infected”.
Known as the “911 S5” Botnet, Wang managed to infiltrate 19 million Windows computers and get their IP addresses.
After gaining access to the IP addresses, Wang allegedly sold them to cyber criminals who committed a slew of crimes involving billions of dollars.
So, Wang earns money from selling IP addresses to interested cyber criminals, while the cybercriminals earned money from doing crimes with the stolen IP addresses.
Win-win, right?
Wang YunHe: The 911 S5 Botnet And Its Associated Crimes
The idea of many computers being infected by malware is known as a botnet (see, bot is the computer, and net is short for network).
The network of infected computers is controlled by the attacker without the owners knowing.
An example such an attack is the one on our public healthcare platform back in November 2023. You can watch this video to know more:
According to Principal Deputy Assistant Attorney-General Nicole Argentieri, who is also head of the DOJ’s Criminal Division, Wang and his team “used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyber stalking”.
Wang managed to distribute the malware through free Virtual Private Network (VPN) programs. in other words, when unsuspecting people go to use the VPNs, Wang takes their IP address and sells it off.
In the DOJ statement, FBI Director Christopher Wray said this case, the network of 19 million infected computers, is the “world’s largest botnet ever”.
He added that the FBI managed to seize Wang’s assets and imposed restrictions on Wang and his team of co-conspirators.
I guess it was hard to do all of this alone.
Director Wray also mentioned that the 911 S5 Botnet infected computers “in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation”.
The cyber criminals who obtained the IP addresses from Wang allegedly committed “financial crimes, stalking, transmitting bomb threats and threats of harm, illegal exportation of goods, and receiving and sending child exploitation materials”.
This had been allegedly happening since 2014.
What Did Wang Do With the Money?
Wang is not only a Chinese national. He also holds a St Kitts and Nevis citizenship.
Then how did he land himself in Singapore?
According to the DOJ, he managed to “earn” US$99 million from selling the IP addresses to cyber criminals between 2018 and 2022.
With that money, he purchased 21 properties in the US, St Kitts and Nevis, Singapore, Thailand, China and the United Arab Emirates.
The Singapore Police Force told CNA that Wang was arrested in his Singapore home for his suspected crimes in the US.
The DOJ mentioned that the authorities are seizing a bunch of his assets, including his Ferrari, two BMWs, a Rolls Royce, many luxury watches and about 20 internet domains.
He also owned more than a dozen domestic and international bank accounts, and more than 24 cryptocurrency wallets that are subject to forfeiture.
Looks like he was playing Monopoly IRL but eventually got hit with the Go To Jail card.
As mentioned, Wang’s 911 S5 Botnet allegedly allowed cybercriminals to do whatever. Namely, the authorities found that they had bypassed detection systems and stolen billions of dollars from financial institutions, credit card issuers and federal lending programs like the US pandemic relief program.
So, how did Wang and his team get caught?
The DOJ said that law enforcement initially investigated 911 S5 when it was involved in money laundering and smuggling schemes.
Apparently, cyber attackers from Ghana and the US used the stolen IP addresses from 911 S5 and stolen credit cards to make fake orders on e-commerce platform ShopMyExchange.
Then it was reported that the police from the US, Germany, Thailand, and our very own Singapore Police Force searched the properties and seized Wang’s assets, including the domains that were linked to 911 S5.
The FBI, the Defense Criminal Investigative Service (DCIS) Cyber Field Office, and the Bureau of Industry and Security (BIS) Office of Export Enforcement in Dallas are reportedly still investigating the case, said the DOJ.
So far, Wang is charged with “conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering”.
If Wang is convicted of all of his crimes on all counts, he will face a maximum of 65 years in a US prison.
