Chinese National Accused of Running the Biggest Botnet in the World Arrested

A Chinese national has been arrested for allegedly running a botnet of 19 million infected IP addresses in nearly 200 countries, amassing at least $99 million by leasing his network to criminals for cybercrimes including COVID-19 pandemic relief scams.

The Department of Justice (DOJ) said Wang Yunhe, 35, offered customers the use of his network of compromised IP addresses for a fee from 2014 until July 2022, according to a statement issued on May 29. The service, named “911 S5,” allowed cybercriminals to conceal their digital footprint when engaging in nefarious online activities.

Those offenses included financial crimes, stalking, transmitting bomb threats and threats of harm, illegal exportation of goods, and receiving and sending child exploitation materials.

The network was “likely the world’s largest botnet ever,” the DOJ stated, quoting FBI Director Christopher Wray.

Related Stories

Authorities also seized $29 million in cryptocurrency, according to Mr. Leatherman.

To build up his botnet, Mr. Wang allegedly began developing malicious virtual private network (VPN) programs, such as MaskVPN, DewVPN, and Shine VPN, as early as 2011, according to the indictment. He then allegedly distributed his malware “with the intent to infect residential computers worldwide.”

A VPN is a service that typically hides a user’s IP address and encrypts an internet connection, diverting traffic through a remote server.

“Wang then managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S.-based online service providers,” the statement reads.

As of July 2022, Mr. Wang amassed more than 19 million unique IP addresses by spreading his malware to computers worldwide. “Cybercriminals using the 911 S5 service were able to select by city, state, zip code, or country exactly the IP addresses through which they wanted to connect to the internet,” the indictment reads.

Of the 19 million IP addresses, Mr. Wang’s botnet included about 613,841 IP addresses in the United States, according to the indictment, and his malware infected about 346 computers in the Eastern District of Texas between April 2020 and July 2022.

Mr. Wang’s botnet ceased operations in July 2022, but infected computers “remain actively compromised,” the indictment states, and so “the botnet remains available to be reconstituted into a new illicit proxy service at any time.”

Cooperation

According to the DOJ, law enforcement agencies in Singapore, Thailand, and Germany worked with U.S. officials on the case. The joint operation led to the seizure of 23 domains and more than 70 servers.

“As today’s case makes clear, the long arm of the law stretches across borders and into the deepest shadows of the dark web,” Mr. Garland said.

Mr. Wang allegedly used the proceeds received from customers of his botnet to buy property in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates.

Mr. Wang is facing charges of conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, with a maximum prison sentence of 65 years.

Authorities are seeking to seize dozens of assets and properties allegedly owned by Mr. Wang, according to the indictment. These include a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, more than two dozen cryptocurrency wallets, several luxury wristwatches, and 21 residential or investment properties.

The Associated Press contributed to this report.