Treasury Sanctions Creators of 911 S5 Proxy Botnet – Krebs on Security

The U.S. Treasury Department today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one's Web traffic through malware-infected computers around the globe. KrebsOnSecurity identified one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed down ten days later.

The proxy service powered by the 911 S5 botnet, circa July 2022.

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as "proxies" that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe, but predominantly in the United States.

911 built its proxy network mainly by offering "free" virtual private networking (VPN) services. 911's VPN worked largely as advertised for the user, allowing them to surf the web anonymously, but it also quietly turned the user's computer into a traffic relay for paying 911 S5 customers.

911 S5's reliability and very low prices quickly made it one of the most popular services among denizens of the cybercriminal underground, and the service became almost shorthand for connecting to that "last mile" of cybercrime: that is, the ability to route malicious traffic through a computer in close physical proximity to a consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available. That included paying affiliates to distribute their proxy software by secretly bundling it with other software.

A cached copy of flashupdate dot net, a pay-per-install affiliate program that incentivized the silent installation of 911's proxy software.

That story identified Yunhe Wang of Beijing as the apparent owner or manager of the 911 S5 proxy service. In today's Treasury action, Mr. Wang was named as the primary controller of the botnet that powers 911 S5.

"A review of records from network infrastructure service providers known to be used by 911 S5 and two Virtual Private Networks (VPNs) specific to the botnet operation (MaskVPN and DewVPN) identified Yunhe Wang as the registered subscriber to those providers' services," reads the Treasury announcement.

The sanctions say Jingping Liu was Yunhe Wang's co-conspirator in the laundering of criminally derived proceeds generated from 911 S5, mainly virtual currency. The government alleges the virtual currency paid by 911 S5 users was converted into U.S. dollars through brokers who wired and deposited the funds into bank accounts controlled by Liu.

"Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang," the document continues. "These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats."

The third person sanctioned, Yanni Zheng, is a Chinese national the U.S. Treasury says acted as power of attorney for Wang and his company, Spicy Code Company Limited, and helped funnel business proceeds into real estate purchases. Spicy Code Company was also sanctioned, along with Wang-controlled properties Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited.

Ten days after the July 2022 story here about 911 S5, the proxy network abruptly closed up shop, citing a data breach that destroyed key components of its business.

In the months that followed, however, 911 S5 would resurrect itself under a different name: Cloud Router. That's according to spur.us, a U.S.-based startup that tracks proxy and VPN services. In February 2024, Spur published research showing the Cloud Router operators reused many of the same components from 911 S5, making it relatively simple to draw connections between the two.

The Cloud Router homepage, which according to Spur has been unreachable since this past weekend.

Spur found that Cloud Router was powered by a new VPN service called PaladinVPN, which made it far more explicit to users that their Internet connections were going to be used to relay traffic for others. At the time, Spur found Cloud Router had more than 140,000 Internet addresses for rent.

Spur founder Riley Kilmer said Cloud Router appears to have suspended or ceased operations sometime this past weekend. Kilmer said the number of proxies advertised by the service had been trending downward quite recently before the website went offline.

The Cloud Router homepage now displays a message from Cloudflare saying the domain's nameservers are pointing to a "banned IP."
