Is Your Computer Part of the ‘Biggest Botnet Ever?’ – Krebs on Security

The US Department of Justice (DOJ) today said it has arrested the alleged operator of 911 S5, a decade-old online anonymity service built on what the FBI director called “probably the largest botnet the world has ever seen.” The arrests coincided with the seizure of the 911 S5 database and supporting infrastructure, which the government says turned computers running various “free VPN” products into Internet relays that facilitated billions of dollars in online fraud and cybercrime.

Cloud Router home page, seized by the FBI this past weekend. Cloud Router was previously called 911 S5.

On May 24, authorities in Singapore arrested the designer and operator of 911 S5, a 35-year-old Chinese national named YunHe Wang. In a statement announcing his arrest today, the DOJ said 911 S5 enabled cybercriminals to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and government lending programs.

For example, the government estimates that 560,000 fraudulent insurance claims originated from compromised Internet addresses, resulting in verified fraudulent losses exceeding $5.9 billion.

“Additionally, in investigating suspected fraud losses in the Economic Injury Disaster Loan (EIDL) program, the United States estimated that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5,” the DOJ wrote. “Millions of dollars more have been identified in the same way by financial institutions in the United States as losses from the Internet domain addresses damaged by 911 S5.”

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers every day as “proxies” that allowed customers to route their Internet traffic through those PCs in almost any country or city in the world, but mostly in the United States.

911 S5 built its proxy network mainly by offering “free” virtual private network (VPN) services. 911’s VPN worked pretty much as advertised to the user, allowing them to surf the web anonymously, but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers.

The reliability of 911 S5 and its very low prices quickly made it one of the most popular services among denizens of the cybercriminal underground, and the service came close to giving cybercriminals that “last mile” connection: the ability to route malicious traffic through a computer in close proximity to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

911 S5 pricing page, circa July 2022. $28 allowed users to cycle through 150 proxies on this popular service.

KrebsOnSecurity first identified Mr. Wang as the owner of the service in an in-depth story on 911 S5 published in July 2022. That story showed that 911 S5 had a history of paying people to install its software by secretly bundling it with other software, including fake security updates for common programs like Flash Player, and “cracked” or pirated commercial software distributed on file-sharing networks.

Ten days later, 911 S5 closed up shop, saying it had been hacked. But experts quickly tracked the resurgence of the proxy network under another name: Cloud Router.

The announcement of Wang’s arrest came less than 24 hours after the US Department of the Treasury sanctioned Wang and two of his associates, along with several companies the men allegedly used to launder nearly 100 million in payments received from customers of 911 S5 and Cloud Router.

The Cloud Router home page now carries a notice saying that the site has been seized by the US government. In addition, the DOJ says it worked with authorities in Singapore, Thailand and Germany to search the defendant’s residences, and seized an estimated $30 million in assets.

The Cloud Router home page now includes an arrest notice from the FBI in multiple languages.

Those assets included a 2022 Ferrari F8 Spider SA, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, more than a dozen cryptocurrency wallets, several luxury watches, and 21 residential or investment properties.

The government says Wang is charged with conspiracy to commit computer fraud, computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted of all charges, he faces a maximum sentence of 65 years in prison.

Brett Leatherman, deputy assistant director of the FBI’s Cyber Division, said the DOJ is working with the Singapore government to extradite Wang to face charges in the United States.

Leatherman encouraged Internet users to visit a new FBI webpage that can help people determine whether their computers may be part of the 911 S5 botnet, which the government says includes more than 19 million computers in at least 190 countries.

Leatherman said 911 S5 and Cloud Router used several types of “free VPN” to entice consumers into installing the proxy service, including MaskVPN, DewVPN, PaladinVPN, Proxygate, ShieldVPN and ShineVPN.

“American citizens who didn’t know their IP address was being used to attack US businesses or defraud the US government, didn’t know,” Leatherman said. “But these kinds of activities raise that awareness.”
