TLDR
- U.S. law enforcement dismantled the 911 S5 botnet, which provided residential proxy services to cybercriminals, and arrested its alleged administrator, Chinese national Yunhe Wang.
- The botnet, consisting of 19 million infected devices across 190 countries, was used for various criminal activities, including financial fraud, identity theft, and child exploitation.
- Chainalysis assisted in the investigation by tracing $169 million in Bitcoin linked to 911 S5’s on-chain infrastructure, including cold storage wallets and exchange deposit addresses.
- Investigators employed advanced tactics, such as querying blockchain transaction data to identify addresses matching 911 S5’s service prices, revealing previously unknown wallets on the TRON blockchain.
- The U.S. Treasury Department’s OFAC sanctioned Wang and his associates, flagging 49 cryptocurrency addresses, while law enforcement seized assets worth approximately $30 million.
U.S. law enforcement agencies have dismantled the 911 S5 botnet, a massive network of 19 million infected devices spanning 190 countries.
The botnet, which functioned as a residential proxy service, was allegedly administered by Chinese national Yunhe Wang, who was arrested in Singapore on May 24, 2024.
The 911 S5 botnet provided cybercriminals with access to compromised residential IP addresses, enabling them to carry out a wide range of illegal activities, such as financial fraud, identity theft, child exploitation, and cyberattacks.
Criminals paid for these services using cryptocurrencies like Bitcoin, allowing the botnet’s administrators to generate substantial revenue.
Blockchain forensics firm Chainalysis played a crucial role in the investigation, assisting law enforcement agents in tracing $169 million in Bitcoin linked to 911 S5’s on-chain infrastructure.
By analyzing transaction data and applying advanced investigative techniques, Chainalysis helped agents uncover a network of wallets, including cold storage addresses and exchange deposit addresses, associated with the botnet.
One of the key findings was a cold storage wallet containing 4,322.25 BTC, worth approximately $169 million at the time of receipt.
This wallet showed connections to various crypto mixers and a Russian bulletproof hosting provider previously linked to ransomware strains.
Investigators also discovered that funds from this wallet were transferred to addresses controlled by Wang, some of which were later flagged by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
Investigators employed innovative tactics to identify previously unknown addresses on the TRON blockchain.
By querying transaction data and searching for specific prices charged by 911 S5 for its services, they uncovered a new network of wallets connected to the botnet.
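The price-matching idea described above, as an added illustration that is not code from the article, Chainalysis, or the investigation: every price and transfer below is a constructed placeholder (the article does not list 911 S5's actual prices), and the address names and threshold values are assumptions.

```python
"""Price-matching heuristic over a batch of token transfers (added example).
Deposit addresses of a subscription service tend to receive many payments from
many distinct payers in amounts equal to its fixed price tiers; an exchange
hot wallet or a personal wallet does not. All data here is constructed."""
from collections import defaultdict
from decimal import Decimal

# Hypothetical price tiers in USDT; stand-ins, not real 911 S5 prices.
KNOWN_PRICES = [Decimal("28"), Decimal("70"), Decimal("140"), Decimal("420")]

# Constructed TRC-20 style transfers: (payer, recipient, amount as string).
SAMPLE_TRANSFERS = [
    ("TPayerA", "TDeposit1", "28"),      # matches a tier
    ("TPayerB", "TDeposit1", "70"),      # matches a tier
    ("TPayerC", "TDeposit1", "140.2"),   # within fee/rounding tolerance
    ("TPayerD", "TDeposit1", "28"),      # matches a tier
    ("TPayerE", "TDeposit1", "33.3"),    # unrelated amount
    ("TPayerF", "TExchange", "1500.25"), # exchange-style deposit
    ("TPayerG", "TExchange", "28"),      # coincidental match, too few hits
    ("TPayerH", "TExchange", "9999"),
    ("TPayerI", "TPersonal", "70"),      # same payer repeating one amount
    ("TPayerI", "TPersonal", "70"),
    ("TPayerI", "TPersonal", "70"),
]

def price_matches(amount, prices, tolerance=Decimal("0.5")):
    """True if amount lies within tolerance of any listed price tier."""
    value = Decimal(str(amount))
    return any(abs(value - p) <= tolerance for p in prices)

def flag_candidate_addresses(transfers, prices, min_hits=3, min_ratio=0.6):
    """Group deposits by recipient and flag addresses whose incoming amounts
    are mostly price-tier matches coming from several distinct payers.
    Returns {address: {"hits", "total", "ratio"}} for flagged addresses."""
    stats = defaultdict(lambda: {"hits": 0, "total": 0, "payers": set()})
    for payer, recipient, amount in transfers:
        entry = stats[recipient]
        entry["total"] += 1
        if price_matches(amount, prices):
            entry["hits"] += 1
            entry["payers"].add(payer)
    flagged = {}
    for address, entry in stats.items():
        ratio = entry["hits"] / entry["total"]
        distinct_payers = len(entry["payers"])
        if entry["hits"] >= min_hits and ratio >= min_ratio and distinct_payers >= min_hits:
            flagged[address] = {"hits": entry["hits"], "total": entry["total"],
                                "ratio": round(ratio, 2)}
    return flagged
```

Only TDeposit1 is flagged: the exchange address has too few matching amounts, and the personal address receives a tier-sized amount but from a single payer, which the distinct-payer guard rejects. In practice the candidate list is a lead to be confirmed by clustering and counterparty analysis, not an attribution on its own.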
The takedown of the 911 S5 botnet resulted from a coordinated effort between authorities in the U.S., Singapore, Thailand, and Germany. Law enforcement disrupted 23 domains and over 70 servers critical to the botnet’s operations, while seizing assets worth approximately $30 million.
OFAC also sanctioned Wang and his associates, flagging 49 cryptocurrency addresses linked to their illicit activities.
Although Wang allegedly still controls over $136.4 million in Bitcoin, the flagging of these addresses by OFAC ensures that law enforcement and compliance professionals can monitor any movement of funds.