The U.S. Department of Justice, in collaboration with international law enforcement agencies, says it has taken down a large botnet and arrested its administrator, YunHe Wang.

The botnet, called 911 S5, was allegedly used to commit cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats and export violations. The Justice Department claims that Wang and others disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide.

The botnet is to have had 19 million unique IP addresses, including 613,841 IP addresses in the U.S. An IP address does not specifically indicate individual computers — computers on a network can share an IP address — but the figure does point to the size of the botnet.

Wang, who is a Chinese national who also holds citizenship of St. Kitts and Nevis through investment, is alleged to have propagated the malware used to build the 911 S5 botnet through virtual private network programs, such as MaskVPN and DewVPN and pay-per-install services. In addition, the malware was also bundled with other program files, including pirated versions of licensed software and copyrighted materials.

The court documents allege that Wang managed and controlled approximately 150 dedicated servers worldwide, including 76 of which he leased from U.S.-based online service providers. Using the dedicated servers, Wang deployed and managed applications, commanded and controlled the infected devices, operated his 911 S5 service and provided paying customers with access to proxied IP addresses associated with the infected devices.

“As a result of this operation, YunHe Wang was arrested on charges that he created and operated the botnet and deployed malware,” U.S. Attorney General Merrick Garland said in a statement. “This case makes clear that the long arm of the law stretches across borders and into the deepest shadows of the dark web, and the Justice Department will never stop fighting to hold cyber criminals to account.”

The takedown of 911 S5 comes after U.S. authorities took down the infamous hacking site BreachForums on May 15. Not only did BreachForums return two weeks later, the site is now advertising 560 million stolen user credentials from Ticketmaster Entertainment LLC.

Botnets are not the same as hacking forums, but law enforcement attempts to take them down are similar, in that- every takedown has two possible outcomes: The same site or botnet returns after a certain amount of time or it’s replaced by a new service. The Qakbot botnet, another botnet “taken down” by a multinational task force led by the Federal Bureau of Investigation in August 2023, was back up and running by early October.

Image: Wikimedia Commons