
Massive 911 S5 Botnet Dismantled, Chinese Mastermind Arrested

The US announced that the 911 S5 (Cloud Router) botnet, likely the world’s largest, has been dismantled and its administrator arrested.


The US Justice Department announced on Wednesday that the massive 911 S5 proxy botnet has been dismantled and its alleged administrator, a Chinese national, has been arrested.

The Treasury Department earlier this week announced sanctions against three Chinese nationals accused of being involved in the creation and operation of the 911 S5 botnet. 

The sanctions targeted Yunhe Wang, Jingping Liu, and Yanni Zheng, as well as three Thailand-based companies that are allegedly owned or controlled by Wang.  

One day later, the Justice Department announced that 35-year-old Wang, who is allegedly the administrator of the botnet, was in fact arrested on May 24 and the botnet was dismantled.

Cybersecurity blogger Brian Krebs detailed the 911 S5 botnet back in 2022, naming Wang as the owner. 911 S5 was shut down by its operators shortly after, but reemerged in October 2023 as Cloud Router, which also ceased operations just days before the US government announced that it was targeting the botnet and its administrators.

The Justice Department revealed on Wednesday that the botnet was disrupted as part of an international law enforcement operation involving agencies from the US, Germany, Singapore and Thailand. The operation included the seizure of 23 domains and over 70 servers used by the 911 S5 botnet and its successor, Cloud Router. 

911 S5 (and Cloud Router), described by the FBI’s director as “likely the world’s largest botnet”, ensnared 19 million Windows devices across over 190 countries between 2014 and 2022. The malware that powered the botnet was delivered alongside ‘free’ VPN applications, enabling the botnet’s operators to use compromised devices as proxies without their owners’ knowledge. 

These proxies were used to disguise the origin of a wide range of malicious activities, including cyberattacks, fraud, bomb threats, child exploitation, and export violations. 


“The 911 S5 client interface software, which was hosted on U.S.-based servers, enabled cybercriminals located outside of the United States to purchase goods with stolen credit cards or criminally derived proceeds, and illegally export them outside of the United States,” the DoJ said.

Wang has been charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, and faces up to 65 years in prison.

According to the indictment, the Chinese national received roughly $99 million from the sale of proxied IP addresses between 2018 and 2022. He allegedly used some of the money to buy real estate in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates, as well as several luxury vehicles. Authorities have seized approximately $30 million worth of assets and identified forfeitable property valued at an additional $30 million. 

Wang was arrested in Singapore and is awaiting extradition to the United States. 

The FBI has provided instructions on how users can check their devices for the presence of the malicious VPN applications and how to remove them. 


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

