Key Takeaways
- The US Department of Justice (DOJ) announced the takedown of the world’s largest botnet, infecting over 19 million IP addresses across 190 countries.
- The botnet, dubbed “911 S5,” was used to commit billions of dollars in pandemic and unemployment fraud and to traffic in child exploitation material, while its operators earned millions by selling access to the infected machines.
- A Chinese national, YunHe Wang, was arrested as the alleged proprietor of the botnet service, which offered cybercriminals access to infected residential IP addresses.
- The botnet was built from free, illegitimate VPN applications that silently installed a proxy backdoor, enrolling each user’s device in the 911 S5 network.
- The FBI has released guidance to help users identify and remove malicious VPN applications associated with the 911 S5 botnet.
Dismantling the Massive Cybercrime Operation
In a major crackdown on cybercrime, the US Department of Justice (DOJ) announced on May 29, 2024, the dismantling of what is likely the world’s largest botnet ever uncovered. Dubbed “911 S5,” this vast network of compromised systems infected over 19 million IP addresses spanning more than 190 countries.
Over roughly a decade, the botnet enabled billions of dollars in illicit activity, chiefly pandemic and unemployment fraud, along with the trafficking of child exploitation material. The operator’s own revenue, which the DOJ puts in the millions of dollars, came from renting cybercriminals access to the infected IP addresses, in effect running a massive residential proxy service.
Residential Proxy Service and Cybercriminal Exploitation
According to the DOJ, the 911 S5 botnet functioned as a residential proxy service: whoever controlled it could rent out residential IP addresses, and customers then routed their internet traffic through those hosts as relays. Because the traffic appeared to originate from an ordinary home connection, the customer’s true location and identity were hidden from whatever site or service was on the receiving end.
Cybercriminals exploited this service to engage in various nefarious activities, including cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations. Of the infected Windows devices, a staggering 613,841 IP addresses were located within the United States.
Botnet Setup and Malicious VPN Applications
To build the 911 S5 botnet, Wang and his associates distributed free, illegitimate VPN applications that connected to the botnet’s infrastructure. The applications carried a hidden proxy backdoor, so users who downloaded and installed them unknowingly turned their devices into relays for the 911 S5 network.
In some cases the malicious VPN applications were bundled with games and other software and installed without the user’s consent. The FBI has published a public service announcement (PSA) to help users identify and remove the VPN applications associated with 911 S5: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.
Removal and Protection
The FBI’s PSA provides step-by-step instructions for uninstalling the identified VPN applications and confirming they are no longer running, which includes looking for and ending the related processes in the Windows Task Manager. Removing the visible application is only the first step: because the harmful component is the proxy backdoor the app installed, a system should also be checked for leftover services, background processes, and unexpected network connections before it is considered clean.
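The PowerShell script below is an added example, written for this page rather than taken from the FBI PSA or the DOJ materials. It automates the PSA’s checks on a Windows host: it looks for running processes, installed programs (uninstall entries), and services whose names match the six VPN application names listed above, and then lists any live TCP connections owned by a matching process, since a proxy backdoor that is relaying traffic will show connections the user did not open. The only indicators it knows are the marketing names from the PSA; the real executable, service, and uninstall-entry names are assumed to contain those strings, which is an assumption, so a match is a lead to verify rather than proof of infection. The `-Remediate` switch and all function names are this example’s own.

```powershell
<#
Added example, not part of the original article or the FBI PSA.
Sweeps a Windows host for the six VPN applications the PSA associates
with 911 S5 and reports processes, installs, services and connections.
ASSUMPTION: only the application names are matched (substring, case-
insensitive); the actual binary and service names are not reproduced here.
Run with -Remediate (from an elevated prompt) to stop matching processes
and services; uninstall strings are printed, not executed, for review.
#>
param([switch]$Remediate)

$Indicators = @('MaskVPN', 'DewVPN', 'PaladinVPN', 'ProxyGate', 'ShieldVPN', 'ShineVPN')

function Test-Indicator {
    # Returns the first indicator found in the given text, or $null.
    param([string]$Text)
    foreach ($i in $Indicators) {
        if ($Text -match [regex]::Escape($i)) { return $i }
    }
    return $null
}

function Find-SuspectProcesses {
    # The PSA's "look in Task Manager" step: match name, window title and path.
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_
        $path = try { $p.Path } catch { $null }   # protected processes may refuse
        $hit = Test-Indicator "$($p.ProcessName) $($p.MainWindowTitle) $path"
        if ($hit) {
            [pscustomobject]@{ Indicator = $hit; ProcessId = $p.Id; Process = $p.ProcessName; Path = $path }
        }
    }
}

function Find-SuspectInstalls {
    # Uninstall entries for 64-bit, 32-bit (WOW6432Node) and per-user installs.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $e = $_
            $hit = Test-Indicator "$($e.DisplayName) $($e.Publisher) $($e.InstallLocation)"
            if ($hit) {
                [pscustomobject]@{ Indicator = $hit; DisplayName = $e.DisplayName
                                   InstallLocation = $e.InstallLocation; UninstallString = $e.UninstallString }
            }
        }
}

function Find-SuspectServices {
    # A proxy backdoor that survives reboots is often registered as a service.
    Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | ForEach-Object {
        $s = $_
        $hit = Test-Indicator "$($s.Name) $($s.DisplayName) $($s.PathName)"
        if ($hit) {
            [pscustomobject]@{ Indicator = $hit; Service = $s.Name; State = $s.State; PathName = $s.PathName }
        }
    }
}

function Get-SuspectConnections {
    # Relay traffic shows up as TCP connections owned by the suspect processes.
    param([int[]]$ProcessIds)
    if (-not $ProcessIds) { return }
    Get-NetTCPConnection -OwningProcess $ProcessIds -ErrorAction SilentlyContinue |
        Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}

$procs    = @(Find-SuspectProcesses)
$installs = @(Find-SuspectInstalls)
$services = @(Find-SuspectServices)

"== Processes ==";   $procs    | Format-Table -AutoSize
"== Installs ==";    $installs | Format-Table -AutoSize
"== Services ==";    $services | Format-Table -AutoSize
"== Connections =="; Get-SuspectConnections -ProcessIds ($procs | ForEach-Object ProcessId) | Format-Table -AutoSize

if ($Remediate) {
    foreach ($s in $services) { Stop-Service -Name $s.Service -Force -ErrorAction Continue }
    foreach ($p in $procs)    { Stop-Process -Id $p.ProcessId -Force -ErrorAction Continue }
    foreach ($e in $installs) { "Uninstall manually (review first): $($e.DisplayName) -> $($e.UninstallString)" }
}
```

Run it first without `-Remediate` and read the four tables. Reading the uninstall keys works as a normal user, but stopping services and other users’ processes requires an elevated prompt, and `Get-NetTCPConnection` needs the NetTCPIP module shipped with Windows 8 / Server 2012 and later. The script deliberately prints each `UninstallString` instead of executing it, because those strings vary (MSI versus vendor uninstaller) and a malicious uninstaller should be inspected before it is run; after uninstalling, rerun the sweep and confirm all four tables are empty.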
By taking these steps, users can stop their machines from serving as relays in this cybercrime operation and reduce the risk of further exploitation. As threats continue to evolve, vigilance and proactive measures remain essential to keeping systems secure.