Multibillion Dollar Botnet Scam Traced Back to a Single Person

Zombie Army

In what stands as a major cybersecurity win for US law enforcement, the Department of Justice announced the arrest of Yunhe Wan, a 35-year-old Chinese national accused of running what the FBI says is likely the biggest botnet scheme in history.

According to a DOJ press release, officials allege that Wan and his co-conspirators used pop-ups advertising free VPN services to distribute malware that infected "millions" of residential Windows computers in nearly 200 countries. The infected machines were turned into an extensive residential proxy service: paying customers routed their traffic through the victims' computers, so that to any website or government system it appeared to come from the home IP addresses of ordinary, unsuspecting people rather than from the criminals themselves.

Wan sold access to the network — known as "911 S5" — to other cybercriminals, who used it to commit "a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation," according to a statement by FBI director Christopher Wray.

The illicit scheme was massively successful. According to the DOJ, 911 S5 has raked in an eye-watering $99 million since its inception in 2014. Wan spent much of that income on luxury properties, cars, watches, and more.

"The conduct alleged here reads like it's ripped from a screenplay," said Department of Commerce official Matthew Axelrod in a statement. "A scheme to sell access to millions of malware-infected computers worldwide, enabling criminals over the world to steal billions of dollars, transmit bomb threats, and exchange child exploitation materials — then using the scheme's nearly $100 million in profits to buy luxury cars, watches, and real estate."

Finders Keepers

Now in custody, Wan has been charged with "conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering," per the release. He faces up to 65 years in prison.

Wan must've enjoyed an extremely lavish lifestyle. According to the DOJ, his "2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the [United Arab Emirates], St. Kitts and Nevis, and the United States), and 20 domains," are all up for forfeiture.

One of the more striking allegations in the indictment against Wan is that 911 S5 allowed foreign actors to pose as unemployed US residents during the coronavirus pandemic and file fraudulent claims for pandemic relief. Together, these actors drained nearly $6 billion in COVID aid funding from the US government.

911 S5 was also used for cyberstalking and to distribute child sexual abuse material.

Where the case goes next, and what a conviction would mean for victims of 911 S5-related crimes in terms of restitution, remains to be seen.