Chinese national arrested for operating proxy service linked to billions in cybercrime
A Chinese national was arrested Friday for his alleged role in administering and operating a residential proxy service that compromised millions of computers worldwide and was utilized in criminal operations that prosecutors linked to billions of dollars in losses.
Prosecutors say YunHe Wang, 35, created the service known as “911 S5” in 2014 that aided cybercriminals in carrying out a wide range of activities — including ransomware, fraud, cyber attacks, child exploitation and bomb threats. Using various virtual private network services and pirated versions of other software, Wang installed malware on users’ computers and then sold access to the compromised IP addresses of those devices to cybercriminals for a fee, generating roughly $99 million for himself between 2018 and July 2022.
In 2022, 911 S5 was publicly exposed, prompting Wang to reconstitute the service as “CloudRouter.”
Wang’s proxy service compromised millions of Windows computers worldwide, according to the Department of Justice, resulting in 19 million unique IP addresses, including nearly 614,000 in the United States, being made available to Wang’s clients. Using compromised IP addresses within the U.S., especially, is an important facilitator for cybercrime given that U.S. infrastructure is more trusted than some other countries’, a senior FBI official told reporters Wednesday.
Brett Leatherman, the deputy assistant director for the FBI’s Cyber Division, said that it is generally much easier to log into the online accounts of financial institutions in the United States using an American IP address, and by making American IP addresses available to cybercriminals, 911 S5 helped facilitate a wide range of criminal activity. “American citizens didn’t know that their IP space was being utilized to attack U.S. businesses or defraud the U.S. government,” Leatherman said.
The FBI has not determined whether any state-backed hackers used the 911 S5 service, but Leatherman said that as both a law enforcement and intelligence agency, the FBI is “always concerned and looking to remove infrastructure from both criminal actors and nation states.”
Wang was arrested May 24 in Singapore, and U.S. authorities are working with their local counterparts to extradite him, Leatherman said. Wang faces charges of conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering, according to the DOJ. He faces a maximum sentence of 65 years in prison.
Wang, along with two associates — Jingping Liu and Yanni Zheng — were sanctioned by the U.S. Treasury Department on Tuesday for their roles in the operation.
U.S. authorities seized 20 domains associated with the service’s operation, according to a warrant filed in the case. The Defense Criminal Investigative Service began probing 911 S5 in December 2020 when a suspected criminal residing in Ghana used the service to place fraudulent orders using stolen credit cards on the Army and Air Force Exchange Service’s e-commerce platform, ShopMyExchange, according to the warrant.
Investigators eventually determined that more than 47,000 fraudulent Economic Injury Disaster Loan applications originated from IP addresses compromised by 911 S5, exceeding $2.3 billion in loan payments, according to the warrant.
Authorities also seized roughly $4 million worth of luxury watches, and roughly $30 million in real estate in Singapore, Thailand, Dubai and elsewhere, Leatherman said. Authorities also seized a number of high-priced cars, including one Ferrari, the DOJ said in a statement, along with more than two dozen cryptocurrency wallets.
The FBI also created a page where users can determine whether their computers had been infected.