US sanctions Chinese nationals for running 911 S5 proxy botnet linked to cybercrime and bomb threats

 


The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on three Chinese nationals, Yunhe Wang, Jingping Liu, and Yanni Zheng, accused of operating a residential proxy botnet known as 911 S5, which officials allege was used to conduct a variety of cybercrimes and to facilitate bomb threats across the United States. Three entities associated with Yunhe Wang (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited) were also sanctioned.

The 911 S5 botnet infected user devices with proxy malware, allowing cybercriminals to route their malicious traffic through compromised devices, masking their true locations. The botnet compromised approximately 19 million IP addresses and was instrumental in facilitating tens of thousands of fraudulent applications for Coronavirus Aid, Relief, and Economic Security (CARES) Act programs, leading to billions of dollars in losses for the US government. The compromised IP addresses were also connected to a series of bomb threats made throughout the United States in July 2022.

The 911 S5 service was shut down in July 2022 after hackers breached the service and leaked user data. Following its closure, security firm Spur reported that the service attempted to rebrand and relaunch as CloudRouter.

Yunhe Wang is identified as the primary administrator of the 911 S5 service. Investigations revealed that he was the registered subscriber for network infrastructure service providers and two VPN services, MaskVPN and DewVPN, utilized by the botnet.

Jingping Liu, a co-conspirator, was responsible for laundering the proceeds from the botnet, primarily through virtual currency. The virtual currency payments made by 911 S5 users were converted into US dollars and wired into bank accounts controlled by Liu. These funds were then used to purchase luxury real estate for Wang. Yanni Zheng's specific role in the operation was not detailed in the announcement.

As a result of the sanctions, all property and interests in property of the designated individuals and entities within the United States or controlled by US persons must be blocked and reported to OFAC. The sanctions also prohibit US persons from engaging in transactions involving the blocked entities.

OFAC's regulations also stipulate that individuals or entities conducting certain transactions with the sanctioned parties may themselves face designation.
