SINGAPORE: An international law enforcement team has successfully arrested a Chinese national and dismantled a major botnet operation that has been active for nearly a decade.

The U.S. Department of Justice (DOJ) announced that Yunhe Wang, 35, was apprehended on May 24 in Singapore. The botnet, known as “911 S5,” is believed to be the largest of its kind, comprising a network of malware-infected computers across nearly 200 countries.

“Bots” in such cases refer to the computers being controlled by malware, while a botnet refers to a network of such compromised computers.

FBI Director Christopher Wray highlighted the scale and impact of the operation, noting that the botnet facilitated various criminal activities including identity theft, child exploitation, and financial fraud. Wang allegedly accumulated at least US$99 million by selling access to the botnet to other cybercriminals.

In a statement on May 29, the DOJ said Wang had allegedly worked with others between 2014 and July 2022 to create and disseminate the 911 S5 Botnet to millions of home-based Windows computers across the world.

Wang allegedly created malware that compromised millions of residential computers around the world, and then sold access to the infected computers to cybercriminals.

“These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyber stalking,” according to Principal Deputy Assistant Attorney-General Nicole Argentieri, head of the DOJ’s Criminal Division.

The FBI’s deputy assistant director for cyber operations, Brett Leatherman, revealed in a LinkedIn post that search warrants were executed in both Singapore and Thailand, leading to the seizure of $29 million in cryptocurrency.

According to an indictment filed in the Eastern District of Texas, Wang’s botnet was responsible for stealing billions of dollars from financial institutions, credit card issuers, accountholders, and federal lending programs since its inception in 2014.

The DOJ said more than 19 million internet protocol (IP) addresses (the numerical labels that identify devices on a network) ended up in what is likely to be the “world’s largest botnet ever.”

“The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation,” Mr Wray said.

Wang distributed VPN (virtual private network) software that posed as a free VPN service to lure unsuspecting victims, while cybercriminals were allowed to access the internet from those victims’ IP addresses. This allowed the cybercriminals to bypass geographical restrictions and security checks to commit various acts of fraud.

An archived version of one of Wang’s websites selling IP addresses showed that it cost $28 to purchase 150 addresses. Payment options included Bitcoin, Alipay, and WeChat Pay. The most expensive option was $674, providing access to 9,000 IP addresses from 190 countries.

The DOJ revealed that Wang, who also holds St. Kitts and Nevis citizenship, allegedly used the $99 million he received from cybercriminals who tapped his network from 2018 to July 2022 to purchase 21 properties across the US, St. Kitts and Nevis, Singapore, Thailand, China, and the United Arab Emirates.

US court documents showed he resided in properties he owned in Singapore, Thailand, and China, and operated several companies in various jurisdictions.

Court documents also described the two firms Wang registered in Singapore as “shell companies he used to conceal the identity and illegitimate nature of his 911 S5 service and its related proceeds.”

Dozens of his assets and properties may be seized, the DOJ said. They include a Singapore-registered 2022 Ferrari F8 Spider, bank accounts with CIMB Bank, Citibank Singapore, and banks in Thailand, a condominium unit in Angullia Park, and Patek Philippe and Audemars Piguet watches.

The DOJ’s news release praised the collaborative effort of law enforcement agencies across different countries, emphasizing the critical role of global partnerships in disrupting complex cybercrime operations. The investigation is ongoing, and authorities are working to identify and apprehend other individuals involved in the botnet’s operations.
