US Department of Justice Dismantles World’s Largest Botnet, Arrests Chinese Ringleader

The U.S. Department of Justice announced on Wednesday (29th) that it had dismantled what may be the “world’s largest botnet” and arrested a Chinese suspect, who had been selling access to the botnet to criminals for profits of nearly $100 million.

According to various media reports, three Chinese nationals were involved in the operation: the ringleader Yunhe Wang, along with Jingping Liu and Yanni Cheng.

Beginning in early 2011, Yunhe Wang and his associates infected numerous users’ devices by distributing VPN applications that carried hidden backdoors (including MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN).

Once users installed these VPN applications, their devices unknowingly became part of the 911 S5 botnet. Through it, criminals could carry out crimes such as bomb threats, financial fraud, identity theft, and child exploitation from the victims’ devices, so that the activity appeared to originate from those devices rather than from the criminals.

From 2014 to 2022, they operated the botnet, named “911 S5”, on approximately 150 dedicated servers worldwide. It compromised over 19 million IP addresses in 190 countries and regions, around 614,000 of them in the United States. Compromised IP addresses from the botnet were involved in a series of bomb threats across the U.S. in July 2022.

Confirmed victims have suffered losses amounting to billions of dollars. In addition, around 560,000 fraudulent unemployment insurance claims were submitted through the botnet to the federal government’s Covid-19 relief program, stealing $5.9 billion.

Ringleader Yunhe Wang sold access to the hijacked proxy IP addresses to cybercriminals, amassing around $99 million, which he spent on luxury cars, watches, real estate, and other assets around the world.

The Department of Justice arrested the 35-year-old ringleader Yunhe Wang. He faces a maximum of 65 years in prison on charges that include conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

The U.S. Office of Foreign Assets Control (OFAC) imposed financial sanctions on the three suspects for their activities related to 911 S5, and also sanctioned three companies owned or controlled by the ringleader.

This operation was a coordinated multi-agency effort involving law enforcement agencies from the U.S., Singapore, Thailand, and Germany. Attorney General Merrick Garland stated in a release that the botnet “facilitated cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and other criminal activities.”

FBI Director Christopher Wray stated in a release that this joint operation “dismantled what could be the world’s largest botnet. We arrested the administrators, seized the infrastructure and assets, and imposed sanctions on the conspirators.”

Matthew S. Axelrod, Assistant Secretary for Export Enforcement at the U.S. Commerce Department’s Bureau of Industry and Security, commented, “The conduct alleged here is like something out of a movie script… What the movie won’t show is the persistent, painstaking efforts of domestic and international law enforcement agencies and industry partners working closely together to foil such brazen schemes.”

The FBI has published a guide to help users identify whether their devices were compromised by 911 S5 and remove the malicious software.
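As an added illustration of the kind of self-check a defender might run, the following PowerShell script sweeps a Windows host for traces of the six VPN brands named above as carriers of the 911 S5 backdoor. It is example code written for this page, not the FBI’s guide and not anything from the article. It assumes a Windows endpoint with PowerShell 5.1 or later, uses only standard cmdlets and the standard Uninstall registry keys, and relies on the heuristic that the installed artifacts carry the brand name in their process, service or installed-program names; the brand list is the one the article gives, and any match is a lead to confirm against the FBI’s own guidance, not a confirmed indicator.

```powershell
# Added example (not from the article or the FBI guide): read-only sweep of a Windows host
# for traces of the VPN brands the article names. Assumptions: Windows, PowerShell 5.1+,
# and that artifacts carry the brand name (a heuristic, not a verified indicator list).

$Brands = @('MaskVPN', 'DewVPN', 'PaladinVPN', 'ProxyGate', 'ShieldVPN', 'ShineVPN')

# Return the first brand whose name appears in the given text, or $null.
function Test-BrandMatch {
    param([string]$Text)
    foreach ($b in $Brands) {
        if ($Text -and ($Text -like "*$b*")) { return $b }
    }
    return $null
}

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Running processes: match on image name or full path.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $hit = Test-BrandMatch -Text $_.ProcessName
    if (-not $hit) { $hit = Test-BrandMatch -Text $_.Path }
    if ($hit) {
        $Findings.Add([pscustomobject]@{ Source = 'Process'; Brand = $hit
            Detail = "$($_.ProcessName) (PID $($_.Id)) $($_.Path)" })
    }
}

# 2. Installed services: match on service name, display name or binary path.
Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | ForEach-Object {
    $hit = Test-BrandMatch -Text ($_.Name + ' ' + $_.DisplayName + ' ' + $_.PathName)
    if ($hit) {
        $Findings.Add([pscustomobject]@{ Source = 'Service'; Brand = $hit
            Detail = "$($_.Name) [$($_.State)] $($_.PathName)" })
    }
}

# 3. Installed programs: the standard Windows Uninstall keys (64-bit, 32-bit and per-user views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue | ForEach-Object {
    $hit = Test-BrandMatch -Text ($_.DisplayName + ' ' + $_.InstallLocation + ' ' + $_.UninstallString)
    if ($hit) {
        $Findings.Add([pscustomobject]@{ Source = 'Installed program'; Brand = $hit
            Detail = "$($_.DisplayName) $($_.InstallLocation)" })
    }
}

# 4. Established outbound TCP connections owned by a flagged process: a device being
#    used as a proxy would show live connections here even when the user is idle.
$FlaggedPids = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { Test-BrandMatch -Text $_.ProcessName } |
    Select-Object -ExpandProperty Id
if ($FlaggedPids) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $FlaggedPids -contains $_.OwningProcess } |
        ForEach-Object {
            $Findings.Add([pscustomobject]@{ Source = 'Connection'; Brand = '(flagged PID)'
                Detail = "PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)" })
        }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No process, service, installed-program or connection matched the listed VPN brands.'
} else {
    $Findings | Format-Table -AutoSize
    Write-Output 'Matches are leads, not proof; verify against the FBI guidance before removing anything.'
}
```

Run it in an elevated PowerShell session so that service binary paths and connection ownership are readable. The script only reads state and never stops or deletes anything; removal steps belong to the FBI guide referenced in the article.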