A global malware network responsible for the theft of $5.9 billion in Covid relief funds and tied to other crimes like child exploitation and bomb threats has been shut down, Department of Justice officials announced Wednesday.
The DOJ arrested 35-year-old YunHe Wang, a Chinese national who was charged with creating the "botnet," a kind of malware that connects a network of hacked devices, which criminals can then use remotely to launch cyberattacks.
Federal Bureau of Investigation Director Christopher Wray said it is "likely the world's largest botnet ever."
From 2014 to 2022, Wang launched and operated the botnet, called "911 S5," from roughly 150 servers worldwide, including some in the U.S., according to the indictment. The botnet hacked into over 19 million IP addresses in nearly 200 countries, the DOJ announcement said. About 614,000 IP addresses were in the U.S., according to the indictment.
The FBI released a how-to guide for users to identify if their devices had been targets of a 911 S5 attack and if so, how to remove the malware.
Wang allegedly sold access to the compromised IP addresses to cybercriminals and amassed at least $99 million, which he used to buy luxury cars, watches and property around the world, the DOJ announcement said.
911 S5 was also used for fraud, stalking, harassment, illegal exportation of goods and other crimes, the DOJ said. In particular, the botnet targeted Covid relief programs and filed an estimated 560,000 false unemployment insurance claims, stealing $5.9 billion.
"The conduct alleged here reads like it's ripped from a screenplay," said Assistant Secretary for Export Enforcement Matthew S. Axelrod of the U.S. Department of Commerce's Bureau of Industry and Security.
"What they don't show in the movies though is the painstaking work it takes by domestic and international law enforcement, working closely with industry partners, to take down such a brazen scheme and make an arrest like this happen," Axelrod added.
The DOJ partnered with the FBI and other law enforcement agencies internationally to dismantle the botnet and arrest Wang.
The arrest comes a day after Treasury Department sanctioned Wang and two others for their alleged involvement with 911 S5. Treasury also imposed sanctions on three companies that Wang owned or controlled: Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.
Wang is facing a maximum 65-year prison sentence with four criminal counts: conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering.
The charges come as U.S. law enforcement agencies try to update protocols to keep up with more sophisticated cybersecurity threats.
In recent years, the U.S. has expressed particular concern for China-backed hackers looking to subvert American infrastructure.
In January, the FBI announced that it had dismantled the Chinese "Volt Typhoon" hacking group, which had been targeting U.S. water plants, electric grids and more.
"Today, and literally every day, they're actively attacking our economic security, engaging in wholesale theft of our innovation, and our personal and corporate data," Wray said at a January hearing.