
The Treasury sanctions a cybercrime network associated with the 911 S5 botnet

WASHINGTON — Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated three individuals, Yunhe Wang, Jingping Liu, and Yanni Zheng, for their activities associated with the malicious botnet linked to the residential proxy service known as 911 S5. OFAC also sanctioned three entities (Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited) for being owned or controlled by Yunhe Wang.

“These individuals leveraged their malicious botnet technology to compromise personal devices, allowing cybercriminals to fraudulently obtain financial assistance to those in need and terrorize our citizens with bomb threats,” said Deputy Secretary Brian E. Nelson. “Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors seeking to steal from American taxpayers.”

The 911 S5 zombie network was a malicious service that compromised victims’ computers and allowed cybercriminals to use their Internet connections through these compromised computers. Once a cybercriminal had disguised his fingerprints through the 911 S5 botnet, his cybercrimes appeared to trace back to the victim’s computer rather than his own. The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government. The 911 S5 service allowed users to commit widespread cyber fraud using compromised victim computers that were associated with residential IP addresses. The IP addresses compromised by the 911 S5 service were also linked to a series of bomb threats made across the United States in July 2022.

Today’s action was taken in partnership with the Federal Bureau of Investigation, the Defense Criminal Investigative Service, the U.S. Department of Commerce’s Office of Export Control, as well as partners in Singapore and Thailand.

911 S5: A KEY RESOURCE FOR CYBERCRIMINALS

Cybercriminals covet stolen residential IP addresses to hide malicious activity, especially when stealing credit cards. 911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select the IP addresses through which they connect to the Internet, using intermediary Internet-connected computers that have been compromised without the knowledge of the computers’ owners. Basically, 911 S5 allows cybercriminals to hide their origin location, effectively defeating fraud detection systems.

Yunhe Wang is the main administrator of the 911 S5 service. A review of the records of network infrastructure service providers known to use 911 S5 and two virtual private networks (VPNs) specific to the botnet’s operation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber of the services of those providers.

Jingping Liu was Yunhe Wang’s accomplice in laundering proceeds derived from criminal activities generated by the 911 S5, primarily virtual currency. The virtual currency that 911 S5 users paid to Yunhe Wang was converted to US dollars using over-the-counter vendors who transferred and deposited funds into Jingping Liu’s bank accounts. Jingping Liu helped Yunhe Wang launder criminal proceeds through bank accounts in his name that were then used to purchase luxury real estate properties for Yunhe Wang.

OFAC designates Yunhe Wang pursuant to Section 1(a)(ii)(D) of Executive Order (EO) 13694, as amended by EO 13757, for being responsible for, complicit in, or having participated, directly or indirectly, in a cyber activity identified in section 1(a)(ii)(D) of EO 13694, as amended by EO 13757.

OFAC is designating Jingping Liu pursuant to EO 13694, as amended by EO 13757, for having materially assisted, sponsored, or provided financial, material, or technological support, or goods or services to, or in support of, Yunhe Wang, a person whose property and interests in property are blocked pursuant to EO 13694, as amended by EO 13757.

Yunhe Wang’s luxury properties

Today’s sanctions designations illustrate the illicit financing and money laundering risks associated with the real estate industry. The U.S. Treasury Department’s 2024 National Money Laundering Risk Assessment warns that purchases of high-value assets, such as real estate, through shell companies (particularly when made with cash and without financing) can be an attractive avenue for criminals to launder illegal profits while masking their identities.

Yanni Zheng acted as attorney-in-fact for Yunhe Wang and his company, Spicy Code Company Limited. Additionally, Yanni Zheng engaged in numerous business transactions, making multiple payments and purchasing real estate on behalf of Yunhe Wang, including a luxury beachfront condominium in Thailand. OFAC is designating Yanni Zheng as having acted or purported to act for or on behalf of, directly or indirectly, Yunhe Wang, a person whose property and interests in property are blocked pursuant to EO 13694, as amended by EO 13757.

Spicy Code Company Limited was used by Yunhe Wang to purchase additional real estate properties. Spicy Code Company Limited is being designated pursuant to EO 13694, as amended by EO 13757, for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Yunhe Wang.

Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited were both purchased by Yunhe Wang. Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited are designated pursuant to EO 13694, as amended by EO 13757, for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Yunhe Wang.

The three people sanctioned today are Chinese citizens. The three entities sanctioned today are based in Thailand.

IMPLICATIONS OF SANCTIONS

As a result of today’s action, all property and interests in property of designated persons and entities located in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC regulations generally prohibit all transactions by U.S. persons or within the United States (including transactions transiting through the United States) that involve any property or interest in property of a blocked or designated entity.

Additionally, persons who engage in certain transactions with the entities designated today may themselves be exposed to designation.

The power and integrity of OFAC sanctions derives not only from OFAC’s ability to designate and add individuals to the SDN List, but also from its willingness to remove individuals from the SDN List in accordance with law. The ultimate goal of sanctions is not to punish, but to provoke a positive change in behavior. For information about the process for requesting removal from an OFAC list, including the SDN List, see OFAC FAQ 897. For detailed information on the process for submitting a request for removal from an OFAC sanctions list.

For information on sanctions compliance applicable to virtual currency, see OFAC’s Sanctions Compliance Guide for the Virtual Currency Industry here.

For more information on the individuals and entities designated today, click here.

###
