US-Led Operation Takes Down World's Largest Botnet

Summary:
A US-led law enforcement operation has dismantled the 911 S5 botnet, believed to be the world's largest. The botnet consisted of millions of compromised residential Windows computers used for cyber-attacks, fraud, child exploitation, and other serious crimes. It included over 19 million unique IP addresses, with 613,841 in the US. Cybercriminals could buy access to these IP addresses for illegal activities. The US Department of Justice announced the arrest of YunHe Wang, a 35-year-old Chinese national, accused of creating and operating the 911 S5 botnet. Wang faces charges of computer fraud, wire fraud, and money laundering, with a potential sentence of up to 65 years if convicted. He allegedly earned approximately $99 million from selling access to hijacked IP addresses from 2018 to 2022.

An indictment revealed that Wang and his associates created and spread malware via VPN programs and pay-per-install services to build the botnet from 2014 to July 2022. Wang controlled about 150 servers worldwide, including 76 in the US, to manage the botnet and provide paying customers access to the compromised IP addresses for various crimes, including cybercrime, fraud, and child exploitation.

Analyst Comment:
The 911 S5 botnet enabled criminals to steal billions from financial institutions and to target COVID-19 relief programs; fraudulent unemployment insurance claims submitted through compromised IP addresses resulted in over $5.9 billion in confirmed losses. The botnet's client interface software, hosted on US-based servers, let international cybercriminals route their traffic through victims' residential IP addresses, for example to purchase goods with stolen credit cards or criminal proceeds while appearing to be an ordinary home user. The US government, working with law enforcement in Singapore, Thailand, and Germany, seized 23 domains and over 70 servers tied to the botnet, which effectively ended Wang's ability to operate it. Authorities also seized assets worth approximately $30 million and identified additional forfeitable property valued at around $30 million.

Suggested Corrections:
Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not support multi-factor authentication or even allow the default username and password to be changed, and cybercriminals will continue to target the ever-growing IoT device market. Note that in this case the compromised devices were ordinary Windows PCs, infected through VPN programs and pay-per-install bundles, so the same caution applies to free or little-known software: an application that is offered for free and needs network access is a common carrier for proxy-botnet malware, and unfamiliar VPN or proxy programs found on a machine should be reviewed and removed.

If IoT devices must be used, place them on a separate network segment (for example a dedicated VLAN or the router's guest network) that cannot initiate connections to sensitive hosts, so that a compromised device cannot reach workstations, file shares, or management interfaces.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network. For a proxy botnet such as 911 S5, whose value to customers is the victim's IP address, the telltale sign is outbound traffic the user did not generate: connections to many unrelated destinations, on ports other than the usual web ports, continuing around the clock rather than only while the machine is in use.
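The following is an added example, not code from the original article or from the investigation: a small heuristic that profiles outbound flows per host and flags hosts whose traffic looks like relayed third-party traffic rather than a person browsing. The log format (ISO timestamp, source IP, destination IP, destination port), the monitored network 192.168.1.0/24, the working-hours window and all thresholds are assumptions made for the example, and the flow records are constructed, not real captures.

```python
"""Heuristic detection of hosts behaving like residential-proxy relays.

Added example; log format, network ranges and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed monitored network


def _build_sample_log():
    """Construct an outbound-flow log (constructed data, not a real capture).

    One flow per line: 'ISO-timestamp src_ip dst_ip dst_port'.
    """
    lines = []
    # Ordinary workstation: a few web destinations, during office hours only.
    for i in range(8):
        lines.append(f"2024-05-29T{9 + i:02d}:15:00 192.168.1.20 203.0.113.{i + 1} 443")
    # Suspect host: many unrelated destinations, mixed ports, around the clock.
    ports = [443, 80, 25, 8080, 993, 22]
    for i in range(48):
        hour = (i * 7) % 24          # spreads evenly over all 24 hours
        minute = (i * 13) % 60
        lines.append(
            f"2024-05-29T{hour:02d}:{minute:02d}:00 192.168.1.37 "
            f"198.51.100.{i + 1} {ports[i % len(ports)]}"
        )
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_flows(text):
    """Parse the assumed log format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def host_features(flows, lan=LAN, work_hours=range(8, 19)):
    """Per source host: distinct external destinations, distinct destination
    ports, and the fraction of connections made outside working hours."""
    dests, ports = defaultdict(set), defaultdict(set)
    total, off_hours = defaultdict(int), defaultdict(int)
    for ts, src, dst, port in flows:
        if ipaddress.ip_address(dst) in lan:
            continue  # internal traffic is not what a proxy relay generates
        dests[src].add(dst)
        ports[src].add(port)
        total[src] += 1
        if ts.hour not in work_hours:
            off_hours[src] += 1
    return {
        h: {
            "destinations": len(dests[h]),
            "ports": len(ports[h]),
            "off_hours_ratio": off_hours[h] / total[h],
        }
        for h in total
    }


def flag_relay_candidates(flows, min_destinations=30, min_ports=3, min_off_hours=0.4):
    """Flag hosts with an unusually wide destination fan-out that also show a
    broad port mix or steady off-hours activity. Thresholds are assumptions
    for this example; in practice they should come from each host's own
    baseline."""
    flagged = {}
    for host, f in host_features(flows).items():
        if f["destinations"] < min_destinations:
            continue
        reasons = [f"{f['destinations']} distinct external destinations"]
        if f["ports"] >= min_ports:
            reasons.append(f"{f['ports']} distinct destination ports")
        if f["off_hours_ratio"] >= min_off_hours:
            reasons.append(f"{f['off_hours_ratio']:.0%} of connections off-hours")
        if len(reasons) > 1:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_relay_candidates(parse_flows(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(reasons))
```

The workstation stays below every threshold (8 destinations, one port, no off-hours traffic), while the suspect host is flagged on all three features. The point of requiring a second signal besides fan-out is to avoid flagging a busy but legitimate machine that simply visits many CDN endpoints on port 443 during the day.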

Link(s):
https://www.infosecurity-magazine.com/news/us-operation-world-largest-botnet/