Two major operations against botnets have been carried out this week, including a U.S. takedown of what the Department of Justice called “likely the world’s largest botnet ever”.

Europol, meanwhile, has carried out what it calls its “largest ever operation against botnets”, arresting four people and taking down 100 servers.

The botnet taken down by the U.S. infected more than 19 million IP addresses, and led to billions of dollars in pandemic and unemployment fraud, along with access to child exploitation materials, harassment, bomb threats, and export violations.

YunHe Wang, 35, a Chinese national and St. Kitts and Nevis citizen-by-investment, has been arrested for deploying malware, and creating and operating a residential proxy service known as 911 S5.

Cybercriminals used proxied IP addresses bought from 911 S5 to conceal their true originating IP addresses and locations, and commit a wide range of offenses.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI director Christopher Wray.

“The 911 S5 botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation.”

Since 2014, 911 S5 has reportedly allowed cybercriminals to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs.

911 S5 customers are also believed to have targeted certain pandemic relief programs. For example, the U.S. estimates that well over half a million fraudulent unemployment insurance claims were made this way, at a cost of more than $5.9 billion. Meanwhile, more than 47,000 Economic Injury Disaster Loan applications are believed to have originated from IP addresses compromised by 911 S5.
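The passages above describe the abuse pattern from the defender's side: fraudulent applications are routed through infected residential machines so that each one appears to come from a different ordinary home connection, which is how a service like this defeats simple IP-based fraud screening. The following is an added illustration, not code from the article or from any of the agencies involved, of two screening signals a benefits or lending platform can still apply: a source IP that falls in a range an analyst has attributed to a proxy service, and a single IP that submits applications for more distinct claimants than a household plausibly contains. The proxy ranges, claim records and the `max_identities_per_ip` threshold are constructed placeholders, not real 911 S5 infrastructure or real claim data.

```python
"""
Added illustration (not from the article): a minimal fraud-screening check
for applications routed through residential proxy exit nodes.
All ranges and records below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: ranges an analyst has attributed to a proxy service.
# Placeholder documentation-range values, not real 911 S5 infrastructure.
KNOWN_PROXY_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed sample claim records: (claim_id, source_ip, claimant_id_hash, state)
CLAIMS = [
    ("c1", "203.0.113.7",  "h-aaa", "CA"),
    ("c2", "203.0.113.9",  "h-bbb", "CA"),
    ("c3", "192.0.2.15",   "h-ccc", "TX"),
    ("c4", "192.0.2.15",   "h-ddd", "TX"),
    ("c5", "192.0.2.15",   "h-eee", "TX"),
    ("c6", "192.0.2.15",   "h-fff", "TX"),
    ("c7", "198.51.100.3", "h-ggg", "NY"),
    ("c8", "10.0.0.5",     "h-hhh", "WA"),
]


def in_proxy_range(ip: str, proxy_ranges=KNOWN_PROXY_RANGES) -> bool:
    """True if the address falls inside any attributed proxy range."""
    addr = ip_address(ip)
    return any(addr in net for net in proxy_ranges)


def screen_claims(claims, proxy_ranges=KNOWN_PROXY_RANGES, max_identities_per_ip=3):
    """Return {claim_id: [reasons]} for claims that deserve manual review.

    Two signals, each independent of the other:
      * the source IP falls in an attributed proxy range;
      * one source IP is used by more distinct claimants than
        max_identities_per_ip (a shared residential exit node).
    Claims with no signal are simply absent from the result.
    """
    # First pass: count distinct claimants seen per source IP.
    identities_by_ip = defaultdict(set)
    for _, ip, ident, _ in claims:
        identities_by_ip[ip].add(ident)

    # Second pass: attach reasons to every claim that trips a signal.
    flagged = {}
    for claim_id, ip, _, _ in claims:
        reasons = []
        if in_proxy_range(ip, proxy_ranges):
            reasons.append("source ip in attributed proxy range")
        if len(identities_by_ip[ip]) > max_identities_per_ip:
            reasons.append(f"{len(identities_by_ip[ip])} distinct claimants from one ip")
        if reasons:
            flagged[claim_id] = reasons
    return flagged


if __name__ == "__main__":
    for claim_id, reasons in screen_claims(CLAIMS).items():
        print(claim_id, "->", "; ".join(reasons))
```

On the constructed data, the two claims from `203.0.113.0/24` and the one from `198.51.100.0/25` are flagged by the range check, the four claims from `192.0.2.15` are flagged because four distinct claimants exceed the threshold, and `c8` passes. The second signal matters because a proxy service's ranges are never fully known in advance; a per-IP identity count catches reuse of an exit node regardless of whether that node has been attributed yet.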

Following the operation, property bought by Wang has been seized, including several luxury cars, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties and 20 domains.

“The conduct alleged here reads like it’s ripped from a screenplay: a scheme to sell access to millions of malware-infected computers worldwide, enabling criminals over the world to steal billions of dollars, transmit bomb threats, and exchange child exploitation materials—then using the scheme’s nearly $100 million in profits to buy luxury cars, watches, and real estate,” said assistant secretary for export enforcement Matthew Axelrod of the U.S. Department of Commerce’s Bureau of Industry and Security.

Meanwhile, over the last few days, Europol’s Operation Endgame has targeted malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot, arresting the ringleaders, dismantling their criminal infrastructure and freezing illegal proceeds. Eight fugitives have been added to Europe’s Most Wanted list.

The malware paved the way for attacks with ransomware and other malicious software, with one of the main suspects netting more than €69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware.

SystemBC facilitated anonymous communication between an infected system and a command-and-control server, while Bumblebee, distributed mainly via phishing campaigns or compromised websites, was designed to enable the delivery and execution of further payloads on compromised systems.

SmokeLoader was mainly used as a downloader to install additional malicious software onto the systems it infected. IcedID, also known as BokBot, was initially categorised as a banking trojan, but has since been expanded to carry out other crimes as well as the theft of financial data.

Pikabot, meanwhile, is a trojan used to get initial access to infected computers, enabling ransomware deployments, remote computer take-over and data theft.

Europol says that Operation Endgame isn’t over, and that new actions will be announced, with more suspects in its sights.
