On May 29, 2024, the US Department of Justice (DOJ) announced it had dismantled what was likely the world’s largest botnet ever. This botnet, called “911 S5,” infected systems at over 19 million IP addresses across more than 190 countries. The main sources of income for the operators, who stole a billions of dollars across a decade, came from committing pandemic and unemployment fraud, and by selling access to child exploitation materials.

The botnet operator generated millions of dollars by offering cybercriminals access to these infected IP addresses. As part of this operation, a Chinese national, YunHe Wang, was arrested. Wang is reportedly the proprietor of the popular service.

Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also called the botnet a residential proxy service. Residential proxy networks allow someone in control to rent out a residential IP address which then can be used as a relay for their internet communications. This allows them to hide their true location behind the residential proxy. Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

To set up this botnet, Wang and his associates provided users with free, illegitimate VPN applications that were created to connect to the 911 S5 service. Unaware of the proxy backdoor, once users downloaded and installed these VPN applications, they unknowingly became part of the 911 S5 botnet.

Sometimes the VPN applications were bundled with games and other software and installed without user consent.

For this reason, the FBI has published a public service announcement (PSA) to help users find out if they have been affected by this botnet.

Users can start by going over this list of malicious VPN applications associated with the 911 S5 botnet:

• MaskVPN
• DewVPN
• PaladinVPN
• ProxyGate
• ShieldVPN
• ShineVPN

If you have one of these VPN applications installed, sometimes you can find an uninstaller located under the Start menu option of the VPN application. If present, you can use that uninstall option.

If the application doesn’t present you with an uninstall option, then follow the steps below to attempt to uninstall the application:

• Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
• Search for the name of the malicious VPN application.
• Once you find the application in the list, click on the application name, and select the “Uninstall” option.

Once you have uninstalled the application, you will want to make sure it’s no longer active. To do that, open the Windows Task manager. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows button) and select the “Task Manager” option.

In Task Manager look under the “Process” tab for the following processes:

• MaskVPN (mask_svc.exe)
• DewVPN (dew_svc.exe)
• PaladinVPN (pldsvc.exe)
• ProxyGate (proxygate.exe, cloud.exe)
• ShieldVPN (shieldsvc.exe)
• ShineVPN (shsvc.exe)

If found, select the service related to one of the identified malicious software applications running in the process tab and select the option “End task” to attempt to stop the process from running.

Or, download Malwarebytes Premium (there is a free trial) and run a scan.

Whether you’re using the free or paid version of the app, you can manually run a scan to check for threats on your device. 

1. Open the app.
2. On the main dashboard, click the Scan button.
3. A progress page appears while the scan runs.
4. After the scan finishes, it displays the Threat scan summary.
   • If the scan detected no threats: Click Done.
   • If the scan detected threats on your device: Review the threats found on your computer. From here, you can manually quarantine threats by selecting a detection and clicking Quarantine.
5. Click View Report or View Scan Report to see a history of prior scans. After viewing the threat report, close the scanner window.

If neither of these options, including the Malwarebytes scan, resolve the problem, the FBI has more elaborate instructions. You can also contact the Malwarebytes Support team to assist you.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

The U.S. Department of Justice (DOJ) today said they arrested the alleged operator of 911 S5, a ten-year-old online anonymity service that was powered by what the director of the FBI called “likely the world’s largest botnet ever.” The arrest coincided with the seizure of the 911 S5 website and supporting infrastructure, which the government says turned computers running various “free VPN” products into Internet traffic relays that facilitated billions of dollars in online fraud and cybercrime.

On May 24, authorities in Singapore arrested the alleged creator and operator of 911 S5, a 35-year-old Chinese national named YunHe Wang. In a statement on his arrest today, the DOJ said 911 S5 enabled cybercriminals to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs.

For example, the government estimates that 560,000 fraudulent unemployment insurance claims originated from compromised Internet addresses, resulting in a confirmed fraudulent loss exceeding $5.9 billion.

“Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5,” the DOJ wrote. “Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5.”

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as “proxies” that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States.

911 S5 built its proxy network mainly by offering “free” virtual private networking (VPN) services. 911’s VPN performed largely as advertised for the user — allowing them to surf the web anonymously — but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers.

911 S5’s reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

KrebsOnSecurity first identified Mr. Wang as the proprietor of the popular service in a deep dive on 911 S5 published in July 2022. That story showed that 911 S5 had a history of paying people to install its software by secretly bundling it with other software — including fake security updates for common programs like Flash Player, and “cracked” or pirated commercial software distributed on file-sharing networks.

Ten days later, 911 S5 closed up shop, claiming it had been hacked. But experts soon tracked the reemergence of the proxy network by another name: Cloud Router.

The announcement of Wang’s arrest came less than 24 hours after the U.S. Department of the Treasury sanctioned Wang and two associates, as well as several companies the men allegedly used to launder the nearly $100 million in proceeds from 911 S5 and Cloud Router customers.

Cloud Router’s homepage now features a notice saying the domain has been seized by the U.S. government. In addition, the DOJ says it worked with authorities in Singapore, Thailand and Germany to search residences tied to the defendant, and seized approximately $30 million in assets.

Those assets included a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, and 21 residential or investment properties.

The government says Wang is charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, he faces a maximum penalty of 65 years in prison.

Brett Leatherman, deputy assistant director of the FBI’s Cyber Division, said the DOJ is working with the Singaporean government on extraditing Wang to face charges in the United States.

Leatherman encouraged Internet users to visit a new FBI webpage that can help people determine whether their computers may be part of the 911 S5 botnet, which the government says spanned more than 19 million individual computers in at least 190 countries.

Leatherman said 911 S5 and Cloud Router used several “free VPN” brands to lure consumers into installing the proxy service, including MaskVPN, DewVPN, PaladinVPN, Proxygate, Shield VPN, and ShineVPN.

“American citizens who didn’t know that their IP space was being utilized to attack US businesses or defraud the U.S. government, they were unaware,” Leatherman said. “But these kind of operations breed that awareness.”