Chainalysis Assists in Takedown of 911 S5 Botnet, Leading to Major Arrest
The U.S. Department of Justice (DoJ) has announced the arrest of Yunhe Wang, a Chinese national, for his alleged involvement in operating the notorious 911 S5 botnet. This arrest comes as a result of a coordinated effort involving the Defense Department’s Defense Criminal Investigative Service (DCIS), the Federal Bureau of Investigation (FBI), and the Department of Commerce’s Office of Export Enforcement (OEE).
What is the 911 S5 Botnet?
911 S5 was a residential proxy service, sold largely to cybercriminals who paid in cryptocurrencies such as Bitcoin (BTC). Its operators built the botnet by distributing free VPN applications that contained backdoors; those backdoors hijacked the IP addresses of millions of victims worldwide, and the compromised residential IP addresses were then rented out for crimes including financial fraud, identity theft, and child exploitation.
The service voluntarily shut down in July 2022 but kept substantial funds on-chain. Chainalysis says its tools played a central role in the investigation, helping law enforcement identify numerous wallets tied to the botnet's on-chain infrastructure.
Mapping 911 S5’s On-Chain Infrastructure
DCIS agents, using Chainalysis' blockchain analysis tools, started from the set of addresses 911 S5 had used to receive customer payments. Following funds outward from those addresses to others, including deposit addresses at centralized exchanges, let investigators progressively widen their map of the botnet's wallet network.
The investigation uncovered a comprehensive network of wallets associated with 911 S5, including personal wallets, exchange deposit addresses, and cold storage wallets. Notably, a cold storage wallet likely controlled by the 911 S5 team held 4,322.25 BTC, worth approximately $169 million at the time. That wallet had transacted with cryptocurrency mixers and with a Russian bulletproof hosting provider linked to the Dharma and Phobos ransomware strains.
Further analysis showed funds moving from this cold storage wallet to wallets that the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has identified as controlled by Wang. Some of those funds were moved on to a mainstream exchange, but $136.4 million in Bitcoin still sits in Wang's OFAC-flagged wallets.
Advanced Investigative Techniques
Investigators also used data-driven queries to surface 911 S5 addresses that fund-following alone had not revealed. Knowing the pricing tiers of 911 S5's spoofing services, they queried blockchain transaction data for payments whose amounts matched those specific prices. This surfaced a highly active TRON address connected to previously identified 911 S5 exchange deposit addresses, which in turn exposed a new network of wallets associated with the botnet.
The technique shows why investigators need blockchain analysis tools that can query on-chain data at scale, rather than merely following funds from one wallet to the next.
Ongoing Monitoring of 911 S5’s Funds
Wang still controls over $136.4 million in Bitcoin, but because OFAC has published the addresses holding it, law enforcement and blockchain observers can watch for any movement of those funds. The arrest and the investigation behind it mark a significant victory against cybercrime and set a precedent for future blockchain analysis efforts.