US Sanctions 3 Chinese Nationals Accused of Malicious Botnet Involvement

The cybercrime network allegedly made bomb threats and enabled criminals to steal billions of dollars.
The Department of Treasury building in Washington, on April 10, 2023. (Madalina Vasiliu/The Epoch Times)
Frank Fang
5/29/2024
Updated: 5/30/2024

The U.S. Treasury Department has sanctioned three Chinese nationals and three Thailand-based companies for their involvement in a cybercrime network that allegedly made bomb threats and enabled criminals to steal billions of dollars in COVID-19 pandemic aid from the U.S. government.

Their network was linked to a residential proxy botnet known as “911 S5,” the Treasury Department said in a statement on May 28. The malicious botnet, which compromised about 19 million unique IP addresses, including 613,841 located in the United States, allowed cybercriminals to conceal their digital tracks, enabling them to commit cyber-enabled fraud.

“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats,” Brian Nelson, the Treasury’s under secretary for terrorism and financial intelligence, said in the statement.

“Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors who seek to steal from U.S. taxpayers.”

Cybercriminals submitted “tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government,” according to the Treasury Department.

The IP addresses were also “linked to a series of bomb threats” across the United States in July 2022.

One of the three Chinese nationals sanctioned was Wang Yunhe, 35, who the Treasury Department determined to be the primary administrator of the botnet service.

“A review of records from network infrastructure service providers known to be utilized by 911 S5 and two Virtual Private Networks (VPN) specific to the botnet operation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber to those providers’ services,” the statement said.

The department named Liu Jinping, 58, as Mr. Wang’s co-conspirator in the laundering of criminally derived proceeds, mainly in the form of “virtual currency,” generated from the botnet.

“The virtual currency that 911 S5 users paid to Yunhe Wang [was] converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Jingping Liu,” the statement said. Ms. Liu then used the money in the bank accounts to buy luxury real estate properties for Mr. Wang.

Zheng Yanni, 50, was the third person sanctioned. According to the Justice Department, Mr. Zheng acted as an attorney for Mr. Wang and his company, Spicy Code Company Limited. He also helped to purchase real estate on behalf of Mr. Wang, including a luxury beachfront condominium in Thailand.

Spicy Code Company, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited are the names of the three Thailand-based companies sanctioned, according to the Treasury Department.

As a result of the sanctions, any assets held in the United States in their name are frozen, and U.S. citizens are prohibited from doing business with them.

“We are taking action today to disrupt these cybercriminals as part of a whole-of-government action and in coordination with international partners,” U.S. State Department spokesperson Matthew Miller said in a statement regarding the sanctions.

“The United States will continue to act against cybercriminals who seek to exploit our financial system and defraud U.S. taxpayers.”

In January, the FBI announced that a multiagency operation had dismantled Volt Typhoon, a major state-sponsored hacking group based in China, which began targeting a wide range of networks across U.S. critical infrastructure in 2021. According to the Justice Department, the Chinese hackers leveraged insecure privately owned routers by infecting them with “KV Botnet” malware to target critical infrastructure organizations in the United States.

Two months later, the Justice Department charged seven Chinese nationals for their alleged involvement in a China-based hacking group that had spent about 14 years targeting U.S. and foreign critics, businesses, and political officials. Two of the seven defendants were sanctioned by the Treasury Department.

Also in March, the Treasury Department announced the first-ever U.S. sanctions against Greece-based spyware vendor Intellexa. The firm’s commercial spyware technology was used to target journalists, dissidents, policy experts, and U.S. officials.

Frank Fang is a Taiwan-based journalist. He covers U.S., China, and Taiwan news. He holds a master's degree in materials science from Tsinghua University in Taiwan.