The U.S. Treasury Department has sanctioned three Chinese nationals and three Thailand-based companies for their involvement in a cybercrime network that allegedly made bomb threats and enabled criminals to steal billions of dollars in COVID-19 pandemic aid from the U.S. government.
Their network was linked to a residential proxy botnet known as “911 S5,” the Treasury Department said in a statement on May 28. The malicious botnet, which compromised about 19 million unique IP addresses, including 613,841 located in the United States, allowed cybercriminals to conceal their digital tracks, enabling them to commit cyber-enabled fraud.
“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats,” Brian Nelson, the Treasury’s under secretary for terrorism and financial intelligence, said in the statement.
“Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors who seek to steal from U.S. taxpayers.”
Cybercriminals submitted “tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government,” according to the Treasury Department.
The IP addresses were also “linked to a series of bomb threats” across the United States in July 2022.
One of the three Chinese nationals sanctioned was Wang Yunhe, 35, who the Treasury Department determined to be the primary administrator of the botnet service.
“A review of records from network infrastructure service providers known to be utilized by 911 S5 and two Virtual Private Networks (VPN) specific to the botnet operation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber to those providers’ services,” the statement said.
The department named Liu Jinping, 58, as Mr. Wang’s co-conspirator in the laundering of criminally derived proceeds, mainly in the form of “virtual currency,” generated from the botnet.
“The virtual currency that 911 S5 users paid to Yunhe Wang [was] converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Jingping Liu,” the statement said. Ms. Liu then used the money in the bank accounts to buy luxury real estate properties for Mr. Wang.
Zheng Yanni, 50, was the third person sanctioned. According to the Justice Department, Mr. Zheng acted as an attorney for Mr. Wang and his company, Spicy Code Company Limited. He also helped to purchase real estate on behalf of Mr. Wang, including a luxury beachfront condominium in Thailand.
Spicy Code Company, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited are the names of the three Thailand-based companies sanctioned, according to the Treasury Department.
As a result of the sanctions, any assets held in the United States in their name are frozen, and U.S. citizens are prohibited from doing business with them.
“The United States will continue to act against cybercriminals who seek to exploit our financial system and defraud U.S. taxpayers.”
