May 31, 2024
SINGAPORE – A 35-year-old Chinese national has been arrested in Singapore for creating and operating malware, which resulted in a network of zombie computers that allowed cyber criminals to steal billions of dollars.
Wang Yunhe was arrested on May 24 in a multi-jurisdiction operation led by the United States Department of Justice (DOJ).
The Singapore Police Force (SPF) was among law enforcement agencies that took part in the international probe.
An SPF spokesman said on May 30 that Washington had made an extradition request for Wang after the arrest. The US has an extradition treaty with Singapore.
The spokesman said: “The Police and Attorney-General’s Chambers have been working with the DOJ and Federal Bureau of Investigation (FBI) since August 2022. On May 24, 2024, the police launched an operation to arrest Wang at his residence.”
In a statement on May 29, the DOJ said Wang had allegedly worked with others between 2014 and July 2022 to create and disseminate the 911 S5 Botnet to millions of home-based Windows computers across the world.
Mr Kevin Reed, chief information security officer at cyber-security firm Acronis, said the “bots” in this case refer to the computers being controlled by the malware. A botnet refers to a network of such computers.
Principal Deputy Assistant Attorney-General Nicole Argentieri, head of the DOJ’s Criminal Division, said Wang allegedly created malware that compromised millions of residential computers around the world, and then sold access to the infected computers to cyber criminals.
“These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyber stalking,” she added.
The DOJ said more than 19 million internet protocol (IP) addresses – unique strings of characters that identify each computer – ended up in the “world’s largest botnet ever”.
“The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft and child exploitation,” said Mr Christopher Wray, director of the FBI.
An archived version of one of the websites selling IP addresses showed that it cost US$28 (S$38) to purchase 150 addresses. Payment could be made through several options, including Bitcoin, Alipay and WeChat Pay.
The most expensive option would cost US$674, and provide access to 9,000 IP addresses, with users able to choose from 190 countries.
Mr Reed said: “In this case of VPN (virtual private network) software being distributed by Wang, it provided an encrypted tunnel for victims by pretending to be a free VPN service.
“But the tunnel also worked in reverse, allowing Wang’s customers to access the internet from the IP addresses of unsuspecting victims.”
He added that this allowed Wang’s customers to bypass geographical restrictions and security checks to commit various acts of fraud.
Ms Joanne Wong, interim chief marketing officer at cyber-security firm LogRhythm, said botnet attacks are disruptive and can cause extensive and severe damage.
Ms Wong said: “Devices can be unknowingly co-opted into a botnet, leading to degraded performance, increased data usage, and potential legal ramifications if those devices are traced back to cyber-criminal activities.”
Botnet attacks, especially distributed denial-of-service (DDoS) attacks, can disrupt critical online services and expose users to elevated risks of phishing and ransomware.
During DDoS attacks, attackers spam servers with internet traffic to prevent users from accessing online services.
Ms Wong added that safeguards against botnets include the adoption of proactive cyber-security measures, including tools with advanced threat detection and analytics capabilities. Maintaining good cyber-security hygiene, such as regularly patching software and implementing strong encryption, authentication and access controls, is essential “to mitigate the risks associated with botnets”, she said.
The DOJ said that Wang, who also holds a St Kitts and Nevis citizenship, allegedly received US$99 million from cyber criminals who tapped his network from 2018 to July 2022.
He used the money to purchase 21 properties across the US, St Kitts and Nevis, Singapore, Thailand, China and the United Arab Emirates.
US court documents showed he resided in the properties he owned in Singapore, Thailand and China, and owned and operated several companies in various jurisdictions.
Records from Singapore’s business registry show that Wang was appointed as director in two active firms on Jan 15, 2022 – Gold Click, a holding company, and Universe Capital Management, a management consultancy firm.
He was also the sole shareholder in Eternal Code, a now-defunct wholesaler of computer software. The company was incorporated on Dec 30, 2020, and struck off the registry on Jan 9, 2023.
Court documents described the firms Wang registered as “shell companies he used to conceal the identity and illegitimate nature of his 911 S5 service and its related proceeds”.
Dozens of his assets and properties may be seized, the DOJ said. They include a Singapore-registered 2022 Ferrari F8 Spider, bank accounts with CIMB Bank, Citibank Singapore and banks in Thailand, a condominium unit in Angullia Park, and Patek Philippe and Audemars Piguet watches.
Pandemic relief programmes
The DOJ said that Wang’s customers had also allegedly targeted Covid-19 relief programmes in the US, resulting in losses of more than US$5.9 billion due to fraudulent claims made from compromised IP addresses.
It added that Wang’s arrest was a multi-agency effort led by law enforcement agencies in the US, Singapore, Thailand and Germany.
They had searched residences and seized assets valued at about US$30 million, and identified more forfeitable property valued at another US$30 million.
Law enforcement agencies also seized 23 internet domains and more than 70 servers located worldwide that functioned as the backbone of Wang’s criminal activities.
The US Treasury Department has also placed Wang on its sanctions list, along with two other Chinese nationals and three Thai-based businesses tied to him.
The two – Liu Jingping and Zheng Yanni – also hold passports from St Kitts and Nevis, both of which were issued on May 13, 2022, according to the department’s specially designated nationals list.
Liu, who is said to be Wang’s co-conspirator in laundering the proceeds from his criminal activities, shares a common address with Wang – the condominium in Angullia Park.
Zheng does not have an address in Singapore, according to the Treasury Department.
In a separate statement, it described Zheng as someone who made several business transactions and purchased real estate property on behalf of Wang.
The three firms linked to Wang are all based in Chonburi, which is south of Thai capital Bangkok.
The Straits Times has contacted the FBI and SPF for more information.
For his alleged crimes, Wang faces a maximum of 65 years in a US prison if convicted on all counts.