Why the Singapore arrest of alleged botnet king Wang Yunhe is a major blow to cybercrime

Authorities say Wang ran the “911 S5” botnet, a network of malware-infected computers spread across nearly 200 countries
Cybersecurity experts say his recent arrest in Singapore will deal serious damage to the criminals that used his botnet for child exploitation and financial fraud

Singapore

Jean Iau

Published: 9:37pm, 30 May 2024

Why you can trust SCMP

The arrest in Singapore of 35-year-old Chinese national Wang Yunhe, who officials said ran a massive botnet for nearly a decade, was a major bust that cybersecurity experts say will cause serious damage to other criminal enterprises.

“Bringing down a botnet is a big thing, it means cutting off access to other cybercriminals who would have used this network of zombie residential computers for nefarious purposes,” said David Siah, the executive vice-president for Southeast Asia-Australia at the Centre of Strategic Cyberspace & International Studies think tank.

The United States’ Department of Justice (DOJ) said in a statement on Wednesday that Wang had amassed at least US$99 million in profits by reselling access to criminals who used the botnet for identity theft, child exploitation and financial fraud.

The DOJ quoted FBI Director Christopher Wray as saying on Wednesday that the “911 S5” botnet – a network of malware-infected computers in nearly 200 countries – was likely the world’s largest.

Wang was arrested on May 24 at his residence in Singapore, with help from authorities in the city state, the US, Thailand, and Germany.

The Singapore Police Force said on Thursday night that it and the Attorney General’s Chambers have been working with the DOJ and the FBI since August 2022.

Wong had an employment pass in Singapore from 2022 to 2024.

06:18

‘It’s scary’: Asian cryptocurrency scams bilk tens of thousands of ‘brainwashed’ victims

The DOJ cited an indictment, unsealed on May 24, alleging Wang and associates created and disseminated the malware to compromise and amass a network of millions of residential Windows computers worldwide from 2014 through July 2022.

These devices were associated with more than 19 million unique IP addresses, and Wang generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.

Anthony Lim, a cybersecurity governance and fintech fellow at the Singapore University of Social Sciences, called the discovery of the 19 million compromised IP addresses “huge”.

“It’s 19 million different pieces of equipment. This is surely a big arrest, but unfortunately I think it’s not unique because there have been and probably are other botnets in the world,” he said.

The dismantling of the malware network reinforced the “importance of keeping security protocols and software updated to protect against evolving cyber threats”, said Joanne Wong, interim chief marketing officer at cybersecurity firm LogRhythm.

“The takedown of this botnet underscores the critical need for robust cybersecurity measures and international cooperation.”

Lim explained that the kind of malware used to create these botnets goes into a computer without necessarily causing damage or stealing data. Instead, it takes control of the computer, often without the user’s knowledge, after which it can be used for malicious activities that are managed by a remote server operated by the botnet’s controller.

“The bot infects thousands of computers across geographies, giving the perpetrator a whole interconnected army of computers to manipulate and orchestrate,” said Lim.

“A lot of these victims don’t even know they are involved, it might just be their computers running hot or intermittently slower, or they may be away from their computer, which nowadays we don’t power down,” he added.

Wong said botnet-infected devices can experience reduced performance and increased data usage, and their users could face potential legal ramifications if those machines are traced back to cybercriminals.

She added that the cost for criminals to buy IP addresses illegally from dark web forums or encrypted messaging apps like Telegram varies significantly on the quality, legitimacy and intended use of the domain information.

01:48

Notorious ex-hacker hired by Vietnam’s cybersecurity agency to teach others on dangers of hacking

Siah said that compromised IP addresses are commonly used for distributed denial-of-service (DDoS) attacks, which involves overwhelming a target with massive amounts of traffic to render it inaccessible; spam distribution through sending large volumes of unsolicited emails; and data theft.

They are also used for generating false clicks on online advertisements to generate revenue for the attacker and cryptocurrency mining.

Siah gave the example of the Mirai botnet, which was primarily used for launching DDoS attacks.

It targeted Internet of Things devices, such as cameras and routers, by exploiting default usernames and passwords.

In 2016, the Mirai botnet was used to launch one of the largest DDoS attacks in history, affecting major websites and services like Twitter, Reddit, and Netflix.

To protect computers from malware, the experts recommended keeping software updated, being vigilant about opening unknown emails and links, and downloading antivirus and anti-malware software from reputable companies.

“These tools can detect and remove malicious software that might turn your device into part of a botnet,” said Siah.

The indictment alleged that Wang used the illicitly gained proceeds to purchase property in the US, St Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates.

The indictment identifies dozens of assets and properties subject to forfeiture, including a 2022 Ferrari F8 Spider S-A, over two dozen cryptocurrency wallets and several luxury wristwatches.

The Associated Press reported on Thursday morning that the US is now awaiting Wang’s extradition.

Post