The US has arrested 35-year-old YunHe Wang, a Chinese national, for distributing free VPN programs that secretly installed malware on millions of Windows PCs. The Justice Department alleges that Wang used the malware to build a massive botnet, granting cybercriminals access for a fee.
Since 2011, Wang allegedly spread MaskVPN, DewVPN, Shine VPN, and ProxyGate, which, while functional, contained backdoors allowing control over infected computers. This botnet, potentially the largest ever, included 19 million IP addresses across nearly 200 countries, with 613,841 in the US.
Wang allegedly monetized the botnet through a proxy service called “911 S5,” launched in 2014. This service enabled cybercriminals to rent IP addresses, disguising their activities and bypassing financial fraud detection systems. The Justice Department estimates that 911 S5 facilitated the theft of billions of dollars from financial institutions and government programs. Notably, 560,000 fraudulent unemployment insurance claims linked to 911 S5 caused over $5.9 billion in losses.
The proxy service remained operational until 2022, when researchers and journalist Brian Krebs linked it to Wang. Despite attempts to restart the service under the name Cloud Router, Wang’s operation generated at least $99 million from 150 servers worldwide.
Wang, who also holds citizenship in Saint Kitts and Nevis and owns US property, faces up to 65 years in prison for charges including computer fraud, money laundering, and wire fraud. The US Treasury Department has sanctioned Wang, his associates, and four companies connected to the 911 S5 botnet.
