US government sanctions massive proxy botnet operation that offered free VPN services


The United States Department of Treasury has sanctioned three Chinese nationals and three of their companies for running a major proxy botnet operation that infected consumer devices with malware and facilitating cybercrime at global scale.

According to the Office of Foreign Assets Control (OFAC), the three individuals are Yunhe Wang, Jingping Liu, and Yanni Zheng, while the companies are called Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited, all owned by Yunhe Wang and registered in Thailand. 

The three set up and operated 911 S5, a massive botnet controlling a residential proxy service known as “911 S5”.

Painful sanctions

A residential proxy botnet is a network of compromised devices, typically PCs, smartphones, and similar, located in residential areas. They are usually hijacked through malware, and controlled to offer other cybercriminals ways to route internet traffic and thus remain anonymous while conducting illegal activities online. 

"These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats," said Under Secretary Brian E. Nelson. "Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors who seek to steal from U.S. taxpayers."

These sanctions mean US companies, banks, and other entities, are not allowed to do business with these people, or these companies. Also, US companies are not allowed to do business with other firms who do service these individuals, so the result can be quite painful for the ones on the receiving end.

Apparently, the three were offering people a free VPN service, which came with a piece of malware that added their devices to the botnet. The botnet was later used by cybercriminals for different things, including bomb threats that were made across the US two years ago, BleepingComputer reported. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.