[An energetic track featuring pulsating synthesizers begins.]

Narrator: Downloading pirated content of any kind comes with inherent risks.  

By doing so, you’re not only stealing. You’re also blindly trusting the source—such as a video game developer—not to include malicious code or other digital backdoors that could leave you and your device susceptible to cybercrime. 

The FBI and our partners recently caught bad cyber actors doing just that: using infected video games and software to hijack victims’ machines and commit cybercrimes—and then make it appear as though victims were the ones responsible for that illegal activity. 

On this episode of our podcast, we’ll explain how the 911 S5 residential proxy service and botnet worked and why it was so dangerous.  

We’ll also share guidance for determining if your devices were infected by the malware and, if so, how to remove it from infected machines.  

Finally, we’ll explain how you can seek the Bureau’s help if you’ve been victimized by 911 S5. 
 
This is Inside the FBI. 

[The Inside the FBI jingle kicks in. It's a bright and driving track.]

[The initial energetic track featuring pulsating synthesizers restarts, and repeats until the end of the episode.]

Narrator: According to court documents, YunHe Wang—one of the masterminds behind 911 S5—allegedly distributed his malware in multiple ways.  
 
First, he allegedly used virtual private network (or VPN) programs to connect to the 911 S5 service. The six VPNs were:  

• MaskVPN 
• DewVPN 
• PaladinVPN 
• ProxyGate 
• ShieldVPN; and
• ShineVPN 

He also stands accused of distributing his malware through pay-per-install services. He allegedly did this by bundling the malware with other program files, including pirated versions of licensed software or copyrighted materials—such as video games.

When unsuspecting users downloaded these infected programs or other files, their devices were infected by the 911 S5 malware. As a result, their devices became part of the botnet. 

Wang allegedly managed and controlled about 150 dedicated servers around the globe. He is believed to have used those servers to command and control infected devices, operate the proxy service, and give paying customers access to the hijacked IP addresses.  

After customers paid for a hijacked IP address, Wang then allegedly re-routed customer’s traffic through the victims’ devices. That way, his customers could engage in illegal activity—such as committing cyberattacks, making bomb threats, and engaging in fraud, child exploitation, harassment, and export violations—knowing that the digital breadcrumbs would point back to the IP address of one of the botnet’s victims. In this way, Wang’s victims appeared to be bad actors, while his customers seemingly got away with their crimes.  

The U.S. Department of Justice doesn’t charge people with crimes based on their IP address alone.  An IP address being tied to a crime, though, can lead to search warrants and other investigative steps. 

Wang allegedly administered the 911 S5 proxy service from May 2014 until July 2022. 

911 S5 was likely the largest-ever residential proxy service and botnet. It compromised more than 19 million IP addresses in over 190 countries—including more than half a million IP addresses based in the U.S. The proxy service and botnet also allowed Wang’s customers to steal billions of dollars from financial institutions, credit card issuers, and federal lending programs.  

Wang was arrested for his alleged crimes on May 24. He’s charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, he faces a maximum penalty of 65 years in prison. 

The good news is that here’s an easy way to check your Windows machine to see if you’ve been compromised. Visit fbi.gov/911s5. That’s fbi.gov slash nine, one, one, the letter “s,” and the number 5. 

There, you can find a step-by-step guide to help you determine whether your device has been infected by VPN software that the 911 S5 cybercriminals were using to access victims’ machines. The guide also includes guidance for removing the malicious VPN software from your device. 

Before electing to use this information, users may want to consult with legal counsel and cybersecurity professionals, potentially including an incident response firm if they deem necessary, to explore all options and assist with any remediation efforts to avoid further harm by malicious software applications or botnets. The FBI makes no warranties or representations regarding the efficacy of this information.   

Finally, the webpage includes a link to a simple yes-or-no survey you can use to tell the FBI whether you found one of the malicious VPN applications used by 911 S5 on your device. The survey is anonymous, but the more responses we get, the more we can gauge how widespread the 911 S5 risk really is. 

If you suspect that your device has been infected by 911 S5 malware and is part of the botnet, you should report it to the FBI’s Internet Crime Complaint Center (or IC3). You can do this by visiting ic3.gov and then clicking on “File a Complaint” in the website menu at the top of the screen. Be sure to include as many pertinent details as possible in your complaint.  

Botnets are complex cyber threats, but you can avoid becoming their next victim by taking a few simple steps. 

First, steer clear of websites and advertisements that you don’t trust.  

Next, avoid downloading free or untrusted software—including seemingly “safe” things like virtual private network applications. VPNs do play an important role in securing communications, but like all tools, untrusted VPNs can be weaponized. Likewise, don’t click on pop-up ads from websites you don’t trust, since you can accidentally download and install malware by doing so. 

Thirdly, if an email or other direct message looks suspicious, ignore it—especially if it asks you to open an attachment or click on a link. Cybercriminals commonly use phishing emails to infect devices with malware. 

Fourth, use antivirus software and keep it current, since this kind of application can detect and remove the malware that helps power botnets. 

Lastly, change default administrative passwords for internet-connected devices in your home, such as routers and IP cameras. 

And if you lead cybersecurity for a private or public sector organization, you can protect yourself from botnets by ensuring that your software and systems are up to date, evaluating your institution’s Bring Your Own Device policies, and encouraging your personnel to create strong passwords and use multi-factor authentication. 

Visit ic3.gov to stay on the pulse of internet crime and access timely resources to help protect your digital devices, networks, and wallet from cybercriminals and other scammers. 

You can also visit fbi.gov/cyber to learn more about the FBI Cyber Division’s commitment to collaborating and sharing timely threat intelligence with our partners in the public and private sectors. By working together before cyber crisis strikes, we can better protect our networks and data—and, by extension, our national and economic security.  

This has been another production of Inside the FBI. You can follow us on your favorite podcast player, including Spotify, Apple Podcasts, and YouTube. You can also subscribe to email alerts about new episodes at fbi.gov/podcasts.     

On behalf of the FBI’s Office of Public Affairs, thanks for listening.