On May 16, 2024, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated three individuals and three entities associated with the malicious botnet tied to the residential proxy service known as 911 S5. The individuals sanctioned are Yunhe Wang, Jingping Liu, and Yanni Zheng. The entities include Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.
“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats,” stated Under Secretary Brian E. Nelson. “Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors who seek to steal from U.S. taxpayers.”
The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users. This resulted in significant financial losses for the U.S. government. Additionally, the compromised IP addresses were linked to a series of bomb threats made throughout the United States in July 2022.
Today’s actions were coordinated with several agencies including the Federal Bureau of Investigation, Defense Criminal Investigative Service, U.S. Department of Commerce’s Office of Export Enforcement, as well as partners in Singapore and Thailand.
Yunhe Wang is identified as the primary administrator of the 911 S5 service. Records show that he was a registered subscriber to network infrastructure services used by 911 S5 and two VPNs specific to its operation—MaskVPN and DewVPN.
Jingping Liu collaborated with Yunhe Wang in laundering proceeds generated from 911 S5 operations through virtual currency transactions converted into U.S. dollars using over-the-counter vendors.
Yanni Zheng acted on behalf of Yunhe Wang in business transactions and real estate purchases including a luxury beachfront condominium in Thailand.
Spicy Code Company Limited was utilized by Yunhe Wang for purchasing additional real estate properties while Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited were also acquired by him.
As a result of these sanctions, all property within U.S jurisdiction or controlled by U.S persons must be blocked and reported to OFAC. The regulations prohibit dealings involving any property or interests in property of blocked or designated entities.
Persons engaging in certain transactions with these designated entities may also face exposure to sanctions themselves.
For more information on compliance with sanctions applicable to virtual currency or seeking removal from an OFAC list, refer to OFAC’s guidance documents available online.
___
