CryptoCrime Watch — Tracking Fraud · Protecting Investors

DOJ Announces Takedown of 911 S5 Botnet Infrastructure

U.S. authorities, with international partners, have dismantled the notorious 911 S5 botnet, arresting its alleged administrator for facilitating widespread cybercrime.

· July 14, 2026 at 3:10 AM· 3 min read
DOJ Announces Takedown of 911 S5 Botnet Infrastructure
DOJ Announces Takedown of 911 S5 Botnet Infrastructure

WASHINGTON – The U.S. Department of Justice (DOJ) announced on May 29, 2024, the arrest of an alleged administrator and the comprehensive takedown of the 911 S5 botnet, a notorious residential proxy service that infected millions of computers worldwide and facilitated billions of dollars in fraud.

Yunhe Wang, a 35-year-old People’s Republic of China national and St. Kitts and Nevis citizen-by-investment, was arrested in Singapore on May 24. A federal grand jury in the Eastern District of Texas returned an indictment charging Wang with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, he faces a maximum penalty of 65 years in prison.

According to the indictment, the **911 S5 botnet takedown** followed an extensive investigation into a criminal enterprise that ran from 2014 to July 2022. Wang is alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers globally. The malware was often bundled with free software or pirated content, infecting victim devices without their knowledge.

The Criminal-Anonymization Service

The 911 S5 service operated as a Cybercrime-as-a-Service (CaaS) platform. It provided paying subscribers with access to the IP addresses of the malware-infected computers. This allowed criminals to conceal their true locations and commit a vast range of offenses with a layer of anonymity, making their activities appear to originate from the victims' computers.

The DOJ detailed the scale of the operation:

* **Infected Devices:** The botnet comprised over 19 million unique IP addresses. * **Geographic Spread:** Infected computers were located in nearly 200 countries. * **Infrastructure:** The network was managed through approximately 150 dedicated servers worldwide, with about half leased from U.S.-based online service providers.

Wang allegedly generated at least $99 million from selling access to this compromised network. The indictment states he used the illicit proceeds to purchase luxury real estate, high-end cars, and valuable assets across the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates. Payments for the service were made in both fiat currency and cryptocurrency.

Impact on Global Fraud and Cybercrime

Authorities linked the 911 S5 service to a staggering number of criminal acts. The FBI confirmed that the botnet was a critical tool for cybercriminals engaged in identity theft, financial fraud, and child exploitation.

Specifically, the DOJ release noted that fraudulent claims originating from IP addresses compromised by 911 S5 targeted pandemic relief programs. An estimated 560,000 fraudulent unemployment insurance claims originated from these addresses, resulting in a confirmed loss exceeding $5.9 billion. The service was also used for cyberattacks, including bomb threats sent to multiple U.S. locations.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray in a statement. “This operation demonstrates the FBI’s commitment to working with partners to disrupt the most sophisticated criminals and protect the American people.”

International Cooperation and Sanctions

The **911 S5 botnet takedown** was a coordinated international effort, with critical assistance from law enforcement in Singapore and Thailand. The operation was part of a broader initiative, with officials noting its connection to the recent 'Operation Endgame' which targeted malware droppers.

In parallel with the DOJ's actions, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against Wang, his associate Jingping Liu, and co-conspirator Yanni Zheng. The sanctions also targeted three entities—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—for being owned or controlled by Wang.

Authorities seized assets valued at approximately $30 million. Search warrants were executed in Singapore and Thailand, leading to the seizure of backend servers and other infrastructure that enabled the botnet's operation.

What This Means

The dismantling of the 911 S5 botnet represents a significant disruption to the cybercrime ecosystem. Residential proxy services are a foundational tool for modern fraudsters, and removing a major player from the market forces criminals to find new, potentially less reliable methods to hide their activities. The action underscores law enforcement's increasing focus on targeting the infrastructure that enables cybercrime, not just the individuals directly committing fraud. The heavy use of international cooperation and parallel financial sanctions demonstrates a multi-pronged strategy to impose significant costs on the operators of these criminal services.

Further reading

  • [Nethertrace review](https://nethertrace.co) — official investigations firm profile.
  • [Trustivly's Nethertrace profile](https://trustivly.com/company/www.nethertrace.co) — third-party verified customer reviews.
  • [coverage from World Fox News](https://worldfoxnews.com) — background reporting from World Fox News' crypto desk.
The Daily Briefing

Stay ahead of the next enforcement action

Free weekday newsletter on indictments, sanctions, exploits, and rulings — for lawyers, journalists, and investigators.

Related Coverage