The U.S. Department of the Treasury today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one's Web traffic through malware-infected computers around the globe.
KrebsOnSecurity identified one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed ten days later.
The 911 S5 botnet-powered proxy service, circa July 2022.
911's VPN performed largely as advertised for the user - allowing them to surf the web anonymously - but it also quietly turned the user's computer into a traffic relay for paying 911 S5 customers.
In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available.
That included paying affiliates to distribute their proxy software by secretly bundling it with other software.
A cached copy of flashupdate dot net, a pay-per-install affiliate program that incentivized the silent installation of 911's proxy software.
That story named Yunhe Wang from Beijing as the apparent owner or manager of the 911 S5 proxy service.
The sanctions say Jingping Liu was Yunhe Wang's co-conspirator in the laundering of criminally derived proceeds generated from 911 S5, mainly virtual currency.
The government alleges the virtual currencies paid by 911 S5 users were converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Liu.
The third man sanctioned is Yanni Zheng, a Chinese national the U.S. Treasury says acted as an attorney for Wang and his firm - Spicy Code Company Limited - and helped to launder proceeds from the business into real estate holdings.
Ten days after the July 2022 story here on 911 S5, the proxy network abruptly closed up shop, citing a data breach that destroyed key components of its business operations.
In the months that followed, 911 S5 would resurrect itself under a different name: Cloud Router, according to Spur.us, a U.S.-based startup that tracks proxy and VPN services.
In February 2024, Spur published research showing the Cloud Router operators reused many of the same components from 911 S5, making it relatively simple to draw a connection between the two.
The Cloud Router homepage, which according to Spur has been unreachable since this past weekend.
Spur found that Cloud Router was being powered by a new VPN service called PaladinVPN, which made it much more explicit to users that their Internet connections were going to be used to relay traffic for others.
At the time, Spur found Cloud Router had more than 140,000 Internet addresses for rent.
Spur co-founder Riley Kilmer said Cloud Router appears to have suspended or ceased operations sometime this past weekend.
Kilmer said the number of proxies advertised by the service had been trending downwards quite recently before the website suddenly went offline.
This Cyber News was published on krebsonsecurity.com. Publication date: Tue, 28 May 2024 20:45:28 +0000