{
	"id": "1e2f0184-b18d-4549-b4f7-52113e83af51",
	"created_at": "2026-04-06T00:13:03.701845Z",
	"updated_at": "2026-04-10T03:21:38.896618Z",
	"deleted_at": null,
	"sha1_hash": "4056bbec0917bb5f13b78129a70d3b5e07060727",
	"title": "Treasury Sanctions a Cybercrime Network Associated with the 911 S5 Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55204,
	"plain_text": "Treasury Sanctions a Cybercrime Network Associated with the 911\r\nS5 Botnet\r\nPublished: 2026-02-13 · Archived: 2026-04-05 13:19:38 UTC\r\nWASHINGTON — Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)\r\ndesignated three individuals, Yunhe Wang, Jingping Liu, and Yanni Zheng, for their activities associated with the\r\nmalicious botnet tied to the residential proxy service known as 911 S5. OFAC also sanctioned three entities—\r\nSpicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—\r\nfor being owned or controlled by Yunhe Wang. \r\n“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling\r\ncybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens\r\nwith bomb threats,” said Under Secretary Brian E. Nelson. “Treasury, in close coordination with our law\r\nenforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other\r\nillicit actors who seek to steal from U.S. taxpayers.”\r\nThe 911 S5 botnet was a malicious service that compromised victim computers and allowed cybercriminals to\r\nproxy their internet connections through these compromised computers. Once a cybercriminal had disguised their\r\ndigital tracks through the 911 S5 botnet, their cybercrimes appeared to trace back to the victim’s computer instead\r\nof their own. The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the\r\nsubmission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic\r\nSecurity Act programs by its users, resulting in the loss of billions of dollars to the U.S. government. The 911 S5\r\nservice enabled users to commit widespread cyber-enabled fraud using compromised victim computers that were\r\nassociated with residential IP addresses. 
The IP addresses compromised by the 911 S5 service were also linked to a\r\nseries of bomb threats made throughout the United States in July 2022.\r\nToday’s action was taken in partnership with the Federal Bureau of Investigation, Defense Criminal Investigative\r\nService, U.S. Department of Commerce’s Office of Export Enforcement, as well as partners in Singapore and\r\nThailand.\r\n911 S5: A KEY RESOURCE FOR CYBERCRIMINALS\r\nCybercriminals covet stolen residential IP addresses to obfuscate malicious activity, particularly when carrying out\r\ncredit card theft. 911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select\r\nthe IP addresses through which they connect to the internet using intermediary, internet-connected computers that\r\nhave been compromised without the computer owners’ knowledge. 911 S5 essentially enables cybercriminals to\r\nconceal their originating location, effectively defeating fraud detection systems.\r\nYunhe Wang is the primary administrator of the 911 S5 service. A review of records from network infrastructure\r\nservice providers known to be utilized by 911 S5 and two Virtual Private Networks (VPN) specific to the botnet\r\noperation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber to those providers’\r\nservices.  \r\nJingping Liu was Yunhe Wang’s co-conspirator in the laundering of criminally derived proceeds generated from\r\n911 S5, mainly virtual currency. The virtual currency that 911 S5 users paid to Yunhe Wang was converted into\r\nU.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Jingping\r\nLiu. 
Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in\r\nher name that were then utilized to purchase luxury real estate properties for Yunhe Wang.\r\nOFAC is designating Yunhe Wang pursuant to section 1(a)(ii)(D) of Executive Order (E.O.) 13694, as amended by\r\nE.O. 13757, for being responsible for or complicit in, or having engaged in, directly or indirectly, a cyber-enabled\r\nactivity identified in section 1(a)(ii)(D) of E.O. 13694, as amended by E.O. 13757.\r\nOFAC is designating Jingping Liu pursuant to E.O. 13694, as amended by E.O. 13757, for having materially\r\nassisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in\r\nsupport of, Yunhe Wang, a person whose property and interests in property are blocked pursuant to E.O. 13694, as\r\namended by E.O. 13757.\r\nYunhe Wang’s luxury properties\r\nToday’s sanctions designations illustrate illicit finance and money-laundering risks associated with the real estate\r\nindustry. The U.S. Department of the Treasury’s 2024 National Money Laundering Risk Assessment warns that\r\npurchases of high-value assets such as real estate through shell companies – particularly when conducted with\r\ncash and no financing – can be an attractive avenue for criminals to launder illegal proceeds while masking their\r\nidentities.\r\nYanni Zheng acted as the power of attorney for Yunhe Wang and his company, Spicy Code Company Limited. In\r\naddition, Yanni Zheng participated in numerous business transactions, made multiple payments, and purchased\r\nreal estate property on behalf of Yunhe Wang, including a luxury beachfront condominium in Thailand. OFAC is\r\ndesignating Yanni Zheng for having acted or purported to act for or on behalf of, directly or indirectly, Yunhe\r\nWang, a person whose property and interests in property are blocked pursuant to E.O. 
13694, as amended by E.O.\r\n13757.\r\nSpicy Code Company Limited was utilized to purchase additional real estate properties by Yunhe Wang. Spicy\r\nCode Company Limited is being designated pursuant to E.O. 13694, as amended by E.O. 13757, for being owned\r\nor controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Yunhe Wang.\r\nTulip Biz Pattaya Group Company Limited and Lily Suites Company Limited were both purchased by Yunhe\r\nWang. Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited are being designated\r\npursuant to E.O. 13694, as amended by E.O. 13757, for being owned or controlled by, or having acted or\r\npurported to act for or on behalf of, directly or indirectly, Yunhe Wang.\r\nThe three individuals sanctioned today are Chinese nationals. All three entities sanctioned today are based in\r\nThailand.\r\nSANCTIONS IMPLICATIONS\r\nAs a result of today’s action, all property and interests in property of the designated individuals and entities that\r\nare in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.\r\nOFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including\r\ntransactions transiting the United States) that involve any property or interests in property of a blocked or\r\ndesignated entity.\r\nIn addition, persons that engage in certain transactions with the entity designated today may themselves be\r\nexposed to designation. \r\nThe power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to\r\nthe SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The\r\nultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. 
For information\r\nconcerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s\r\nFrequently Asked Question 897.  For detailed information on the process to submit a request for removal from an\r\nOFAC sanctions list.\r\nFor information on complying with sanctions applicable to virtual currency, see OFAC’s Sanctions Compliance\r\nGuidance for the Virtual Currency Industry here. \r\nFor more information on the individuals and entities designated today, click here.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy2375",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy2375"
	],
	"report_names": [
		"jy2375"
	],
	"threat_actors": [],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4056bbec0917bb5f13b78129a70d3b5e07060727.pdf",
		"text": "https://archive.orkl.eu/4056bbec0917bb5f13b78129a70d3b5e07060727.txt",
		"img": "https://archive.orkl.eu/4056bbec0917bb5f13b78129a70d3b5e07060727.jpg"
	}
}