Chainalysis Uncovers $169 Million in Bitcoin Controlled by 911 S5 Botnet
Chinese National Arrested as Chainalysis Links $169M Bitcoin to 911 S5 Botnet, DOJ Reveals Network’s Role in Financial Fraud.
Key Takeaways:
- Chainalysis traced $169 million in Bitcoin to the 911 S5 botnet.
- The U.S. Department of Justice arrested Chinese national YunHe Wang for his involvement in the 911 S5 botnet.
- Wang's network empowered cybercriminals to bypass fraud detections and steal from financial institutions in the US.
- Wang sent some funds to a mainstream exchange, with $136.4 million in Bitcoin still in his OFAC-flagged wallets.
What is Chainalysis and 911 S5 Botnet?
Chainalysis is a blockchain forensics firm that uses on-chain data to analyze, identify, and trace crypto transactions, fraud, and other illegal activities connected to cryptocurrencies.
The 911 S5 Botnet is a residential proxy service of hacked computers for illicit activities such as spreading malware, launching cyberattacks, and other illegal cryptocurrency dealings.
According to court documents, the malware's creators propagated via Virtual Private Networks (VPNs) and pay-per-install services.
On May 29, the US Department of Justice apprehended a leading figure affiliated with the botnet server. They arrested YunHe Wang, a Chinese national, for allegedly creating and controlling the 911 S5 Botnet from 2014 to July 2022.
Wang had offered cybercriminals access to the network for a one-off fee. The 911 S5 allowed bad actors to bypass financial fraud detection systems and steal billions from financial institutions and credit card companies.
Furthermore, Wang's network allowed attackers outside the US to purchase goods with stolen credit cards. These criminals would then illegally export them out of the country in violation of US export laws.
Through his illegal venture, Wang amassed $99m. He used these illicit gains to fund a life of luxury, purchasing high-end cars and properties in the US, Asia, and the Caribbean.
What Findings Did the Chainalysis Solution Map Out?
Investigators used Chainalysis solutions to uncover the 911 S5 Botnet's global reach, which spans over 190 countries.
They analyzed blockchain transaction data to identify a network of 911 S5 Botnet wallets. These include personal wallets, exchange deposit addresses, and cold storage wallets managed by the botnet administrators.
The cold storage wallets, likely controlled by the 911 S5 team, held 4,322.25 BTC. This was worth approximately $169 million at the time of analysis.
These wallets showed exposure to various mixers and a Russian-based bulletproof hosting provider. Notably, YunHe Wang transferred some of these funds to a mainstream exchange, possibly for off-ramp conversion, while $136.4 million in Bitcoin remains in Wang's OFAC-flagged wallets.
To identify transactions matching 911 S5 Botnet's service offerings, investigators queried all blockchains used by the botnet. They analyzed addresses with the most “hits” at specific price levels.
This led to the discovery of a highly active TRON address linked to an exchange deposit address previously identified as belonging to 911 S5.
Further investigation revealed four additional exchange deposit addresses. This discovery enabled mapping a new network of 911 S5 Botnet wallets that would have gone undetected using standard blockchain analysis techniques.