FBI Dismantles 911 S5 Residential Proxy Botnet and Arrests Alleged Operator
U.S. authorities disrupted the 911 S5 residential proxy service, a botnet-backed platform that allegedly compromised millions of Windows devices and sold their IP addresses as proxies to cybercriminals. The FBI and international partners seized infrastructure tied to the service, while prosecutors charged and arrested the alleged administrator, identified as Chinese national YunHe Wang. According to investigators, the service enabled fraud, bomb threats, child exploitation, harassment, and large-scale financial crime by letting users route malicious traffic through unsuspecting victims’ home internet connections.
The FBI’s IC3 warned that infected devices were commonly enrolled through VPN or pirated software bundles and urged users to scan for malware, remove suspicious applications, and reinstall operating systems if needed. The operation follows a broader U.S. strategy of court-authorized botnet disruption previously used against state-linked infrastructure, including the 2018 takedown of the APT28 router botnet, underscoring continued law-enforcement use of technical and legal measures to seize command infrastructure and cut off criminal proxy networks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
FBI and IC3 publish victim guidance on 911 S5 infections
The FBI and IC3 released public guidance explaining how 911 S5 infected Windows systems and how users could determine whether their devices were affected. The advisory included remediation steps and indicators related to malware linked to the proxy service.
Alleged 911 S5 administrator arrested and charged
Authorities announced the arrest of the alleged administrator of 911 S5 and unsealed charges tied to operating the botnet-backed proxy service. The case alleged the operation generated millions of dollars and enabled a wide range of criminal activity.
Authorities dismantle 911 S5 botnet infrastructure
U.S. authorities, working with international partners, disrupted the 911 S5 botnet and residential proxy infrastructure by seizing domains and servers associated with the service. The action targeted one of the largest known botnets built from infected consumer devices.
911 S5 residential proxy service operates through infected devices
Authorities said the 911 S5 service had for years sold access to residential proxy IP addresses by routing traffic through compromised Windows computers worldwide. The service was allegedly used to facilitate cybercrime including fraud, bomb threats, child exploitation, and sanctions evasion.
FBI warns owners of infected routers in APT28 botnet disruption
The Justice Department announced court-authorized action to disrupt an APT28 botnet made up of infected small office/home office routers and network-attached storage devices. The FBI seized a command-and-control domain and advised device owners to reboot vulnerable equipment to remove malware.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Botnet down and administrator arrested in 911 S5 case, FBI says | The Record from Recorded Future News
therecord.media
Open sourceInternet Crime Complaint Center (IC3) | Guidance on the 911 S5 Residential Proxy Service
ic3.gov
Open sourceOffice of Public Affairs | Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices | United States Department of Justice
justice.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation Lightning Takedown of SocksEscort Residential Proxy Botnet
An international law-enforcement operation dubbed **Operation Lightning** disrupted **SocksEscort**, a paid “residential proxy” service that routed criminal traffic through compromised home/small-business routers and IoT devices to provide anonymity for fraud and other cybercrime. Authorities from the US and multiple European countries (including Austria, France, and the Netherlands), supported by **Europol** and **Eurojust** and assisted by private-sector partners **Lumen’s Black Lotus Labs** and the **Shadowserver Foundation**, reported the botnet had leveraged exploited vulnerabilities in edge devices and was powered by **AVRecon** (Linux) malware. Officials said SocksEscort advertised access to roughly **369,000 IP addresses** since 2020, with Europol stating the infrastructure compromised **369,000+** routers/IoT devices across **163 countries** and offered customers tens of thousands of proxies; reporting also noted that, as of February 2026, the service listed about **8,000 infected routers**, including roughly **2,500 in the United States**. During the coordinated action, authorities **seized 34 domains and 23 servers** across **seven countries**, replaced the service’s website with a seizure notice, and the US froze approximately **$3.5 million in cryptocurrency** tied to the operation; officials also cited the service’s payment platform receiving about **$5.8 million** from customers. SocksEscort was described as enabling a wide range of downstream criminal activity—including large-scale fraud, account takeovers, identity theft, business email compromise, password spraying, and, per Europol, facilitation of **ransomware**, **DDoS**, and distribution of **CSAM**—with US reporting citing specific victim losses (including a **$1M** cryptocurrency theft and additional six-figure fraud impacts). Investigators indicated the seized infrastructure and customer data (reported as roughly **124,000 users**) will be used to pursue follow-on investigations into both operators and customers of the proxy service.
Mar 24, 2026
Dutch Police Takedown Hits 17 Million-Device Botnet Linked to Proxy Abuse
Dutch police and the Netherlands’ National Cyber Security Center disrupted a botnet spanning roughly **17 million infected devices** by taking offline about **200 servers** hosted in the Netherlands. Authorities said the network included compromised computers, mobile phones, IoT devices, and routers, and that the investigation began after a security researcher alerted NCSC-NL. While officials did not publicly name the botnet, reporting tied the infrastructure to **Asocks**, a commercial residential and mobile proxy service, and to prior research on covert proxy enrollment through the **PROXYLIB** library and **LumiApps SDK** ecosystem. The takedown highlights growing abuse of **residential proxy networks**, which can mask malicious traffic behind trusted consumer IP addresses and support operations including **DDoS attacks, spam, credential stuffing, brute-force attacks, click fraud, SMS pumping, phishing, online fraud, and malware delivery**. The action follows broader Dutch enforcement against malicious infrastructure, including the seizure of more than **800 servers** tied to **THE.Hosting**, a Russian-linked bulletproof hosting network associated with scanning, botnet recruitment, cryptomining, credential theft, and exploitation of exposed services; researchers said that operation had limited effect because much of the network’s routed infrastructure remained active across multiple countries.
Jun 1, 2026
Authorities Disrupt Four IoT Botnets Behind 30 Tbps DDoS Attacks
U.S., Canadian, and German authorities disrupted the command-and-control infrastructure of four major IoT botnets — **Aisuru, KimWolf, JackSkid, and Mossad** — that collectively compromised more than **three million** internet-connected devices worldwide. Investigators said the botnets, built largely from vulnerable **DVRs, IP cameras, web cameras, and enterprise Wi‑Fi routers**, were used in hundreds of thousands of distributed denial-of-service attacks, including operations targeting **U.S. Department of Defense** systems, other high-value networks, and critical infrastructure. Officials said the malware networks were capable of generating traffic above **30 Tbps**, with one attack reaching roughly **31.4 Tbps**, placing them among the largest DDoS threats recorded. The operators allegedly ran the infrastructure as a **DDoS-for-hire** service and also used it for extortion, threatening victims with sustained attacks unless they paid. The U.S. action, led by the Defense Criminal Investigative Service with support from the FBI Anchorage Field Office, included seizure warrants for domains and virtual servers, while Germany’s **BKA** and Canada’s **RCMP** carried out parallel enforcement steps. Private-sector partners including **Akamai, AWS, Cloudflare, Team Cymru, and The Shadowserver Foundation** supported the disruption. Authorities said the takedown degraded the botnets’ ability to operate, but warned that the underlying risk remains because millions of infected or insecure devices are still online with weak credentials or outdated firmware.
Mar 25, 2026