The Guardian (USA)

Europol and US seize website domains, luxury goods in $6bn cybercrime bust

- Blake Montgomery and agencies

US authorities announced on Thursday that they had dismantled the “world’s largest botnet ever”, allegedly responsible for nearly $6bn in Covid insurance fraud.

The Department of Justice arrested a Chinese national, YunHe Wang, 35, and seized luxury watches, more than 20 properties and a Ferrari. The networks allegedly operated by Wang and others, dubbed “911 S5”, spread ransomware via infected emails from 2014 to 2022. Wang allegedly accrued a fortune of $99m by licensing his malware to other criminals. The network allegedly pulled in $5.9bn in fraudulent unemployment claims from Covid relief programs.

“The conduct alleged here reads like it’s ripped from a screenplay,” said the US assistant secretary for export enforcement at the commerce department, Matthew Axelrod.

Wang faces up to 65 years in prison if convicted on the charges he faces: conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering.

Police coordinated by the European Union’s justice and police agencies likewise called the operation the biggest ever international operation against the lucrative form of cybercrime.

The European Union’s judicial cooperation agency, Eurojust, said on Thursday that police arrested four “high value” suspects, took down more than 100 servers and seized control of more than 2,000 internet domains.

The huge takedown this week, codenamed Endgame, involved coordinated action in Germany, the Netherlands, France, Denmark, Ukraine, the United States and the United Kingdom, Eurojust said. Additionally, three suspects were arrested in Ukraine and one in Armenia. Searches were carried out in Ukraine, Portugal, the Netherlands and Armenia, the EU police agency Europol added.

It is the latest international operation aimed at disrupting malware and ransomware operations. It followed a massive takedown in 2021 of a botnet called Emotet, Eurojust said. A botnet is a network of hijacked computers typically used for malicious activity.

Europol pledged it would not be the last takedown.

“Operation Endgame does not end today. New actions will be announced on the website Operation Endgame,” Europol said in a statement.

Dutch police said that the financial damage inflicted by the network on governments, companies and individual users was estimated to run to hundreds of millions of euros.

“Millions of people are also victims because their systems were infected, making them part of these botnets,” the Dutch statement said.

Eurojust said that one of the main suspects earned cryptocurrency worth at least €69m ($74m) by renting out criminal infrastructure for spreading ransomware.

“The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained,” Europol added.

The operation targeted malware “droppers” called IcedID, Pikabot, Smokeloader, Bumblebee and Trickbot. A dropper is malicious software usually spread in emails containing infected links or in attachments such as shipping invoices or order forms.

“This approach had a global impact on the dropper ecosystem,” Europol said. “The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software.”

Dutch police cautioned that the actions should alert cybercriminals that they can be caught.

“This operation shows that you always leave tracks, nobody is unfindable, even online,” Stan Duijf of the Dutch national police said in a video statement.

The deputy head of Germany’s federal criminal police office, Martina Link, described it as “the biggest international cyber police operation so far”.

“Thanks to intensive international cooperation, it was possible to render six of the biggest malware families harmless,” she said in a statement.

German authorities are seeking the arrest of seven people on suspicion of being members of a criminal organization whose aim was to spread the Trickbot malware. An eighth person is suspected of being one of the ringleaders of the group behind Smokeloader.

Europol said it was adding the eight suspects being sought by Germany to its most-wanted list.

Eurojust, the EU’s judicial cooperation agency, said police arrested four suspects, took down more than 100 servers and seized control of more than 2,000 internet domains. Photograph: Peter Dejong/AP
