



WASHINGTON Today, the U.S. Department of Foreign Assets Control (OFAC) designated three individuals, Yunhe Wang, Jingping Liu, and Yanni Zheng, for their activities associated with the malicious botnet linked to the residential proxy service known as 911 S5. OFAC also sanctioned three entities Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited for being owned or controlled by Yunhe Wang.

These individuals leveraged their malicious botnet technology to compromise personal devices, allowing cybercriminals to fraudulently obtain economic relief intended for those in need and terrorize our citizens with bomb threats, said Deputy Secretary Brian E. Nelson. Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors who seek to steal from American taxpayers.

The 911 S5 botnet was a malicious service that compromised victims' computers and allowed cybercriminals to proxy their Internet connections through these compromised computers. Once a cybercriminal had hidden his digital tracks via the 911 S5 botnet, his cybercrimes appeared to trace back to the victim's computer rather than his own. The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to coronavirus aid, relief, and economic security programs by its users, resulting in a loss of billions dollars for the American government. . The 911 S5 service allowed users to commit widespread computer fraud using compromised victim computers associated with residential IP addresses. IP addresses compromised by 911 S5 were also linked to a series of bomb threats made across the United States in July 2022.

Today's action was undertaken in partnership with the Federal Bureau of Investigation, the Defense Criminal Investigative Service, the U.S. Department of Commerce's Bureau of Export Enforcement, as well as partners in Singapore and Thailand.

911 S5: A KEY RESOURCE FOR CYBERCRIMINALS

Cybercriminals covet stolen residential IP addresses to hide malicious activity, especially when stealing credit cards. 911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select the IP addresses through which they connect to the Internet using Internet-connected intermediary computers that have been compromised without the knowledge of computer owners. The 911 S5 essentially allows cybercriminals to disguise their original location, effectively defeating fraud detection systems.

Yunhe Wang is the main administrator of the 911 S5 service. A review of the records of network infrastructure service providers known to be used by the 911 S5 and two virtual private networks (VPNs) specific to the botnet's operation (MaskVPN and DewVPN) showed that Yunhe Wang was the registered subscriber to the services of these suppliers.

Jingping Liu was Yunhe Wang's co-conspirator in laundering criminal proceeds generated by 911 S5, primarily virtual currency. The virtual currency that 911 S5 users paid to Yunhe Wang was converted into US dollars through over-the-counter sellers who wired and deposited funds into bank accounts held by Jingping Liu. Jingping Liu assisted Yunhe Wang by laundering criminal proceeds through bank accounts held in his name which were then used to purchase luxury real estate properties for Yunhe Wang.

OFAC designates Yunhe Wang pursuant to Section 1(a)(ii)(D) of Executive Order (EO) 13694, as amended by EO 13757, for being responsible for or complicit in, or engaging in, directly or indirectly, in a cyber-enabled activity identified in section 1(a)(ii)(D) of EO 13694, as amended by EO 13757.

OFAC designates Jingping Liu pursuant to EO 13694, as amended by EO 13757, for materially assisting, sponsoring, or providing financial, material, or technological support, or goods or services to, or in support of, Yunhe Wang, a person whose property and real estate interests are blocked pursuant to EO 13694, as amended by EO 13757.

Yunhe Wang Luxury Properties

The sanctions imposed today illustrate the illicit financing and money laundering risks associated with the real estate sector. The United States Department of Treasury's 2024 National Money Laundering Risk Assessment warns that purchases of high-value assets such as real estate through shell companies, especially when made in cash and without financing, can provide an attractive way for criminals to launder illegal proceeds while hiding their identity. .

Yanni Zheng acted as agent for Yunhe Wang and his company, Spicy Code Company Limited. Additionally, Yanni Zheng participated in numerous business transactions, made several payments, and purchased real estate in Yunhe Wang's name, including a luxurious beachfront condominium in Thailand. OFAC designates Yanni Zheng for acting or purporting to act for or on behalf of, directly or indirectly, Yunhe Wang, a person whose property and real estate interests are blocked pursuant to EO 13694, as amended by EO 13757.

Spicy Code Company Limited was used to purchase additional real estate properties by Yunhe Wang. Spicy Code Company Limited is designated pursuant to EO 13694, as amended by EO 13757, to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, Yunhe Wang.

Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited were both purchased by Yunhe Wang. Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited are designated pursuant to EO 13694, as amended by EO 13757, as being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Yunhe. Wang.

The three people sanctioned today are Chinese nationals. The three entities sanctioned today are based in Thailand.

IMPLICATIONS OF SANCTIONS

As a result of today's action, all property and interests in property of designated persons and entities that are in the United States or in the possession or control of United States persons must be blocked and reported to the OFAC. OFAC regulations generally prohibit all transactions by U.S. persons or within the United States (including transactions passing through the United States) that involve property or interests in property of a blocked or designated entity.

Additionally, individuals who engage in certain transactions with the designated entity today may themselves be exposed to the designation.

OFAC's sanctions power and integrity derive not only from OFAC's ability to designate and add individuals to the SDN List, but also from its willingness to remove individuals from the SDN List in accordance with the law. The ultimate goal of sanctions is not to punish, but to bring about positive change in behavior. For more information on the process for requesting delisting from an OFAC list, including the SDN list, please refer to OFAC Frequently Asked Questions 897. For detailed information on the process of submitting a request to be removed from an OFAC sanctions list.

For more information on compliance with virtual currency sanctions, see OFAC's Sanctions Compliance Guide for the Virtual Currency Sector here.

For more information on the individuals and entities designated today, click here.

