FBI Stops World's Largest Botnet

00:00

Yun he Wang allegedly the individual

00:02

behind the handle and Alias traffic carb

00:05

or traffic cash has been arrested in

00:08

alleged suspicion of being the

00:09

administrator of the notorious 911 S5

00:13

botn net the inner workings of the botn

00:15

net were that software published by

00:17

traffic carb was in fact malware

00:20

disguised as free virtual private

00:22

networks or VPN these malware scams were

00:25

made free for the public and they

00:27

infected each Windows device that would

00:29

install and use them ultimately that led

00:32

to over 19 million IP addresses being

00:35

part of the botnet all International

00:37

which meant billions of dollars in

00:39

pandemic and unemployment fraud and

00:42

access to child exploitation materials

00:44

by cyber criminals in that Syndicate you

00:47

can read more about it on the

00:48

justice.gov press release but I would

00:51

like to explore and see what other

00:53

chatter is out there out and about

00:55

following this arrest and the 911 S5

00:58

botnet as a whole I'm taking a look at

01:01

discussions across the dark web and to

01:03

do that I'm using flare now full

01:06

disclosure flare is the sponsor of this

01:08

video but I'm sure as you know I'm a

01:10

huge fan of their platform it's

01:12

seriously one of the best ways that you

01:14

and your organization can reduce risk

01:16

from threats ranging from leaked

01:18

credentials to information stealing

01:20

malware logs and manage your exposed

01:23

attack surface anyway let's see what

01:26

cyber criminals are chatting about

01:28

surrounding the 911 S5 botet this one

01:31

includes a link so we can go take a look

01:34

at the source this is a post on

01:37

xs. one of the known Russian hacking

01:39

forums so this isn't a language that I

01:42

can't read but I'll have it funneled

01:44

through Google translate the translation

01:46

might get mixed up and it might not be

01:48

the best English but you can kind of get

01:50

an idea and right away folks are asking

01:53

about what kind of mixer they use and oh

01:55

they hosting provider that's like riding

01:57

their coattails wanting to use whatever

01:59

they did there are about three pages

02:01

worth of discussion here and it's the

02:03

usual thread actor Antics right whatever

02:06

flaming Shenanigans they do and I won't

02:08

drag you down the rabbit hole here but I

02:11

would like to be scrolling through a bit

02:13

just so you get to see it bear in mind

02:15

this is just chatter on xss dois there's

02:18

certainly more in other forums or

02:21

telegram channels telegram is after all

02:24

like social media for cyber crime it's

02:26

the threat actor hangout spot in HQ and

02:29

just so you know how we're tracking all

02:30

this down flare has built their own

02:32

archived copy of the dark web and other

02:35

more questionable elicit websites

02:38

they've ingested over 6,000 telegram

02:41

channels and leaky S3 buckets and GitHub

02:43

repositories and all this wild stuff out

02:46

there on the internet and they've made

02:48

it searchable like Global Universal

02:51

search so you can look through the

02:53

entire historical archive that's updated

02:55

every single day looking through the

02:57

results we can see lots of disc

02:59

discussions around the arrest of the

03:01

alleged botnet administrator and

03:03

remember 911 S5 lured victims by

03:07

offering a free VPN that VPN installed

03:10

malware that added the victim's IP

03:12

address to the botn net at the time of

03:14

the arrest the botnet controlled about

03:18

120,000 residential proxy nodes all

03:21

around the world and each of them

03:23

interacted with several C2 or command

03:25

and control servers located abroad or

03:28

hosted on a Cloud Server

03:30

some of the known malicious vpns were

03:32

called mask VPN or do VPN shine VPN and

03:37

proxygate most were offered for free but

03:40

some cost some coin you can take a look

03:42

at the prices here man look at that

03:44

table that's a business and sales tactic

03:46

right there itemize hey compare and

03:48

contrast side by side what features are

03:51

doing what that is advertising and hey

03:53

cyber crime is an Enterprise and an

03:55

industry maybe you're doing just the

03:56

same thing to land a deal anyway the 911

04:00

S5 botnet was started way back in May

04:03

2014 but was actually taken offline by

04:06

the administrator in July of 2022 but it

04:09

was later revived and rebranded as Cloud

04:13

router in October of 2023 you could

04:15

actually find them online at Cloud

04:19

router. but that has been seized by law

04:22

enforcement and taken down this seizure

04:24

Banner is actually an animated gif that

04:27

Loops through the law enforcement notice

04:29

in in the different appropriate

04:30

languages and the link that they

04:32

reference on the page brings you to the

04:34

FBI notice on this takedown that

04:36

includes the names of some more

04:38

illegitimate and malicious VPN

04:41

applications and look at this the proxy

04:44

back door enabled the 911 S5 botnet

04:47

users to reroute their devices through

04:49

victim devices allowing criminals to

04:52

carry out crimes such as bomb threats

04:55

financial fraud identity theft child

04:57

exploitation and initial ACC brokering

05:00

by using a proxy back door criminals

05:02

made nefarious activity appear as though

05:05

it was coming from the victim's devices

05:08

themselves that's wild the page includes

05:12

some other tactical and technical

05:14

details about finding this malare and if

05:16

you're concerned I'd totally recommend

05:19

taking a look through it but the victims

05:21

that had their infected devices sold as

05:23

nodes were actually advertised in a

05:26

really surprising way cyber crime is a

05:29

business

05:30

after all but traffic carb again the

05:32

handle for the bot net administrator

05:34

here would just blatantly and almost

05:37

desperately sell his Services there are

05:39

some other dark web forums that I

05:41

haven't showcased in a video before like

05:44

no hide anti-chat and wicked fire and we

05:47

can use flare to see some of the

05:49

previous posts from threat carb and his

05:51

associates all on behalf of now Cloud

05:54

router here's a post on no hide selling

05:57

access to the victim machines in the

05:59

botnet to be used as a proxy look at all

06:02

the different SKS you can even get like

06:04

a test package for

06:06

$2 this exact same post was on the

06:09

anti-chat Forum but has since been

06:11

removed I don't know for sure but I'd

06:14

have to take a guess that account may

06:16

have been removed following the arrest

06:18

and all the threads went down with it on

06:21

that note we even see the cloud router

06:23

user post on Wicked fire but he realized

06:26

his own advertising might not have

06:28

followed the forum's community rules so

06:30

he says oh I wasn't supposed to post

06:32

this thread not sure how to delete it

06:35

that page won't even load I guess I

06:37

don't know I suppose Wicked fire is

06:38

changing up their website right now but

06:41

now we can follow through with whatever

06:43

this user account posted across whatever

06:46

Forum by tracking their username with

06:49

Flare they all come from cloud router or

06:52

cloud router. and it's hard to say that

06:54

that's some opsc failure because sure

06:57

it's all the same username and that

06:59

makes it easy for researchers and

07:01

analysts to track down but you got to

07:03

acknowledge that's their business in

07:05

branding all at the same time so what

07:07

about the victims there is some chatter

07:10

on dread the dark web equivalent of

07:12

Reddit where folks discuss that they use

07:15

some of the cloud router provided vpns

07:18

this is as recent as March of this year

07:21

and they say it shares the same user

07:23

interface as 911 granted it's the same

07:25

thing and it doesn't come at a terrible

07:28

price m that is just one individual

07:31

though out of what 19 million IP

07:34

addresses so it's hard to Gro the entire

07:37

impact here but we can get some

07:40

interesting tidbits with Flare noting

07:43

their infected devices or their Steeler

07:45

log section we can track down artifacts

07:48

from affected users that have session

07:50

data for cloud router. here are a couple

07:53

showcases for results in the past month

07:56

but that sort of detail is kind of wild

07:59

all in all I'm glad to see another cyber

08:02

criminal arrested huge props to law

08:04

enforcement for another takedown and

08:06

arrest and I said it before and I'll say

08:08

it over and over and over again don't do

08:10

this stuff don't be a cyber criminal be

08:13

on the good side of cyber security and

08:15

if you're keeping tabs on stuff like

08:17

this then make sure those vpns aren't

08:19

anywhere in your environment and you can

08:21

track a lot of this down with Flare just

08:24

as I've showcased for research but even

08:26

to know your own information exposure

08:29

like in case your employees or you your

08:32

co-workers anything in an organization

08:34

have some artifacts out and about in

08:36

Steeler logs or even like digital

08:39

infrastructure access for sale on the

08:41

dark Li flare has also like dramatically

08:44

simplified their free trial process so

08:46

you can sign up even without a sales

08:49

call with just the link in the video

08:50

description thanks so much for watching

08:52

please do all those YouTube algorithm

08:54

things like comment subscribe and with

08:56

that I'll see you in the next video