The recent imposition of sanctions by the United States government on operators of “free VPN” services highlights the problem of criminal traffic being routed through ordinary users’ personal computers by VPN software. These operators misused the anonymity that VPNs provide to facilitate illegal actions such as hacking, fraud, and the distribution of illicit content. In light of these sanctions, users must be more vigilant in selecting trustworthy VPN service providers to safeguard their online activities. This article explores the implications of the sanctions and emphasizes the significance of cybersecurity in the modern digital landscape.
Uncovering Malicious Botnet Technology
The US Treasury Department has taken action against three Chinese individuals involved in a VPN-powered botnet operation that used over 19 million residential IP addresses to enable cybercriminals to carry out various illicit activities, including COVID-19 relief scams and bomb threats. The operation was run through a residential proxy service known as 911 S5, which offers a pool of IP addresses belonging to regular users for routing internet connections. This practice disguises the origin of a connection, making it appear to come from the residential user.
Research conducted in 2022 by the University of Sherbrooke shed light on the precursor to 911 S5, known as 911[.]re, which operated with 120,000 residential IP addresses. The system was built from two free VPNs, MaskVPN and DewVPN, which not only functioned as legitimate VPN services but also operated as a botnet by turning users’ devices into proxy servers. The infrastructure was deliberately made complex to hinder reverse engineering and detection.
MaskVPN and DewVPN were responsible for linking devices to a server resembling that of traditional VPNs to mask the original IP address and encrypt traffic. Simultaneously, these services established a concealed mechanism that connected to a botnet command-and-control server. This connection allowed the botnet infrastructure to remain active and facilitated the passage of traffic without directly connecting to the infected node. The overall traffic routing occurred through US-based servers to minimize the risk of detection by intrusion detection systems.
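The mechanism described above leaves a footprint on the infected user’s own network: a persistent, regularly re-established control connection to one endpoint, plus outbound connections to many unrelated destinations that are really other people’s relayed traffic. The following detector is an added example written for this article, not code from the researchers, Mandiant, or any 911 S5 analysis. It runs over constructed flow records (TEST-NET addresses, a 300-second heartbeat, and 30 fan-out destinations are all made up), and the thresholds are assumptions a defender would tune to their own baseline.

```python
"""Heuristic detector for a host on a home or office network that behaves
like a residential-proxy exit node. Added example with constructed data;
thresholds are assumptions, not values from any published analysis."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    src: str       # internal host that initiated the connection
    dst: str       # external endpoint it connected to
    dport: int


def beacon_endpoints(host_flows, min_count=6, jitter=0.25):
    """Endpoints the host contacts at near-regular intervals: the kind of
    keep-alive a concealed control channel needs to stay reachable."""
    stamps = defaultdict(list)
    for f in host_flows:
        stamps[(f.dst, f.dport)].append(f.ts)
    hits = []
    for key, ts in stamps.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        # All gaps within +/-jitter of the mean: a scheduler, not a person
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            hits.append(key)
    return hits


def fan_out(host_flows):
    """Distinct external destinations the host itself opened. Relayed
    customer traffic shows up as many unrelated destinations."""
    return len({f.dst for f in host_flows})


def flag_proxy_nodes(flows, min_distinct=20):
    """Combine both signals per host; either alone produces false positives
    (update checks beacon, browsing fans out), together they are unusual."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[f.src].append(f)
    verdicts = {}
    for host, hf in per_host.items():
        beacons = beacon_endpoints(hf)
        distinct = fan_out(hf)
        verdicts[host] = {
            "beacons": beacons,
            "distinct_dsts": distinct,
            "suspect": bool(beacons) and distinct >= min_distinct,
        }
    return verdicts


def sample_flows():
    """Constructed traffic: one host acting as a relay node, one normal host."""
    flows = []
    # 10.0.0.5 keeps a 300-second heartbeat to a single control endpoint ...
    for i in range(8):
        flows.append(Flow(1000 + 300 * i, "10.0.0.5", "203.0.113.10", 443))
    # ... and opens connections to 30 unrelated hosts in the same period
    for i in range(30):
        flows.append(Flow(1010 + 60 * i, "10.0.0.5", f"198.51.100.{i + 1}", 443))
    # 10.0.0.7 browses a handful of sites at irregular times
    for t, d in [(1200, "198.51.100.50"), (1500, "198.51.100.51"),
                 (1590, "198.51.100.50"), (2400, "198.51.100.52")]:
        flows.append(Flow(t, "10.0.0.7", d, 443))
    return flows


if __name__ == "__main__":
    for host, v in flag_proxy_nodes(sample_flows()).items():
        print(host, v)
```

The fan-out count is the part that survives the evasion the article describes: routing the relayed traffic through US-based servers hides it from an intrusion detection system on the far side, but the infected machine still has to open those connections from the user’s own network, where a router or NetFlow export can see them.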
Further investigations led by KrebsOnSecurity identified Yunhe Wang of Beijing as a key figure in registering domains associated with the 911[.]re infrastructure. Wang, along with two other individuals, was sanctioned by the Treasury Department for their involvement in the operation. Additionally, the sanctions extended to three companies based in Thailand that were linked to Wang’s illicit activities, including real estate investments and financial transactions.
The Treasury officials revealed that the 911 S5 botnet consisted of approximately 19 million IP addresses, which were exploited in numerous fraudulent schemes, resulting in significant financial losses and security threats. The sanctions imposed block any assets held by the sanctioned individuals or companies within the US jurisdiction and prohibit any dealings involving these entities. Failure to comply with these restrictions could lead to further legal consequences.
In a related development, researchers from Mandiant, a cybersecurity company owned by Google, highlighted the challenges posed by the use of residential proxy networks, such as operational relay box (ORB) networks, by threat actors associated with China. Because the traffic arrives from ordinary residential addresses, this approach complicates traditional methods of tracking and defending against cyberattacks, requiring a shift towards new strategies to counter these evolving threats effectively.
The recent sanctions and ongoing cybersecurity challenges underscore the critical need for individuals and organizations to prioritize robust security measures and exercise caution when engaging with online services to mitigate the risks posed by malicious actors exploiting technological vulnerabilities.