Total Tests:
Blog Filters reset x
By Incident
By Jurisdiction
Show More


Legal Advisory
Learn More

Over 100 Servers Worldwide Shutdown In “Largest Ever” Action Against Dropper Malware

Read also: the US dismantles the 911 S5 proxy botnet, a T-Mobile hacker arrested in Turkey, and more.

Thursday, May 30, 2024
Views: 2.8k Read Time: 3 min.

Over 100 Servers Worldwide Shutdown In “Largest Ever” Action Against Dropper Malware

The police shut down over 100 servers involved in the distribution of IcedID, Smokeloader, and other malware

An international police operation has led to the shutdown of more than 100 servers across the world involved in the distribution of well-known malware droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.

The coordinated efforts, involving a coalition of countries, including Denmark, the UK, the US, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine, have resulted in the arrest of four suspects (1 in Armenia and 3 in Ukraine), 16 location searches, and the seizure of over 2,000 domains.

Investigations revealed that one of the main suspects made a lot of money from renting out criminal infrastructure for ransomware deployment, earning at least 69 million euros in cryptocurrency. Legal permission has been secured to seize the assets in future actions.

Additionally, eight individuals linked to the cybercrime activities, are currently fugitives wanted by Germany. Seven identified individuals are suspected of being members of the Trickbot cybercrime ring, and another suspect is allegedly one of the ringleaders of the group behind the Smokeloader malware.

The US dismantles the 911 S5 proxy botnet linked to Covid-19 fraud and bomb threats

The US authorities have dismantled the 911 S5 residential proxy botnet, reportedly used for various cybercrimes and to facilitate bomb threats across the US. The authorities sanctioned three alleged botnet operators, Chinese nationals, named in the indictment as Yunhe Wang, Jingping Liu, and Yanni Zheng. In addition, three entities linked to Yunhe Wang—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—were also sanctioned.

The 911 S5 botnet infected user devices with proxy malware, enabling cybercriminals to route malicious traffic through compromised devices and hide their true locations. The 911 S5 service was shut down in July 2022 after hackers breached the service and leaked user data. However, in February 2024, the botnet made a comeback as CloudRouter.

Yunhe Wang was identified as the primary administrator of the 911 S5 service, while Jingping Liu, a co-conspirator, was responsible for laundering the botnet's proceeds, primarily through virtual currency. The role of the third sanctioned individual, Yanni Zheng, in the operation was not specified in the announcement. Yunhe Wang, a Chinese national and St. Kitts and Nevis citizen-by-investment, was arrested on May 24, 2024, the authorities said.

Due to the sanctions, all property and interests of the designated individuals and entities within the United States or controlled by US persons must be blocked and reported to the Office of Foreign Assets Control (OFAC). The sanctions also forbid US citizens from engaging in transactions with these blocked entities. Additionally, OFAC's regulations warn that those conducting certain transactions with sanctioned parties may themselves be subject to penalties.

Cybersecurity Compliance

Prevent data breaches and meet regulatory requirements

Legal Advisory
Learn More

An American responsible for the 2021 T-Mobile hack arrested in Turkey, faces extradition

Turkish authorities have arrested John Binns, an American man suspected to be behind the 2021 hack of US telecommunications services provider T-Mobile. The man was arrested after a local court approved an extradition request by federal prosecutors in the US.

Binns was indicted on 12 counts related to unauthorized access to computer systems used by T-Mobile back in 2021. Binns had allegedly exploited a security vulnerability to download records connected to tens of millions of T-Mobile’s current and former wireless subscribers.

He then worked with at least four others to sell the customer data through the now-defunct RaidForums marketplace, known for data leaks and hacking activities. Binns allegedly attempted to sell the personal information of over 124 million Americans for the price of six bitcoins.

Binns faces charges including four counts of violating the Computer Fraud and Abuse Act, three counts of wire fraud, two counts of access device fraud, two counts of identity theft, and one count of money laundering.

A man arrested in Japan for creating malware using generative AI

The Tokyo Metropolitan Police Department (TMPD) has arrested a 25-year-old man for allegedly creating malware using freely available generative artificial intelligence (AI) tools. Ryuki Hayashi, from Kawasaki, Kanagawa Prefecture, was taken into custody on suspicion of the unauthorized creation of electronic records.

According to the police, Hayashi has admitted to the allegations, saying that his motivation was to “earn easy money” and that he believed he “could do anything” with the aid of AI.

Hayashi, a former factory worker with no IT expertise, is suspected of creating the malware in March of the previous year by utilizing AI tools to develop ransomware by combining existing malicious software. The police said that the suspect failed to deploy the resulting malware, so no damage was caused.

Hayashi came into sight of law enforcement after he was arrested in March 2024 for allegedly using fake identification to obtain a SIM card registered under someone else's name.

A former nurse gets 24 months in prison for altering digital prescriptions

Kevin N. Ukaegbu, a 31-year-old resident of Pittsburgh, Pennsylvania, the US, has been sentenced to 24 months of imprisonment followed by three years of supervised release for computer fraud.

According to court records, on December 5, 2022, Ukaegbu, a former graduate nurse at Allegheny General Hospital, illegally used the credentials of a Highmark resident physician to attempt to alter prescription medications for two patients. His actions placed one of the patients at significant risk of serious bodily harm.

Fortunately, the altered medications were not administered to either patient. Due to the gravity of the offense, Ukaegbu received the maximum sentence allowed under the guideline range.

ImmuniWeb Newsletter

Get exclusive updates and invitations to our events and webinars:

Private and Confidential Your data will stay private and confidential

What’s next:

Key Dutch has been working in information technology and cybersecurity for over 20 years, starting his first job with Windows 95 and dial-up modems. As the Editor-in-Chief of our Cybercrime Prosecution Weekly blog series, he compiles the most interesting news about police operations against cybercrime, as well as about regulatory actions enforcing data protection and privacy law.
Book a Call Ask a Question
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential