World's Largest 911 S5 Botnet Taken Down by the US

On Wednesday, the U.S. Department of Justice (DoJ) announced that it had taken down what it called "probably the largest botnet ever seen in history." The botnet comprised 19 million compromised devices that were rented out to other threat actors for use in a variety of illegal activities.

In a significant cybersecurity victory, U.S. authorities, in collaboration with international partners, have successfully dismantled the world's largest botnet, known as the 911 S5 botnet. This extensive network had infected approximately 19 million devices globally, posing a severe threat to cybersecurity and the privacy of individuals and organizations.

Wang was identified as the proprietor of 911 S5 by security journalist Brian Krebs in July 2022, following which it abruptly shut down on July 28, 2022, citing a data breach of its key components. The service, which resurrected under a different brand name CloudRouter, has since ceased operations. According to court documents, Wang and others were alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide. Over 19 million distinct IP addresses were linked to these devices, with 613,841 of those addresses being found in the US. Wang subsequently made millions of dollars by charging fraudsters for the ability to access these compromised IP addresses.

The Operation

  • Scale and Impact: The 911 S5 botnet was responsible for infiltrating devices and establishing a vast network that was used for several malicious activities. This botnet became well-known specifically for its participation in ransomware attacks, data theft, and other online crimes. The FBI claims that during the course of the preceding 18 months, this botnet was involved in over 40 significant ransomware attacks, resulting in damages amounting to hundreds of millions of dollars.
  • Global Collaboration: A well-organized deconstruction operation involved law enforcement agencies from multiple countries, including as the United States, France, Germany, the Netherlands, and the United Kingdom. Finding and taking down the botnet's infrastructure across multiple legal countries required cooperation, which was made possible by this approach.
  • Technical Execution: Traffic from the botnet was redirected to servers under FBI control as part of the operation known as "Duck Hunt." This made it possible for the authorities to instruct the infected devices to uninstall the malware, so eliminating the threat without requiring the victims to take any action. This creative method represented a major development in cyber protection strategies.

Key Statistics and Graphs


  • Infected Devices: The 911 S5 botnet had infected around 19 million devices worldwide. Of these, approximately 200,000 devices were located in the United States alone. This widespread infection highlights the botnet's extensive reach and the scale of the threat it poses​.
  • Financial Impact: The botnet was instrumental in at least 40 ransomware attacks, resulting in financial losses exceeding $58 million over the past 18 months. This figure only accounts for recent activities, with total losses likely being much higher given the botnet's long-standing presence since 2008​.

Statements from Officials

  • FBI Director Christopher Wray: "A wide range of attacks against people and companies around the world were made possible by this botnet, which gave cybercriminals a strong command-and-control infrastructure." Our ability to take it down successfully reflects the strength of our cyber defense capabilities and our dedication to shielding the public from online threats."
  • U.S. Attorney Martin Estrada: Described the dismantling of the botnet as "the most significant technological and financial operation ever led by the Department of Justice against a botnet." He emphasized the importance of international cooperation in combating such pervasive cyber threats​​.


In the continuous fight against cybercrime, the 911 S5 botnet's successful disassembly represents a significant turning point. It demonstrates how well international cooperation and creative technological application can neutralize significant cyberthreats. Going ahead, securing digital infrastructure and shielding people from comparable dangers will need ongoing attention to detail and collaboration.