Investigation Brief 2024 Published 2024 · Investigation Brief

$99M laundered. 19M+ IP addresses compromised.
Sayari traced the botnet operator’s hidden empire.

Chinese cybercriminal Wang Yunhe laundered $99M+ from the 911 S5 botnet – compromising 19M+ IP addresses across 200 countries. Corporate analysis reveals undisclosed Singapore and Thailand holding companies and real estate entities used to conceal luxury asset purchases and global money flows.

CybercrimeMoney LaunderingChinaFinancial Crime

Download this brief

Uncovering Transnational Money Laundering Schemes: The Global Net…

Fill the form above to access the full brief.

In this brief

01 The enforcement action
02 Corporate network mapping
03 Following the money
04 Why this matters

$99M+

Laundered proceeds from the 911 S5 residential proxy botnet operation

19M+

IP addresses compromised across 200 countries by the botnet infrastructure

200

Countries affected by the largest residential proxy botnet ever dismantled

The enforcement action

In 2024, Wang Yunhe was indicted by the U.S. Department of Justice for operating the 911 S5 botnet – the largest residential proxy botnet ever dismantled. The botnet compromised 19M+ IP addresses across 200 countries, enabling cybercrime, fraud, and sanctions evasion on a massive scale. Wang Yunhe allegedly laundered $99M+ in proceeds through a global network of corporate entities and real estate purchases. The DOJ case was significant, but left questions about the full scope of the corporate infrastructure used to move and hide the funds.

Corporate network mapping

Sayari corporate records reveal a network of holding companies, shell entities, and real estate vehicles in Singapore, Thailand, and other jurisdictions – many not disclosed in the DOJ indictment. These entities were used to purchase luxury properties, move funds between jurisdictions, and create layers of corporate distance between the botnet operation and the laundered proceeds. The corporate structures follow patterns commonly associated with professional money laundering – nominee directors, layered holdings, and jurisdictional arbitrage.

Following the money

Analysis of corporate ownership chains and trade records traces the flow of funds from botnet revenue to real estate acquisitions and luxury assets. The investigation reveals how Wang Yunhe used corporate entities across multiple jurisdictions to convert cybercrime proceeds into hard assets – a laundering methodology designed to survive asset seizure by distributing holdings across corporate structures that appear unrelated. Sayari Graph connects these entities through shared ownership, common directors, and financial relationships invisible to single-jurisdiction analysis.

Why this matters

Cybercrime and financial crime are converging. The Wang Yunhe case demonstrates how cyber operations generate proceeds that are laundered through traditional corporate infrastructure – the same companies, jurisdictions, and methods used in sanctions evasion and organized crime. For financial institutions, this means screening customer portfolios against indicators of cybercrime-linked money laundering. For law enforcement, it means using corporate data to identify assets and entities beyond the initial indictment.

How Sayari helps

Sayari’s Commercial World Model covers 10.6B+ primary-source records across 250+ jurisdictions. The platform resolves entity identities, traces ownership chains, and delivers evidence-grade intelligence that enables analysts to conduct investigations like this one at scale – from corporate registries and trade manifests to beneficial ownership records and sanctions lists.

FREQUENTLY ASKED QUESTIONS

Uncovering Transnational Money Laundering Schemes:… FAQ

This investigation brief demonstrates how Sayari’s trade data and corporate records reveal hidden networks related to cybercrime. Using primary-source records across 250+ jurisdictions, Sayari analysts trace corporate ownership, trade flows, and financial relationships to identify entities and connections that standard analysis misses.

Sayari Graph connects corporate registration data across jurisdictions to reveal shared ownership, common directors, and overlapping addresses that link apparently independent entities into coordinated networks. This cross-jurisdictional corporate analysis is essential for investigations involving cybercrime because the entities involved deliberately use multi-jurisdictional structures to obscure their connections.

Sayari investigation briefs draw on the Commercial World Model, which covers 10.6B+ primary-source records including corporate registrations, trade manifests, beneficial ownership filings, intellectual property records, and sanctions lists across 250+ jurisdictions. Every finding is traceable to a primary government or regulatory source.

Complete the form on this page to download the full investigation brief as a PDF. The brief includes detailed analytical methodology, source citations, and network diagrams that demonstrate the full scope of the investigation. For a live demonstration of how Sayari Graph enables these investigations, request a briefing from our analytics team.

Get the intelligence before the enforcement.

Request a briefing from the Sayari analytics team.

Request a briefing Back to reports

$99M laundered. 19M+ IP addresses compromised.Sayari traced the botnet operator’s hidden empire.