Man allegedly behind global malware network denied access to his flash drives
[Image: A screengrab of one of the websites that Wang Yunhe used to sell access to IP addresses. Screengrab: Internet Archive]
SINGAPORE – A Chinese national, who allegedly created malware that compromised millions of residential computers worldwide, was denied access to flash drives said to contain hidden files and “home manuals” that stored cryptocurrency passwords.
Wang Yunhe, 36, who was arrested in Singapore on May 24, 2024,
Following a request from the US authorities, the Singapore Police Force’s (SPF) Commercial Affairs Department had seized a total of 50 items from Wang, including bank cards, mobile phones, a laptop, a CPU and electronic storage devices, such as four flash drives.
In a judgment dated June 30, District Judge Cheng Yuxi said the flash drives seemingly contained simple files. However, they actually contained encrypted hidden volumes with a total of 21 files – duplicated across the flash drives – though only a portion was accessible to investigators.
The files contained screenshots and cryptocurrency wallets that the US authorities suspect were linked to a cluster of deposit addresses holding approximately 2,000 Bitcoins. According to the authorities, Wang had an ulterior motive to gain control of them.
The district judge said there were also files that were deliberately labelled with innocuous-sounding names – such as “Movie2023.6.10th” – and content that appeared harmless like home manuals.
The US authorities suspect these files might contain passwords or seed phrases that Wang planned to use to re-access his cryptocurrency wallets. Seed phrases are sequences of random words that store the data required to access or recover cryptocurrency.
There were also files that allowed the quick, secure and permanent deletion of data from storage devices, Judge Cheng added.
She said that, considering one of the four counts for which the US authorities wanted Wang was money laundering, including through the use of cryptocurrencies, she agreed with the Singapore state’s submissions that it would be very difficult to ascertain what type of information Wang would have access to if he were allowed to review the drives.
She also agreed there was a risk he would be able to corrupt evidence or initiate a cryptocurrency transaction to dissipate assets even before the committal proceedings for extradition, adding that the data could also be deleted.
“This problem was compounded by the fact that the applicant was the only one who knew how to access hidden volumes in the flash drives in the first place, as well as the significance (if any) of unassumingly named files.
“As such, ‘what (might) appear to be innocuous phrases in the files or documents (might) inadvertently reveal hints about a mnemonic phrase, seed phrase, or password’ to access the cryptocurrency accounts,” the judge said, quoting from the affidavit from an SPF officer.
She added that these were not risks that could be ameliorated by imposing conditions on access, such as allowing only Wang’s lawyers to access the flash drives.
Wang, who is represented in Singapore by Mr Suang Wijaya and Mr Ng Yuan Siang from Eugene Thuraisingam LLP, is facing extradition to the US to stand trial in the District Court for the Western District of Washington for conspiracy to commit computer fraud, aiding and abetting computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering.
According to the US extradition request and supporting affidavit, these charges centred on Wang’s alleged development and distribution of malicious software that compromised residential computers and gained unauthorised access to their IP addresses, which were subsequently sold through a residential proxy service known as 911 S5.
Cyber criminals had allegedly utilised this service to connect to the internet through the IP addresses of the compromised computers, effectively concealing their true locations.
The scheme is said to have generated over US$99 million (S$126 million), which was later laundered through various channels, including through cryptocurrency transactions.
In dismissing Wang’s application to access his flash drives, the judge noted that there was evidence of Wang’s history of conduct in protecting his cryptocurrency assets.
For example, Wang’s cousin had admitted in Thailand to the US authorities that Wang had taken steps to protect his cryptocurrency assets previously, including giving instructions to his family members on how to access his assets, decrypt the files, and transfer cryptocurrency if he became unavailable.
Wang had also deleted data from the 911 S5 database server, Skype and other chat logs, in an attempt to hide his actions when an article was published to expose the potential criminality of the service.
The judge said while there was a statutory declaration from Wang’s cousin that was affirmed in China, disavowing the statements he had made in Thailand, it was authenticated only by a notary public and therefore could not be properly admitted as evidence.
Wang had also made other applications to the court that were dismissed.
These included applications for a ruling that his bank cards, electronic devices and flash drives were unlawfully seized, as well as for an order requiring the Singapore state to summon to the committal hearing here all the prosecution witnesses whom the US Department of Justice intends to rely upon in proceedings there.
According to the judgment, Wang continues to be remanded pending the committal hearing to determine whether he should be extradited.


