Virtual Private Networks (VPNs) have become one of the most popular tools for protecting privacy online. Millions of users install VPN apps to encrypt their internet activity, hide their location, and bypass geographic restrictions. However, not every VPN service is trustworthy. In some cases, a VPN application can secretly misuse your device without your knowledge.
A major cybercrime case revealed how dangerous rogue VPN apps can be. In May 2024, the United States Department of Justice announced that authorities had dismantled an enormous botnet network known as “911 S5.” Investigators described it as possibly the largest botnet ever discovered. The network controlled infected computers across more than 190 countries and compromised systems tied to over 19 million IP addresses.
The case exposed how seemingly harmless VPN applications can quietly convert personal computers into tools used by cybercriminals. Understanding how this scheme worked and learning how to check your own device can help you stay protected.
The Massive 911 S5 Botnet Operation
The criminal infrastructure behind the 911 S5 botnet operated for years before authorities shut it down. Investigators believe the operation generated billions of dollars through various illegal activities over the past decade.
According to law enforcement agencies, the botnet was powered by unsuspecting computer users who had installed certain free VPN applications. Once these apps were installed, the infected devices became part of a global network of residential proxy servers.
A Chinese national identified as YunHe Wang was arrested in connection with the operation. Authorities believe he played a central role in running the proxy service that allowed criminals to use infected computers around the world.
The network had a huge footprint. Of the millions of compromised IP addresses, more than 613,000 were traced back to computers located in the United States.
How Residential Proxy Botnets Work
Residential proxy networks are particularly valuable to cybercriminals. These networks allow attackers to route their internet traffic through ordinary home computers instead of suspicious servers.
When a device becomes part of a residential proxy network, criminals can use that device’s internet connection to hide their true identity and location. Because the traffic appears to originate from a legitimate home IP address, it becomes much harder for security systems to detect malicious behavior.
Cybercriminal groups used the 911 S5 network to carry out a wide range of illegal activities. These included large-scale fraud schemes, cyberattacks, harassment campaigns, and other serious crimes. Investigators also linked the network to pandemic relief fraud and unemployment benefit scams.
In addition to committing crimes directly, the operators made money by selling access to the botnet. Other criminals could rent connections to infected devices, allowing them to disguise their online activity behind thousands of residential IP addresses.
How VPN Apps Became the Entry Point
One of the most troubling aspects of the botnet was how easily it spread. The operators distributed free VPN applications that secretly connected users to the 911 S5 infrastructure.
These apps appeared legitimate and promised users free internet privacy services. In reality, they installed hidden proxy software on victims’ computers.
Once installed, the software allowed third parties to route internet traffic through the infected device without the user realizing it. This meant that someone else could be using the victim’s internet connection for illegal purposes.
In some cases, the VPN applications were not even installed intentionally. The malicious software was bundled with other downloads, including games and utility programs. This allowed the botnet to spread silently across millions of computers.
The FBI’s Warning to Windows Users
Following the takedown of the botnet, the FBI issued a public alert encouraging people to check their devices for suspicious VPN software. The agency warned that many users might not realize they had installed one of the affected applications.
Authorities published a list of VPN programs believed to have been used to recruit devices into the botnet network. These applications include:
MaskVPN
DewVPN
PaladinVPN
ProxyGate
ShieldVPN
ShineVPN
If any of these programs are installed on a Windows computer, users should remove them immediately and verify that no related processes are still running.
Checking Your Computer for Suspicious VPN Software
The first step is to confirm whether one of the listed VPN programs is installed on your system.
Start by opening the Windows Start menu and searching for the system tool labeled “Add or remove programs.” This menu displays a complete list of software currently installed on the computer.
Once the list appears, scroll through the programs and look for the names of any suspicious VPN applications. If one of them appears, click on the application entry.
Windows will then display an option to uninstall the program. Selecting the uninstall option will begin the removal process.
Some VPN apps may also include their own uninstall option inside the Start menu folder associated with the program. If available, this option can also be used to remove the software.
Ensuring the Malicious Program Is No Longer Running
Removing the software from the installed programs list may not always stop all background activity. Some components may still remain active until the associated processes are terminated.
To confirm that no suspicious services are still running, users should open the Windows Task Manager.
This can be done in several ways. One method is pressing the Control, Alt, and Delete keys simultaneously and then selecting Task Manager. Another option is right-clicking the Start menu and choosing Task Manager from the list.
Once the Task Manager window opens, select the Processes tab. This section displays every program currently running on the system.
Look for processes associated with the suspicious VPN programs. Known examples include:
mask_svc.exe linked to MaskVPN
dew_svc.exe linked to DewVPN
pldsvc.exe linked to PaladinVPN
proxygate.exe or cloud.exe linked to ProxyGate
shieldsvc.exe linked to ShieldVPN
shsvc.exe linked to ShineVPN
If any of these processes appear, select the entry and choose the option labeled End task. This stops the process from continuing to run on the computer.
Using Security Software to Scan Your System
Even after uninstalling suspicious software and stopping related processes, it is wise to perform a full malware scan. Security tools can detect hidden components that might still remain on the system.
One option is to use Malwarebytes, which offers both free and premium versions of its security software. The application can perform threat scans to detect malicious files and remove them safely.
After installing the program, open the application dashboard and start a scan. The software will analyze the system for malware and suspicious behavior.
When the scan finishes, a summary report will appear showing whether any threats were detected. If malware is found, the program allows users to quarantine or remove the detected files.
Reviewing the scan report can also help identify previously hidden threats or suspicious activity.
When Additional Help Is Needed
If removing the VPN application and scanning the system does not resolve the issue, further investigation may be necessary. The FBI has published more advanced guidance for users who believe their systems may still be compromised.
In some situations, professional technical support may be required to ensure the device is completely clean. Security experts or trusted support services can assist with deeper system analysis and malware removal.
Regularly updating operating systems, avoiding unknown software downloads, and installing reliable security tools are essential steps for protecting devices from similar threats in the future.
