Front Page: NCSC-FI
Front Page: NCSC-FI

Information security now!

An SMS scam phishing people’s online bank credentials on the pretext of unpaid fines in Traficom’s name. A police operation discovered over 19 million terminal devices in a closed botnet. The botnet was operated by malware installed on millions of terminal devices around the world. Follow these instructions to make sure your device is not part of the botnet.


Topics covered in this week’s review

  • How to remove botnet malware from your workstation
  • Thousands of scam SMS messages sent in the name of Traficom
  • Sign up for a free information and training webinar: The Digital Europe Programme’s cyber security application process opening in July 2024

How to remove botnet malware from your workstation

Traficom instructed Finnish users to remove the malware running the 911 S5 (911-socks5-proxy) from their workstations. The malware was hidden in various VPN software available free of charge. 

If you have installed any of these free VPN software on your computer, remove the malware.

In May, the US police forces arrested a person who maintained a botnet consisting of 19 million devices. The devices had been hijacked by infecting them with malware. Access to the illegal botnet was sold to criminals, who used other people’s devices and addresses for fraud and other criminal purposes. Thanks to the police operation, the botnet is now in the possession of the authorities.

However, the malware is still installed on millions of workstations around the world. Traficom published instructions for identifying and removing software that contain the malware. 

Link to the article (in Finnish): Thousands of Finnish IP addresses found in the 911 S5 botnet (External link)

Thousands of scam messages about unpaid fines sent in Traficom’s name

Over the last weekend and early this week, the National Cyber Security Centre Finland received dozens of reports of SMS messages sent in the name of Traficom. The messages claimed that the recipient had not paid a fine of EUR 100. These are scam messages and you can delete them.
Do not click on the link in the message. The link to is not a real website of the Finnish Transport and Communications Agency Traficom. The fake website was made to look like an online bank authentication page, with the aim of phishing people’s online bank credentials. If you try to log in to the page with your online bank credentials, the credentials will fall into the hands of criminals. Please contact your bank if you accidentally entered your information on the fake website.

The National Cyber Security Centre Finland has taken measures to remove the phishing website from the internet. However, similar fake websites and addresses may appear in the future.
Traficom issued a statement on the topic on Monday 3 June.  (External link)

Sign up for a free information and training webinar: The Digital Europe Programme’s cyber security application process opening in July 2024

Sign up for a free two-part introduction and application training on the Digital Europe Programme’s cyber security application process on 18 June 2024 at 1–3 p.m. and 28 June 2024 at 9–11 a.m.! The training will be held as a webinar on Teams.

The information and application preparation training (External link)introduces you to the Digital Europe Programme’s cyber security programme application process, to be launched in July 2024, and gives you concrete expert tips and advice for preparing a high-quality application to the Digital Europe Programme. The training is organised by the National Coordination Centre for Cyber Security Research, Development and Innovation (NCC-FI) and Spinverse.

The aim of the training is to help Finnish operators prepare high-quality applications for EU project funding. The training supports the participants’ capacity to repatriate funding in projects that reinforce the competitiveness, security of supply, resilience and availability of the Finnish cyber security sector.

The training is free-of-charge and open to all interested parties.

The webinar is organised in two parts. The following topics will be covered on the first day of training (18 June 2024, 1–3 p.m.):

  • Digital Europe Programme, application process briefing and strategic preparation of applications
  1. Introduction to EU funding, the Digital Europe Programme and application interpretation, the cyber security application process opening in July, supplementary national funding
  2. Strategic preparation of an application: finding and selecting the right application process, creating a concept and consortium

On the second day of the webinar (28 June 2024, 9–11 a.m.), the following topics will be discussed:

  • Writing the DEP application and submitting it in the portal
  1. Application areas, application template and evaluation criteria; writing the application and budgeting
  2. Registering a company/organisation in the Funding & Tenders portal, submitting the application in the portal

More information about the Digital Europe Programme: (External link)

Training participants will have an opportunity to ask questions about the content of the funding application and the application process through chat. The webinar will be held in Finnish. The webinar will not be recorded. 

Sign up by 17 June 2024, 12 p.m., through this link: (External link)

The link to the webinar will be sent by email one day before the webinar.

You are warmly welcome to join us!
Enquiries by email: NCC-FI(at)

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.


Learn how to detect and protect yourself against online scams


This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 17–23 May 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.