Microsoft, Law Enforcement Disrupt RedVDS Global Cybercrime Service
<p>Microsoft and international law enforcement agencies disrupted the operations of RedVDS, a player in the rapidly expanding cybercrime-as-a-service ecosystem that has been operating since 2019 and since March 2025 has helped threat actors steal $40 million from organizations and individuals in the United States.</p><p>The tech giant and international organizations, including Europol and German authorities, seized RedVDS’ infrastructure and two associated domains that hosted its marketplace and customer portal, according to Steven Masada, assistant general counsel with Microsoft’s Digital Crimes Unit.</p><p>RedVDS provides bad actors with access to virtual dedicated servers (VDS) to run a range of scams, from business email compromise (BEC) and massive phishing campaigns to account takeover and financial fraud schemes. Hackers could pay a $24-a-month subscription to use the disposable virtual computers.</p><p>Masada <a href="https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/" target="_blank" rel="noopener">wrote</a> that the systems “make fraud cheap, scalable, and difficult to trace. 
Services like these have quietly become a driving force behind today’s surge in cyber‑enabled crime, powering attacks that harm individuals, businesses, and communities worldwide.”</p><h3>Bad Actors and Cybercrime-as-a-Service</h3><p>Ransomware-, phishing-, and malware-as-a-service have drastically lowered the financial and technical bar, allowing low-skilled hackers to run vast and sophisticated campaigns by buying or renting the necessary tools and sharing the ill-gotten loot with the technologies’ developers.</p><p>In its 2025 State of the Underground report last year, Bitsight analysts wrote that they detected 384 unique malware variants sold in the top three criminal forums in 2024, a 10% increase from the year before, “signifying an <a href="https://www.bitsight.com/blog/what-is-malware-as-a-service#:~:text=In%20our%202025%20State%20of,smaller%20segment%20focuses%20on%20Android." target="_blank" rel="noopener">expansion in the underground malware marketplace</a>” that is “diverse and evolving.”</p><p>The virtual systems that RedVDS gave subscribers access to ran unlicensed software, including Windows, according to Masada, who added that RedVDS “is frequently paired with generative AI tools that help identify high‑value targets faster and generate more realistic, multimedia message email threads that mimic legitimate correspondences.”</p><p>“In hundreds of cases, Microsoft observed attackers further augment their deception by leveraging face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals and deceive victims,” he wrote.</p><h3>A Lot of Victims, a Lot of Money</h3><p>In one month, more than 2,600 RedVDS virtual servers sent an average of 1 million phishing messages a day to Microsoft customers, and while most were blocked or flagged by the IT company, some likely reached the inboxes of targets. 
Since September 2025, attacks using RedVDS systems have compromised or accessed more than 191,000 organizations around the world.</p><p>Among the victims of threat actors using the virtual servers to run BEC scams are H2-Pharma, a pharmaceutical company in Alabama that lost more than $7.3 million in a scam, and the Gatehouse Dock Condominium Association in Florida, which was taken for almost $500,000.</p><p>Along with BEC campaigns, the RedVDS virtual servers have been heavily used in real estate payment scams, where attackers compromise the accounts of Realtors, escrow agents, and title companies and send emails under their names that include fraudulent payment instructions. Microsoft saw RedVDS-based incidents hitting more than 9,000 customers.</p><p>Other schemes have targeted such sectors as construction, manufacturing, healthcare, education, and legal services, he wrote.</p><p>An incident map by Microsoft showed heavy concentrations of attacks in North America and Europe, as well as other campaigns in Asia, Australia, and parts of Africa, the Middle East, and South America.</p><h3>Tracking Down RedVDS</h3><p>The Microsoft Threat Intelligence team in a <a href="https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/" target="_blank" rel="noopener">separate report</a> wrote that RedVDS has “become a prolific tool for cybercriminals in the past year, facilitating thousands of attacks including credential theft, account takeovers, and mass phishing” and that the researchers “identified attacks showing thousands of stolen credentials, invoices stolen from target organizations, mass mailers, and phish kits.”</p><p>That information revealed that multiple Windows hosts were created from the same base Windows installation. In addition, most of the hosts were built using a single computer ID, which indicated that the same Windows Eval 2022 license was used to create them. 
Using the stolen license helped the RedVDS operator keep its expenses low and provide its services at a lower cost.</p><p>The Microsoft researchers tagged the threat actor that developed and operates RedVDS as Storm-2470. Through the marketplace, cybercriminals can buy unlicensed and inexpensive Windows Remote Desktop Protocol (RDP) servers that provide full administrator control and no limits on use. The Microsoft researchers saw a range of other threat actors that had used the RaccoonO365 phishing service – which Microsoft and Cloudflare <a href="https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/" target="_blank" rel="noopener">shut down</a> in September 2025 – also using RedVDS.</p><h3>Third-Party Hosters Involved</h3><p>To run the RedVDS service, Storm-2470 rented servers from third-party hosting providers in at least five countries – the United States, Canada, the United Kingdom, France, and the Netherlands – and access to the RedVDS servers was through an online portal. Bad actors used cryptocurrency – often Bitcoin – to gain access. Not imposing usage caps or maintaining activity logs helped attract users.</p><p>“Once provisioned, these cloned Windows hosts gave actors a ready‑made platform to research targets, stage phishing infrastructure, steal credentials, hijack mailboxes, and execute impersonation‑based financial fraud with minimal friction,” the researchers wrote. “The uniform, disposable nature of RedVDS servers allowed cybercriminals to rapidly iterate campaigns, automate delivery at scale, and move quickly from initial targeting to financial theft.”</p><p>Microsoft’s Masada wrote that the vendor and law enforcement agencies have more work to do, including disrupting the payment networks used by the RedVDS service. 
In addition, Microsoft – along with H2-Pharma and the Gatehouse Dock Condominium Association – filed lawsuits in the United States and the UK to identify the people behind the operation.</p>