Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud

Security Reporter

Microsoft's Digital Crimes Unit has dismantled the RedVDS subscription service, a Crimeware-as-a-Service (CaaS) platform that provided threat actors with cheap, disposable virtual computers for orchestrating large-scale fraud. The operation, conducted in coordination with U.S. and U.K. law enforcement, seized the service's infrastructure, which was used to generate an estimated $40 million in fraud losses in the U.S. alone since March 2025.

Microsoft has successfully disrupted a major cybercrime infrastructure operation through coordinated legal action in the United States and the United Kingdom. The target was RedVDS, a subscription-based service that provided criminals with access to disposable virtual computers, enabling fraud at an unprecedented scale and low cost.

For as little as $24 per month, RedVDS offered a turnkey platform for cybercriminals to conduct anonymous operations. "RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable, and difficult to trace," said Steven Masada, assistant general counsel of Microsoft's Digital Crimes Unit. "Since March 2025, RedVDS-enabled activity has driven roughly US $40 million in reported fraud losses in the United States alone."

This case exemplifies the growing professionalization of cybercrime through Crimeware-as-a-Service (CaaS) models. These services have transformed cybercrime from a technically demanding endeavor into an accessible underground economy where even inexperienced actors can launch sophisticated attacks. RedVDS was a prime example of this trend, offering a full suite of tools and infrastructure to enable various criminal activities.

How RedVDS Operated

The service functioned as a hub for purchasing unlicensed Windows-based Remote Desktop Protocol (RDP) servers. Each server provided full administrator control with no usage limits, all accessible through a feature-rich web interface. RedVDS maintained server locations across multiple countries, including Canada, the U.S., France, the Netherlands, Germany, Singapore, and the U.K.

Key features that made the service attractive to criminals included:

  • Reseller Panel: Allowed users to create sub-accounts and grant server management access without sharing the main account credentials
  • Telegram Integration: A bot enabled server management directly from the Telegram messaging app, reducing the need to visit the main website
  • No Activity Logs: The service explicitly did not maintain logs, providing an additional layer of anonymity for users
  • Rapid Provisioning: New servers could be spun up within minutes

The service was first established in 2017 and operated on platforms like Discord, ICQ, and Telegram before launching its website in 2019. Despite its Terms of Service prohibiting phishing, malware distribution, and other illegal activities, the platform was primarily used for these exact purposes.

The Attack Infrastructure

Microsoft tracks the developer and maintainer of RedVDS as Storm-2470. The infrastructure was leveraged by a global network of cybercriminals targeting multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education organizations across the U.S., Canada, U.K., France, Germany, Australia, and other countries with substantial banking infrastructure.

Since September 2025, attacks fueled by RedVDS have compromised or fraudulently accessed more than 191,000 organizations worldwide. The service was frequently paired with generative AI tools to enhance attacks:

  • AI-Powered Targeting: Generative AI helped identify high-value targets more efficiently
  • Enhanced Deception: Attackers used face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals
  • Phishing Lures: Tools like ChatGPT were used to craft convincing phishing messages and gather intelligence about organizational workflows

Technical Implementation

The technical foundation of RedVDS was both sophisticated and cost-effective. All virtual Windows cloud servers were generated from a single Windows Server 2022 image, which was cloned repeatedly without changing the system identity. Every identified instance used the same computer name: WIN-BUNS25TD77J.

The cloning process used Quick Emulator (QEMU) virtualization technology combined with VirtIO drivers. An automated system would copy the master virtual machine image onto a new host whenever a server was ordered via cryptocurrency payment. This approach allowed threat actors to provision fresh RDP hosts within minutes, enabling rapid scaling of operations.

Microsoft discovered that the service used a stolen Windows Eval 2022 license to create these images, which significantly reduced costs and made the service more attractive to criminals.

Toolkit and Capabilities

The provisioned hosts served as platforms for a comprehensive toolkit of malicious and dual-use software:

Mass Email Tools:

  • SuperMailer, UltraMailer, BlueMail, SquadMailer
  • Email Sorter Pro/Ultimate

Email Harvesters:

  • Sky Email Extractor for scraping and validating large email address lists

Privacy and OPSEC Tools:

  • Waterfox, Avast Secure Browser, Norton Private Browser
  • NordVPN, ExpressVPN

Remote Access Tools:

  • AnyDesk

One threat actor attempted to use Microsoft Power Automate (Flow) with Excel to programmatically send emails, though this particular attempt was unsuccessful.

Attack Chain and Objectives

The primary objective of RedVDS-enabled attacks was to conduct Business Email Compromise (BEC) scams. Attackers would:

  1. Research target organizations using the provisioned infrastructure
  2. Stage phishing infrastructure on the disposable servers
  3. Steal credentials and hijack mailboxes
  4. Insert themselves into legitimate email conversations with suppliers
  5. Issue fraudulent invoices to trick targets into transferring funds to mule accounts

Microsoft identified attacks showing thousands of stolen credentials, invoices stolen from target organizations, mass mailers, and phishing kits, indicating widespread use of the platform for coordinated fraud campaigns.

The coordinated legal action by Microsoft's Digital Crimes Unit, in collaboration with U.S. and U.K. law enforcement, resulted in the seizure of the RedVDS infrastructure and the takedown of the redvds[.]com website. This operation demonstrates the increasing effectiveness of public-private partnerships in combating cybercrime.

The disruption of RedVDS represents a significant blow to the cybercrime ecosystem, particularly for BEC operations that rely on readily available, anonymous infrastructure. However, the case also highlights the ongoing challenge of crimeware-as-a-service platforms, which continue to lower the barrier to entry for cybercrime.

Practical Takeaways for Organizations

1. Enhanced Email Security:

  • Implement advanced email filtering that can detect sophisticated phishing attempts
  • Deploy DMARC, SPF, and DKIM to prevent domain spoofing
  • Train employees to recognize BEC attempts, especially those involving urgent payment requests
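The DMARC/SPF/DKIM recommendation above is only effective when the published records actually enforce a policy. The script below is an added example, not code from the article or from Microsoft: it parses SPF and DMARC TXT records, flags the settings that leave a domain spoofable (a softfail or permissive `all`, `p=none`, partial `pct`, an unprotected subdomain policy, missing reporting, too many DNS lookups) and shows a weak record next to its hardened form. The four sample records and the domain `example.com` are constructed; a real check would fetch the TXT records from DNS.

```python
"""Assess SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example (not from the article or from Microsoft). Record syntax
follows RFC 7208 (SPF) and RFC 7489 (DMARC). The sample records at the
bottom are constructed for the reserved domain example.com.
"""
from dataclasses import dataclass, field

# Mechanisms that each cost one DNS lookup (RFC 7208 section 4.6.4); the
# redirect= modifier counts as well and is handled separately below.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


@dataclass
class Assessment:
    record_type: str
    enforcing: bool = False               # True when spoofed mail is rejected or quarantined
    findings: list = field(default_factory=list)


def parse_dmarc_tags(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Report the 'all' qualifier and the DNS-lookup count of an SPF record."""
    result = Assessment("SPF")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        result.findings.append("not an SPF record (missing v=spf1)")
        return result
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    qualifier = all_term.lower() if all_term else None
    if qualifier is None:
        result.findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier == "-all":
        result.enforcing = True
    elif qualifier == "~all":
        result.findings.append("'~all' softfail: spoofed mail is tagged, not rejected")
    else:                                  # +all or ?all
        result.findings.append(f"'{all_term}' lets any host send as this domain")
    lookups = 0
    for term in terms[1:]:
        mech = term.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if mech in SPF_LOOKUP_MECHANISMS or term.lower().startswith("redirect="):
            lookups += 1
    if lookups > 10:
        result.findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return result


def assess_dmarc(record):
    """Report policy, sampling percentage, subdomain policy and reporting of a DMARC record."""
    result = Assessment("DMARC")
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        result.findings.append("not a DMARC record (missing v=DMARC1)")
        return result
    policy = tags.get("p", "none").lower()
    if policy == "reject":
        result.enforcing = True
    elif policy == "quarantine":
        result.enforcing = True
        result.findings.append("p=quarantine: move to p=reject once aggregate reports look clean")
    elif policy == "none":
        result.findings.append("p=none only monitors: spoofed mail is still delivered")
    else:
        result.findings.append(f"unknown policy '{policy}'")
    pct_text = tags.get("pct", "100")
    if not pct_text.isdigit() or int(pct_text) < 100:
        result.enforcing = False
        result.findings.append(f"pct={pct_text}: the policy is applied to only part of failing mail")
    if policy != "none" and tags.get("sp", "").lower() == "none":
        result.findings.append("sp=none: subdomains are left unprotected")
    if "rua" not in tags:
        result.findings.append("no rua= address: aggregate reports are not being collected")
    return result


def report(spf_record, dmarc_record):
    """Assess both records and return them with a single verdict."""
    spf, dmarc = assess_spf(spf_record), assess_dmarc(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "spoof_resistant": spf.enforcing and dmarc.enforcing}


# Constructed sample records for the hypothetical domain example.com.
WEAK_SPF = "v=spf1 include:_spf.example.com ~all"
STRONG_SPF = "v=spf1 include:_spf.example.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf_rec, dmarc_rec in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        r = report(spf_rec, dmarc_rec)
        print(f"[{label}] spoof-resistant={r['spoof_resistant']}")
        for a in (r["spf"], r["dmarc"]):
            for f in a.findings:
                print(f"  {a.record_type}: {f}")
```

The verdict deliberately requires both records to enforce: SPF with `-all` alone does not stop header-From spoofing, and DMARC with `p=reject` alone is only as good as the SPF and DKIM alignment it evaluates. DKIM signing itself lives in separate selector records and is not checked here.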

2. Multi-Factor Authentication (MFA):

  • Enforce MFA on all accounts, particularly email and financial systems
  • Consider phishing-resistant MFA methods like FIDO2 security keys

3. Vendor Verification Processes:

  • Establish strict verification procedures for payment requests and invoice changes
  • Require dual approval for financial transactions above certain thresholds

4. Network Monitoring:

  • Monitor for unusual RDP connections and remote access tool usage
  • Implement network segmentation to limit lateral movement
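The monitoring advice above and the detail in the Technical Implementation section (every RedVDS instance carried the computer name WIN-BUNS25TD77J) can be turned into one concrete hunt. The script below is an added example, not code from the article or from Microsoft: it scans a constructed export of Windows Security logon events (4624 successes and 4625 failures, one JSON object per line, which is an assumption about how a SIEM exports them), flags any event whose client workstation name is the clone hostname from the article, and flags RDP (LogonType 10) logon attempts from addresses outside a constructed allowlist. The sample events, user names and IP ranges are all constructed.

```python
"""Hunt Windows logon events for RDP sources resembling RedVDS hosts.

Added example, not from the article or from Microsoft. The export format
(one JSON object per line with the 4624/4625 field names) and the
allowlist are assumptions. The workstation name in these events is
supplied by the connecting client, so a match is a lead to investigate,
not proof by itself.
"""
import ipaddress
import json

KNOWN_CLONE_HOSTNAME = "WIN-BUNS25TD77J"   # indicator reported in the article
RDP_LOGON_TYPE = 10                        # Windows RemoteInteractive logon
LOGON_EVENT_IDS = {4624, 4625}             # successful and failed logon

# Assumption: RDP is only expected from the internal range.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample export; external addresses are from RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "WorkstationName": "WIN-BUNS25TD77J", "IpAddress": "203.0.113.45", "TimeCreated": "2025-10-02T03:10:01Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "WorkstationName": "WIN-BUNS25TD77J", "IpAddress": "203.0.113.45", "TimeCreated": "2025-10-02T03:14:07Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "asmith", "WorkstationName": "LAPTOP-ASMITH", "IpAddress": "10.0.5.20", "TimeCreated": "2025-10-02T09:01:12Z"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "WorkstationName": "BACKUP01", "IpAddress": "10.0.9.3", "TimeCreated": "2025-10-02T09:02:30Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "mlee", "WorkstationName": "DESKTOP-7Q2", "IpAddress": "198.51.100.8", "TimeCreated": "2025-10-02T11:47:55Z"}
"""


def source_allowed(ip_text, allowed):
    """True when the address parses and falls inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:                     # e.g. "-" when Windows records no address
        return False
    return any(ip in net for net in allowed)


def hunt(events_text, allowed=ALLOWED_RDP_SOURCES):
    """Return one finding per suspicious logon event, with the reasons it was flagged."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") not in LOGON_EVENT_IDS:
            continue
        reasons = []
        if str(ev.get("WorkstationName", "")).upper() == KNOWN_CLONE_HOSTNAME:
            reasons.append("client workstation name matches the RedVDS clone image")
        if ev.get("LogonType") == RDP_LOGON_TYPE and not source_allowed(ev.get("IpAddress", ""), allowed):
            outcome = "successful" if ev["EventID"] == 4624 else "failed"
            reasons.append(f"{outcome} RDP logon from non-allowlisted source {ev.get('IpAddress')}")
        if reasons:
            findings.append({
                "time": ev.get("TimeCreated"),
                "user": ev.get("TargetUserName"),
                "source": ev.get("IpAddress"),
                "workstation": ev.get("WorkstationName"),
                "reasons": reasons,
            })
    return findings


def sources_by_hit_count(findings):
    """Aggregate flagged events per source address so one noisy host stands out."""
    counts = {}
    for f in findings:
        counts[f["source"]] = counts.get(f["source"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['time']} {f['user']}@{f['source']} ({f['workstation']}): " + "; ".join(f["reasons"]))
    print("hits per source:", sources_by_hit_count(results))
```

On the sample data the failed and successful logons from 203.0.113.45 are flagged twice over (known hostname plus external RDP source), while the internal RDP session and the network logon pass. The per-source aggregation is what turns a single hostname indicator into a pivot: once a source is flagged, its other sessions, and any remote access tool installs such as the AnyDesk usage the article mentions, are the next thing to pull.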

5. AI-Enhanced Threat Detection:

  • Consider security solutions that use AI to detect anomalous behavior patterns
  • Stay informed about emerging AI-powered attack techniques

6. Regular Security Assessments:

  • Conduct periodic security audits to identify vulnerabilities
  • Test incident response plans regularly

The RedVDS case serves as a stark reminder that cybercrime has industrialized. Services like RedVDS provide the infrastructure, tools, and anonymity that enable criminals to operate at scale. Organizations must adopt a defense-in-depth strategy that combines technical controls, employee training, and robust verification processes to protect against these evolving threats.

For more information on Microsoft's Digital Crimes Unit and their efforts to combat cybercrime, visit their official page. Organizations looking to improve their security posture can refer to the Microsoft Security Best Practices documentation.
