Microsoft has taken down RedVDS, a massive cybercrime-as-a-service operation that provided disposable virtual desktops to criminals. The disruption, carried out with Europol and German authorities, is linked to at least $40 million in losses in the U.S. since March 2025.
What Was RedVDS?
- Active since 2019 using domains like redvds[.]com, redvds[.]pro, and vdspanel[.]space.
- Sold Windows cloud servers with admin control and no usage limits for $24/month.
- Customers included multiple threat groups: Storm-0259, Storm-2227, Storm-1575, Storm-1747.
- Operator tracked as Storm-2470, who cloned every VM from a single Windows Server 2022 image, so all of them carried the same default-style computer name (WIN-BUNS25TD77J), a fingerprint shared across the whole fleet.
Criminal Use Cases
- Phishing campaigns: Over 1 million phishing emails/day sent from 2,600 RedVDS VMs.
- Credential theft & account takeovers: Nearly 200,000 Microsoft accounts compromised in 4 months.
- Business email compromise (BEC):
- H2-Pharma lost $7.3M.
- Gatehouse Dock Condominium Association lost $500K.
- Real estate payment diversion scams: Impacted 9,000+ customers in Canada and Australia.
- Fraud infrastructure: Mass-mailing tools, harvesters, privacy utilities, remote access software.
- AI abuse: Criminals used ChatGPT, face-swapping, video manipulation, and voice cloning to craft convincing lures.
Infrastructure
- Servers rented from providers in the U.S., U.K., France, Canada, Netherlands, and Germany.
- Let criminals pick servers geographically close to their victims, so their logins and mail arrived from in-country IPs and passed location-based (geo) filters.
- Payments made via cryptocurrency to maintain anonymity.
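Two of the points above translate directly into detection logic: the shared computer name left by the cloned image, and the fact that an in-country hosting IP sails through a country-only filter. The following Python triage script is an added example, not code from the article or from Microsoft. It assumes the client-reported device name is available in a sign-in record (the page does not say where the fingerprint was observed), and the hosting-provider prefixes and sign-in records are constructed placeholders; in practice the ranges would come from ASN/whois data.

```python
"""Triage sign-in records for two RedVDS-style signals: the shared cloned-image
computer name and hosting-provider source IPs that defeat country-only filtering.
Added example; the records and address ranges are constructed, not real data."""
import ipaddress
from dataclasses import dataclass

# Computer name reported for Storm-2470's cloned VMs (from the article).
CLONED_HOSTNAME = "WIN-BUNS25TD77J"

# Hypothetical hosting-provider prefixes (RFC 5737 documentation ranges);
# populate from ASN/whois data for real providers.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]


@dataclass
class SignIn:
    user: str
    src_ip: str
    src_country: str      # geolocation of src_ip
    home_country: str     # country the account normally signs in from
    device_name: str      # device name reported by the client (assumed available)


def is_hosting_ip(ip: str) -> bool:
    """True if the address falls in a known hosting-provider prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def country_filter_passes(ev: SignIn) -> bool:
    """What a location-only filter sees: in-country traffic is allowed."""
    return ev.src_country == ev.home_country


def signals(ev: SignIn) -> list[str]:
    """Signals that fire regardless of where the IP geolocates."""
    found = []
    if ev.device_name.upper() == CLONED_HOSTNAME:
        found.append("cloned-vm-hostname")
    if is_hosting_ip(ev.src_ip):
        found.append("hosting-provider-ip")
    if not country_filter_passes(ev):
        found.append("country-mismatch")
    return found


def triage(events: list[SignIn]) -> dict[str, dict]:
    """Per user: would a geo-only filter have allowed it, and which extra signals fire."""
    return {
        ev.user: {"geo_filter_allowed": country_filter_passes(ev), "signals": signals(ev)}
        for ev in events
    }


def sample_events() -> list[SignIn]:
    # Constructed records for illustration.
    return [
        # In-country hosting IP from a cloned VM: passes the geo filter,
        # caught by the hostname and hosting-IP signals.
        SignIn("alice", "198.51.100.23", "US", "US", "WIN-BUNS25TD77J"),
        # Ordinary sign-in from a residential address on the user's own laptop.
        SignIn("bob", "192.0.2.45", "US", "US", "BOB-LAPTOP"),
        # Cloned VM hosted abroad: the geo filter would also flag this one.
        SignIn("carol", "203.0.113.9", "DE", "CA", "win-buns25td77j"),
    ]


if __name__ == "__main__":
    for user, verdict in triage(sample_events()).items():
        print(user, verdict)
```

The first record is the one that matters: the source country matches the user's home country, so a geo filter allows it, and only the hostname and hosting-prefix checks reveal it as RedVDS-style infrastructure.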
Scale of Impact
- Since Sept 2025, RedVDS-enabled attacks compromised or fraudulently accessed 191,000+ organizations worldwide.
- That figure covers only the accounts Microsoft could see; the total across all providers is larger, showing how quickly cybercrime-as-a-service scales.
Microsoft’s Actions
- Filed civil lawsuits in the U.S. and U.K.
- Seized malicious infrastructure and took down RedVDS’s marketplace and customer portal.
- Coordinated with Cloudflare in Sept 2025 to disrupt RaccoonO365, another Phishing-as-a-Service platform.
Takeaway
RedVDS exemplifies the rise of cybercrime-as-a-service platforms, making fraud cheap, scalable, and hard to trace. By offering disposable virtual desktops, it enabled criminals to launch phishing, BEC, and credential theft campaigns at industrial scale. Microsoft’s disruption is a major win, but it highlights how criminal infrastructure is evolving to mimic legitimate cloud services.