Microsoft has executed a disruption of RedVDS, a large-scale, subscription-based service allegedly used by a broad range of threat actors, seizing the marketplace’s infrastructure as part of a coordinated operation with law enforcement in the United States and abroad. The action, which included legal proceedings in both the U.S. and the United Kingdom, resulted in the complete shutdown of the RedVDS online marketplace.

The takedown marks a significant blow to the cybercrime-as-a-service ecosystem, which fuels large-scale, automated fraud, including increasingly sophisticated, AI-enabled schemes like real estate payment diversion scams. Microsoft said it cooperated with authorities including Europol and law enforcement agencies in Germany.

“Microsoft tracks the threat actor who develops and operates RedVDS as Storm-2470. We have observed multiple cybercriminal actors, including Storm-0259, Storm-2227, Storm-1575, Storm-1747, and phishing actors who used the RaccoonO365 phishing service prior to its coordinated takedown, leveraging RedVDS infrastructure. RedVDS launched their website in 2019 and has been operating publicly since to offer servers in locations including the United States, United Kingdom, Canada, France, Netherlands, and Germany. The primary website used the redvds[.]com domain, with secondary domains at redvds[.]pro and vdspanel[.]space,” Microsoft Threat Intelligence researchers wrote in a report on the service.

“RedVDS uses a fictitious entity claiming to operate and be governed by Bahamian Law. RedVDS customers purchased the service through cryptocurrency, primarily Bitcoin and Litecoin, adding another layer of obfuscation to illicit activity.”

The Mechanism of the Threat: Cybercrime-on-Demand

Like many other cybercrime marketplaces, RedVDS operated as an online subscription service, allegedly providing criminals with cheap, effective, and disposable virtual environments. By offering access to these virtual machines—often running unlicensed Windows software—the platform made cybercrime scalable, cheap, and difficult to trace.

Attackers leveraged RedVDS infrastructure for a wide array of activities:

  • Payment Diversion Fraud (BEC): This was a primary use case, where attackers gained unauthorized access to email accounts, monitored conversations, and impersonated a trusted party to redirect scheduled wire transfers and payments. BEC scams are a major cause of financial loss from cybercrime, especially for companies with limited security resources.
  • High-Volume Phishing: In one month, Microsoft saw over 2,600 distinct RedVDS VMs sending an average of one million phishing messages per day to Microsoft customers alone.
  • Real Estate Scams: The platform was heavily used to facilitate payment diversion scams in the real estate sector, compromising accounts of realtors or escrow agents to fraudulently divert closing funds.
  • Hosting Scam Infrastructure: Criminals used the VMs to host their C2 and landing pages.

The Role of AI in Scaling Fraud

A key hallmark of RedVDS-enabled attacks was the use of generative AI. Attackers frequently paired the service with AI tools to:

  • Identify Targets: Expedite the identification of high-value individuals and organizations.
  • Enhance Deception: Generate more realistic, multi-media email threads that convincingly mimic legitimate correspondence.
  • Impersonation: In hundreds of cases, attackers utilized advanced AI tools for face-swapping, video manipulation, and voice cloning to impersonate individuals and deceive victims in targeted business email compromise (BEC) schemes.

Financial and Human Toll

Since March 2025, RedVDS-enabled activity has driven approximately $40 million in reported fraud losses in the U.S. However, due to the global nature of the attacks and the high frequency of unreported incidents, Microsoft assesses the true economic and human toll to be far higher.

Two organizations joined Microsoft as co-plaintiffs in the civil action, illustrating the severe impact: H2-Pharma, an Alabama pharmaceutical company that lost more than $7.3 million, and Gatehouse Dock Condominium Association, a Florida-based association defrauded out of nearly $500,000 of residents’ funds.

Despite Microsoft blocking more than 600 million cyberattacks per day, the sheer volume facilitated by RedVDS led to widespread compromises. Since September 2025, RedVDS-enabled attacks have been linked to the fraudulent access or compromise of more than 191,000 organizations worldwide across industries including health care, manufacturing, logistics, and legal services.

The dismantling of RedVDS is expected to significantly degrade the operational capacity of cybercriminal groups who relied on the platform's infrastructure.