Microsoft announced Wednesday that it collaborated with international law enforcement to seize infrastructure associated with the cybercrime service RedVDS. The company also initiated civil actions in the United States and the United Kingdom to prevent further misuse of the service, which has facilitated significant fraud.
RedVDS has been linked to at least $40 million in fraud losses in the U.S. since March 2025, according to Microsoft. Among the victims joining Microsoft as co-plaintiffs are H2 Pharma, an Alabama-based pharmaceutical company that lost over $7.3 million, and the Gatehouse Dock Condominium Association in Florida, which was defrauded of nearly $500,000.
Microsoft Disrupts RedVDS Cybercrime Infrastructure
Microsoft stated that RedVDS provided criminals with access to disposable virtual computers, making fraud operations cheaper, scalable, and more difficult to trace. Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, explained in a blog post that the service offered access to inexpensive, effective, and disposable virtual machines running unlicensed software, including Windows, enabling anonymous and cross-border criminal activities.
The seizure of RedVDS’s infrastructure was the result of a joint operation involving Microsoft, Europol, and authorities in Germany. This operation has taken the marketplace offline. Cybercriminals utilized the platform, which included features like a loyalty program and referral bonuses, to conduct high-volume phishing attacks, host scam operations, and facilitate various forms of fraud, such as business email compromise.
Impact on Microsoft Customers and Organizations
Microsoft customers were among those affected by the tools and services provided by RedVDS. According to Masada, since September 2025, attacks enabled by RedVDS have led to the compromise or fraudulent access of more than 191,000 Microsoft email accounts across over 130,000 organizations globally. He noted that these figures represent only a portion of the total impacted accounts across all technology providers.
Over a single month, researchers observed that more than 2,600 RedVDS virtual machines were used to send an average of one million phishing messages daily to Microsoft customers. The RedVDS service facilitated payment diversion fraud against organizations like H2 Pharma and the Gatehouse Dock Condominium Association through business email compromise schemes. Microsoft also reported that the marketplace was used to compromise accounts of realtors, escrow agents, and title companies, leading to the diversion of payments.
The fraud facilitated by RedVDS has directly impacted over 9,000 customers, with a significant number located in Canada and Australia, particularly related to real estate fraud. Microsoft Threat Intelligence has indicated that other types of scams enabled by RedVDS have affected organizations in sectors including construction, manufacturing, healthcare, logistics, education, and legal services.
RedVDS Operation and Technical Details
Researchers found that the RedVDS marketplace featured a user interface designed for cybercriminals to easily purchase unlicensed and inexpensive Windows-based remote desktop protocol servers with full administrator control. The service employed a method of reusing a single, cloned Windows host image across its offerings, which allowed researchers to identify unique technical fingerprints associated with the infrastructure.
Microsoft attributes the development and operation of RedVDS to a group it tracks as Storm-2470. According to Microsoft Threat Intelligence, at least five additional cybercrime groups and individual cybercriminals, who previously used the RaccoonO365 phishing service before its takedown in October, were also utilizing RedVDS infrastructure.
RedVDS initially launched in 2019 and had been operating by providing servers located in the U.S., U.K., Canada, France, the Netherlands, and Germany. Researchers described the marketplace as a significant tool for cybercriminals in the past year, enabling thousands of attacks, including credential theft, account takeovers, and mass phishing campaigns.
The service rented servers from third-party hosting providers, including companies in the U.S., Canada, U.K., France, and the Netherlands. This practice allowed RedVDS to provision IP addresses in geolocations near its targets, enabling cybercriminals to bypass location-based security filters and disguise their traffic as normal data center activity, according to researchers.
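The evasion described above, where sign-ins arrive from rented data-center IPs geolocated near the victim, is why a purely geolocation-based filter is weak. The following is an added illustration, not code from Microsoft or from the article: it triages constructed sign-in records by checking the source IP against a hosting-provider range list in addition to the geolocation match, so that a "correct country" sign-in from a data-center block is still surfaced for review. The log format, the user names, and the CIDR blocks (drawn from the RFC 5737 documentation ranges) are all constructed for the example.

```python
import ipaddress

# Constructed placeholder list of hosting-provider CIDR blocks. In practice this
# would be populated from an ASN/hosting enrichment feed; these are documentation
# ranges (RFC 5737), not real providers.
HOSTING_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample sign-in lines: timestamp, user, source IP, geolocated
# country of the IP, and the user's expected home country.
SAMPLE_SIGNINS = [
    "2025-10-01T08:02:11Z user=alice@example.test ip=203.0.113.45 geo=US home=US",
    "2025-10-01T08:05:40Z user=bob@example.test ip=192.0.2.17 geo=US home=US",
    "2025-10-01T08:07:02Z user=carol@example.test ip=198.51.100.9 geo=DE home=US",
]


def parse_signin(line):
    """Split one 'key=value' sign-in line into a dict (constructed format)."""
    timestamp, *fields = line.split()
    record = {"ts": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def is_hosting_ip(ip_text):
    """True if the address falls inside any known hosting-provider block."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in HOSTING_RANGES)


def evaluate(record):
    """Return (verdict, reason) for one sign-in record.

    A geolocation mismatch is blocked outright. A geolocation match is allowed
    only when the source is not a data-center address; a matching geolocation
    from a hosting range is exactly the pattern the article describes, so it is
    escalated for review rather than silently allowed.
    """
    geo_matches = record["geo"] == record["home"]
    from_hosting = is_hosting_ip(record["ip"])
    if not geo_matches:
        return ("block", "geolocation does not match user's home country")
    if from_hosting:
        return ("review", "geolocation matches but source is a hosting-provider range")
    return ("allow", "geolocation matches and source is not a known hosting range")


def triage(lines):
    """Map each user in the log lines to its (verdict, reason)."""
    return {rec["user"]: evaluate(rec) for rec in map(parse_signin, lines)}


if __name__ == "__main__":
    for user, (verdict, reason) in triage(SAMPLE_SIGNINS).items():
        print(f"{user}: {verdict} ({reason})")
```

The point of the `review` tier is that the second check does not depend on the attacker's choice of geolocation: a rented VPS in the victim's own country still carries the hosting provider's address block, which is the property a defender can enrich on.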
“Cybercrime today is powered by shared infrastructure, which means disrupting individual attackers is not enough,” Masada stated. He added that through this coordinated action, Microsoft has disrupted RedVDS’s operations, including seizing two domains that hosted the RedVDS marketplace and customer portal, while also working to identify the individuals behind the operation.
The next steps in this ongoing effort will likely involve further investigation into the individuals behind RedVDS and the prosecution of those involved. The effectiveness of these legal and technical disruptions in deterring future cybercrime operations remains to be seen.