Microsoft Takes Down RedVDS Crimeware Subscription Service

Eng. Donya Bino

As part of its ongoing efforts to eradicate organized cybercrime, Microsoft has recently announced that it is taking coordinated legal action against RedVDS in both the United States and the United Kingdom. Microsoft has accused RedVDS of providing criminals with the services they need in order to commit large-scale fraud throughout the world.

The takedown of RedVDS was carried out by Microsoft's Digital Crimes Unit (DCU), with assistance from law enforcement partners. As a result of these efforts, DCU was able to seize the infrastructure used by RedVDS and take the RedVDS website down.

RedVDS provided a subscription-based service to anyone who wanted to commit cybercrime. For as little as $24 per month, criminals could rent a disposable computer that they could use to commit crimes. Microsoft estimates that RedVDS has been linked to at least $40 million in fraud losses reported in the United States since March 2025.

"In exchange for a low monthly fee, RedVDS offered a low-cost way for criminals to make a lot of money, and provided a platform that made it pretty tough to trace back to them," said Steven Masada, an assistant general counsel at Microsoft.

By lowering the cost of access to advanced cybercrime tooling, services like RedVDS have accelerated the growth of the cybercrime market, enabling even low-skill criminals to run sophisticated fraud operations at scale.

How RedVDS Helped Fraudsters Run Their Business
RedVDS was a reselling platform offering Windows-based RDP servers, including unlicensed copies. The servers came with full administrator access and no logging or usage restrictions, giving customers complete freedom to operate alongside other fraudsters. RedVDS servers were hosted in several regions, including the United States, Canada, Europe and Asia Pacific, which let their traffic blend in with legitimate activity.

Key Features of RedVDS Servers:
1. Disposable Windows VMs
2. Admin RDP Access
3. Reseller Panels to Create Sub Users
4. Telegram Bot for Management of Sub Users
5. No Audit Logs or Activity Logs

RedVDS did have an explicit policy prohibiting the use of its servers for fraudulent activity; however, the service was used by numerous individuals and groups for:
1. Phishing and Credential Harvesting
2. Business Email Compromise (BEC)
3. Account Take-Over Campaigns
4. Financial Fraud/Invoicing Manipulation

Magnitude and Impact
Microsoft states that since September 2025, over 191,000 organizations worldwide have had their systems compromised or fraudulently accessed through RedVDS activity.

RedVDS and the operators behind its infrastructure were part of an international cybercriminal network that Microsoft tracks as Storm-2470. Microsoft has observed RedVDS users operating across many sectors, including healthcare, legal services, manufacturing, education and real estate.

Threat clusters known to have operated on RedVDS include Storm-2227, Storm-1575 and Storm-1747, as well as a phishing operator using the RaccoonO365 phishing kit, which was recently disrupted.

Malicious and Dual-Use Tools, Fraud and AI
RedVDS-hosted systems gave criminals a broad array of malicious and dual-use tools to deploy, including:
1. Phishing – mass mailers
2. Information gathering – credential harvesting
3. Remote access – gaining control of victim systems
4. VPN and browser options to increase privacy

Microsoft's observations showed adversaries pairing RedVDS infrastructure with generative AI tools to:
1. Identify targets for future attacks
2. Create realistic correspondence for phishing campaigns
3. Use voice cloning and video editing techniques to impersonate victims

This approach has significantly increased BEC scams by allowing the attacker to insert themselves into an existing conversation thread and redirect payments to a mule account.

Replication of Infrastructure at Scale
Investigators found that RedVDS operated by repeatedly cloning a single Windows Server 2022 master image using QEMU virtualization and VirtIO drivers. The cloned systems all shared the same computer name and system identifier, indicating that, at a minimum, they were created by the same automated mass-deployment method.
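The shared computer name and system identifier described above is something a defender can look for in their own sign-in telemetry: a fleet of identical clones rented out to different criminals shows up as one client identity authenticating from many unrelated external addresses. The following is an added example, not code from the article, Microsoft or RedVDS. The log format, the field names (`ws`, `mid`, `src`) and the sample records are constructed for this example and would need mapping onto real logon events.

```python
"""
Added example (not from the article, Microsoft or RedVDS): a small detection
that flags one client computer name / machine identifier authenticating from
many distinct external IP addresses, the pattern a fleet of mass-cloned VMs
that share a computer name would produce when used by different people.

The log format below is constructed for this example; the field names are
hypothetical and must be mapped to your own sign-in or logon telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Address ranges treated as internal for this example (RFC 1918 plus loopback).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    user: str
    workstation: str  # client computer name reported at logon
    machine_id: str   # client machine identifier (hypothetical field)
    source_ip: str


def parse_line(line: str) -> AuthEvent:
    """Parse one 'key=value' record of the constructed log format."""
    fields = dict(token.split("=", 1) for token in line.split())
    return AuthEvent(fields["ts"], fields["user"], fields["ws"],
                     fields["mid"], fields["src"])


def is_external(ip: str) -> bool:
    """True when the address is outside the ranges listed in INTERNAL_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_shared_client_identities(events, min_distinct_ips: int = 3):
    """Group external logons by (workstation, machine_id) and report every
    identity seen from at least `min_distinct_ips` distinct source addresses,
    most widely spread first."""
    ips_by_identity = defaultdict(set)
    users_by_identity = defaultdict(set)
    for ev in events:
        if not is_external(ev.source_ip):
            continue
        key = (ev.workstation, ev.machine_id)
        ips_by_identity[key].add(ev.source_ip)
        users_by_identity[key].add(ev.user)

    findings = []
    for (workstation, machine_id), ips in ips_by_identity.items():
        if len(ips) >= min_distinct_ips:
            findings.append({
                "workstation": workstation,
                "machine_id": machine_id,
                "distinct_source_ips": len(ips),
                "distinct_users": len(users_by_identity[(workstation, machine_id)]),
            })
    findings.sort(key=lambda f: f["distinct_source_ips"], reverse=True)
    return findings


# Constructed sample records: four unrelated accounts log on from four
# different external addresses while all reporting the same client identity;
# two ordinary users present unique names; one internal logon is ignored.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
ts=2025-10-01T08:02:11Z user=a.jones ws=LAPTOP-AJ mid=aaaa-0001 src=203.0.113.10
ts=2025-10-01T08:05:42Z user=b.smith ws=DESKTOP-BS mid=aaaa-0002 src=198.51.100.7
ts=2025-10-01T08:06:03Z user=c.ng ws=WIN-CLONE01 mid=bbbb-0001 src=203.0.113.55
ts=2025-10-01T08:07:19Z user=d.patel ws=WIN-CLONE01 mid=bbbb-0001 src=198.51.100.200
ts=2025-10-01T08:09:50Z user=e.ruiz ws=WIN-CLONE01 mid=bbbb-0001 src=192.0.2.14
ts=2025-10-01T08:11:27Z user=f.kim ws=WIN-CLONE01 mid=bbbb-0001 src=192.0.2.77
ts=2025-10-01T08:12:00Z user=g.li ws=WIN-CLONE01 mid=bbbb-0001 src=10.0.0.5
"""


def run_sample():
    """Parse the constructed log and return the findings for it."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return find_shared_client_identities(events)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['workstation']} / {f['machine_id']}: "
              f"{f['distinct_source_ips']} external IPs, {f['distinct_users']} users")
```

Keying on both the computer name and the machine identifier avoids false positives from coincidentally common hostnames, and counting distinct users alongside distinct IPs separates a travelling single user from a shared identity used by several accounts. The threshold of three external addresses is a starting point to tune against your own baseline.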

Through the use of a stolen Windows evaluation license, the operator effectively lowered their costs, allowing them to spin up identical cloned instances of fraud-ready servers within minutes of receiving a cryptocurrency payment.

Why This Matters
Taking down RedVDS has highlighted how cybercrime today relies heavily on subscription-based service models rather than on developing unique malware. The use of disposable cloud environments and AI-generated lures has created a lower-risk, higher-reward business model for fraud.

Although Microsoft highlighted the impact of disrupting this infrastructure, it also stated that more collaboration is needed between technology companies, law enforcement and cloud service providers to prevent the re-emergence of similar platforms.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067