Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud

Microsoft has announced a coordinated legal action in the United States and the United Kingdom that has dismantled RedVDS, a cybercrime-focused infrastructure service linked to large-scale online fraud and financial losses worldwide.

According to Microsoft, the takedown was carried out in collaboration with law enforcement partners and resulted in the seizure of RedVDS’s technical infrastructure and the shutdown of its primary domains, including redvds[.]com, redvds[.]pro, and vdspanel[.]space. The service allegedly enabled cybercriminals to conduct fraud operations at scale by offering low-cost, disposable virtual servers designed to evade detection.

A Cybercrime Platform Built for Scale

RedVDS operated as a subscription-based service, charging as little as $24 per month for access to virtual Windows-based servers. These servers allowed threat actors to run fraud campaigns anonymously, send mass phishing emails, and host scam infrastructure with minimal oversight.

Microsoft estimates that since March 2025, activity tied to RedVDS has contributed to approximately $40 million in reported fraud losses in the United States alone. The company described the platform as a clear example of how crimeware-as-a-service models are lowering the barrier to entry for cybercrime and accelerating the professionalization of online fraud.

How RedVDS Enabled Fraud

Marketed publicly as a productivity and remote work solution, RedVDS in practice offered a feature set that appealed directly to criminal users:

  • Cheap, unlicensed Windows Remote Desktop Protocol (RDP) servers with full administrative access
  • No enforced usage limits or activity logging
  • A reseller panel that allowed operators to create sub-accounts without sharing credentials
  • Server locations across North America, Europe, and Asia
  • Management via a Telegram bot, reducing the need to log in through a web interface

These features made RedVDS particularly effective for phishing campaigns, business email compromise (BEC), account takeovers, and financial fraud.

AI-Enhanced Cybercrime Tactics

Microsoft noted that RedVDS infrastructure was frequently combined with generative artificial intelligence tools to increase attack effectiveness. Threat actors used AI to identify high-value targets, generate realistic phishing messages, and simulate legitimate business correspondence.

In more advanced cases, attackers leveraged AI-driven voice cloning, face-swapping, and video manipulation to impersonate real individuals, significantly increasing the success rate of fraud attempts.

Since September 2025, Microsoft estimates that RedVDS-linked activity has impacted more than 191,000 organizations globally, spanning industries such as healthcare, legal services, manufacturing, construction, real estate, and education.

A Shared Infrastructure Behind Multiple Threat Actors

Microsoft tracks the operator of RedVDS under the name Storm-2470 and identified a broad network of cybercriminal groups using the service. These included known threat clusters such as Storm-2227, Storm-1575, and Storm-1747, as well as phishing actors previously associated with the now-disrupted RaccoonO365 phishing kit.

The infrastructure hosted a mix of malicious and dual-use tools, including mass mailing software, email harvesting utilities, privacy browsers, VPN services, remote access tools, and phishing frameworks. Some actors also attempted to abuse legitimate platforms, such as Microsoft Power Automate, to send fraudulent messages programmatically.

Cloned Windows Servers and Stolen Licenses

Microsoft’s investigation revealed that RedVDS relied on a single Windows Server 2022 image that was repeatedly cloned using the QEMU hypervisor. Every virtual machine carried the same system identity and computer name, indicating that a single evaluation license had been reused to generate thousands of servers at minimal cost. For defenders, that shared identity is also a usable signal: the same workstation name turning up in sign-in logs from many unrelated source addresses is exactly what a fleet of identically cloned servers looks like from the target side.

This automated cloning process allowed RedVDS to deploy new RDP servers within minutes of receiving cryptocurrency payments, giving cybercriminals a fast and scalable platform for launching attacks.
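The following Python script is an added example, not code from Microsoft or from the RedVDS operators. It parses a constructed set of sign-in records (the line layout is an assumption, modelled loosely on the Workstation Name and Source Network Address fields of Windows Security event 4624) and flags workstation names that appear from several distinct source addresses under several different accounts, which is the pattern a fleet of identically named cloned VMs produces. The function names, thresholds, and sample data are all illustrative.

```python
import re
from collections import defaultdict

# Constructed sample sign-in records (not real logs). The field layout is an
# assumption loosely modelled on Windows Security event 4624, which records a
# Workstation Name next to the source network address. Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2025-09-12T08:31:02Z user=alice ws=FIN-LAPTOP-07 ip=198.51.100.23 result=success
2025-09-12T08:33:10Z user=alice ws=FIN-LAPTOP-07 ip=198.51.100.23 result=success
2025-09-12T09:02:44Z user=bob ws=WIN-K3Q9V2 ip=203.0.113.7 result=success
2025-09-12T09:03:01Z user=carol ws=WIN-K3Q9V2 ip=203.0.113.88 result=failure
2025-09-12T09:03:15Z user=carol ws=WIN-K3Q9V2 ip=203.0.113.88 result=success
2025-09-12T09:05:52Z user=dave ws=WIN-K3Q9V2 ip=192.0.2.41 result=success
2025-09-12T09:07:30Z user=erin ws=WIN-K3Q9V2 ip=192.0.2.130 result=success
2025-09-12T10:15:00Z user=frank ws=DESKTOP-A1B2C3 ip=198.51.100.77 result=success
2025-09-12T11:40:19Z user=frank ws=DESKTOP-A1B2C3 ip=198.51.100.78 result=success
2025-09-12T11:41:00Z user=frank ws=DESKTOP-A1B2C3 ip=198.51.100.79 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ws=(?P<ws>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_logs(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_shared_workstation_names(events, min_ips=3, min_users=2):
    """
    Return {workstation_name: {"ips": [...], "users": [...]}} for every name
    seen from at least `min_ips` distinct source addresses AND at least
    `min_users` distinct accounts.

    Requiring both conditions removes the obvious benign case of one person's
    laptop roaming across several networks. Failed logons are counted on
    purpose: a cloned fleet used for password guessing produces mostly failures.
    """
    ips_by_ws = defaultdict(set)
    users_by_ws = defaultdict(set)
    for ev in events:
        ips_by_ws[ev["ws"]].add(ev["ip"])
        users_by_ws[ev["ws"]].add(ev["user"])

    flagged = {}
    for ws, ips in ips_by_ws.items():
        users = users_by_ws[ws]
        if len(ips) >= min_ips and len(users) >= min_users:
            flagged[ws] = {"ips": sorted(ips), "users": sorted(users)}
    return flagged


def main():
    events = parse_logs(SAMPLE_LOGS)
    for ws, info in find_shared_workstation_names(events).items():
        print(f"{ws}: {len(info['ips'])} source IPs, accounts {', '.join(info['users'])}")


if __name__ == "__main__":
    main()
```

In the sample data only WIN-K3Q9V2 is flagged: it shows up from four addresses across two documentation ranges under four different accounts. DESKTOP-A1B2C3 also has three source addresses, but all for one user, so it is treated as a roaming client rather than a shared image. Treat a hit as a triage lead, not proof; a large NAT or a sloppy corporate image that never renames hosts will trip the same check, so the thresholds need tuning against your own baseline, and the source addresses are worth enriching with ASN or hosting-provider data before acting on them.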

Legal Terms vs. Criminal Reality

Despite its clear role in cybercrime, RedVDS’s terms of service formally prohibited phishing, malware distribution, and denial-of-service attacks. Microsoft believes these restrictions were included to create plausible deniability rather than to prevent abuse.

“RedVDS provided a permissive, low-cost environment that enabled every stage of fraud operations,” Microsoft said, from reconnaissance and phishing to credential theft and financial impersonation scams.

A Broader Message to Cybercriminal Services

The takedown of RedVDS highlights Microsoft’s expanding use of legal and technical measures to disrupt cybercrime ecosystems, particularly those enabling fraud at scale. It also underscores how infrastructure providers—rather than individual attackers—are becoming key targets in the fight against organized cybercrime.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO