
Microsoft, Law Enforcement Disrupt RedVDS Global Cybercrime Service
Why It Matters
Disrupting RedVDS removes a low‑cost, scalable infrastructure that fuels mass phishing and fraud, protecting millions of potential victims and signaling stronger collaboration between tech firms and law‑enforcement.
By Jeffrey Burt on January 14, 2026
Microsoft and international law‑enforcement agencies disrupted the operations of RedVDS, a player in the rapidly expanding cybercrime‑as‑a‑service ecosystem that has been operating since 2019 and, since March 2025, has helped threat actors steal $40 million from organizations and individuals in the United States.
The tech giant and international organizations, including Europol and German authorities, seized RedVDS’ infrastructure and two associated domains that hosted its marketplace and customer portal, according to Steven Masada, assistant general counsel with Microsoft’s Digital Crimes Unit.
RedVDS provides bad actors with access to virtual dedicated servers (VDS) to run a range of scams, including business‑email‑compromise (BEC), massive phishing campaigns, account takeover, and financial‑fraud schemes. Hackers could pay as little as $24 a month to use the disposable virtual computers.
Masada wrote that the systems “make fraud cheap, scalable, and difficult to trace. Services like these have quietly become a driving force behind today’s surge in cyber‑enabled crime, powering attacks that harm individuals, businesses, and communities worldwide.”
Bad Actors and Cybercrime‑as‑a‑Service
Ransomware‑, phishing‑, and malware‑as‑a‑service have drastically lowered the financial and technical bar, allowing low‑skilled hackers to run vast and sophisticated campaigns by buying or renting the necessary tools and sharing the ill‑gotten loot with the technologies’ developers.
In its 2025 State of the Underground report, Bitsight analysts wrote that they detected 384 unique malware variants sold in the top three criminal forums in 2024, a 10% increase from the year before, “signifying an expansion in the underground malware marketplace” that is “diverse and evolving.”
The virtual systems that RedVDS gave subscribers access to ran unlicensed software, including Windows, according to Masada, who added that RedVDS “is frequently paired with generative AI tools that help identify high‑value targets faster and generate more realistic, multimedia message email threads that mimic legitimate correspondences.”
“In hundreds of cases, Microsoft observed attackers further augment their deception by leveraging face‑swapping, video manipulation, and voice‑cloning AI tools to impersonate individuals and deceive victims,” he wrote.
A Lot of Victims, a Lot of Money
- In one month, more than 2,600 RedVDS virtual servers sent an average of 1 million phishing messages a day to Microsoft customers. Most were blocked or flagged, but some likely reached inboxes.
- Since September 2025, attacks using RedVDS systems have compromised or accessed more than 191,000 organizations worldwide.
Victims include:
- H2‑Pharma, a pharmaceutical company in Alabama that lost $7.3 million in a scam.
- Gatehouse Dock Condominium Association in Florida, which was taken for almost $500,000.
RedVDS virtual servers have also been heavily used in real‑estate payment scams, where attackers compromise accounts of Realtors, escrow agents, and title companies and send fraudulent payment instructions. Microsoft saw RedVDS‑based incidents hitting more than 9,000 customers.
Other targeted sectors: construction, manufacturing, healthcare, education, and legal services.
An incident map by Microsoft showed heavy concentrations of attacks in North America and Europe, with additional campaigns in Asia, Australia, parts of Africa, the Middle East, and South America.
Tracking Down RedVDS
The Microsoft Threat Intelligence team, in a separate report, wrote that RedVDS has “become a prolific tool for cybercriminals in the past year, facilitating thousands of attacks including credential theft, account takeovers, and mass phishing.” Researchers identified attacks showing thousands of stolen credentials, invoices stolen from target organizations, mass mailers, and phishing kits.
Key technical findings:
- Multiple Windows hosts were created from the same base Windows installation.
- Most hosts were built using a single computer ID, indicating the same Windows Eval 2022 license was reused, helping the operator keep expenses low.
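The finding that many RedVDS hosts shared one computer ID is something a defender can turn into a detection: hosts cloned from one image show up as many distinct source IPs carrying the same machine identifier, which independently provisioned servers never do. The script below is an added example written for this article, not Microsoft's tooling or any code from the researchers' report. It assumes you already collect per‑host telemetry with a machine identifier (the field name `machine_id` is hypothetical; where such an identifier is observed depends on your own sensors), and the records it runs over are constructed sample data, not real RedVDS indicators.

```python
"""Flag fleets of distinct hosts that share one machine identifier.

Added example, not code from the article or from Microsoft. Assumes some
per-host telemetry carrying a machine identifier (hypothetical field
"machine_id"); the sample records below are constructed, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRecord:
    src_ip: str        # source address the host was observed from
    machine_id: str    # machine identifier carried in telemetry (hypothetical field)
    os_build: str      # reported Windows build
    messages_sent: int  # outbound mail seen from this host in the window


# Constructed sample telemetry (RFC 5737 documentation addresses): five hosts
# cloned from one image share a machine id; two unrelated hosts have their own.
SAMPLE = [
    HostRecord("203.0.113.10", "8f1c-AAAA", "20348", 41200),
    HostRecord("203.0.113.11", "8f1c-AAAA", "20348", 38750),
    HostRecord("198.51.100.7", "8f1c-AAAA", "20348", 40100),
    HostRecord("198.51.100.8", "8f1c-AAAA", "20348", 3),
    HostRecord("192.0.2.44",   "8f1c-AAAA", "20348", 39900),
    HostRecord("192.0.2.45",   "c0de-BBBB", "22631", 12),
    HostRecord("192.0.2.46",   "d00d-CCCC", "19045", 5),
]


def cluster_by_machine_id(records):
    """Group records by machine identifier."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r.machine_id].append(r)
    return clusters


def flag_cloned_fleets(records, min_hosts=3):
    """Return machine ids seen on at least `min_hosts` distinct IPs, with stats.

    One machine id on many addresses is the signal the article describes:
    hosts cloned from a single base install rather than built independently.
    A low-volume host in the cluster is still flagged, because it shares the
    same provenance as its noisy siblings.
    """
    flagged = {}
    for mid, recs in cluster_by_machine_id(records).items():
        ips = sorted({r.src_ip for r in recs})
        if len(ips) >= min_hosts:
            flagged[mid] = {
                "hosts": ips,
                "total_messages": sum(r.messages_sent for r in recs),
                "os_builds": sorted({r.os_build for r in recs}),
            }
    return flagged


def block_list(records, min_hosts=3):
    """All addresses belonging to a flagged fleet, for a mail-gateway policy."""
    ips = []
    for info in flag_cloned_fleets(records, min_hosts).values():
        ips.extend(info["hosts"])
    return sorted(set(ips))


if __name__ == "__main__":
    for mid, info in flag_cloned_fleets(SAMPLE).items():
        print(f"{mid}: {len(info['hosts'])} hosts, "
              f"{info['total_messages']} messages, builds {info['os_builds']}")
    print("block:", block_list(SAMPLE))
```

The threshold `min_hosts` is the knob to tune: legitimate deployments can also share an identifier when an administrator clones an image without generalising it, so a cluster is a lead to investigate, and the `os_builds` and message volume in the output are there to help decide whether it is a phishing fleet or a misconfigured corporate fleet.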
Microsoft researchers tagged the threat actor that developed and operates RedVDS as Storm‑2470. Through the marketplace, cybercriminals could buy unlicensed, inexpensive Windows Remote Desktop Protocol (RDP) servers that provide full administrator control with no usage limits. The researchers also observed that actors who had used the RaccoonO365 phishing service (shut down by Microsoft and Cloudflare in September 2025) were also using RedVDS.
Third‑Party Hosters Involved
To run the RedVDS service, Storm‑2470 rented servers from third‑party hosting providers in at least five countries – the United States, Canada, United Kingdom, France, and the Netherlands. Access to the RedVDS servers was through an online portal, with payment typically made in cryptocurrency (often Bitcoin). The lack of usage caps or activity logs helped attract users.
“Once provisioned, these cloned Windows hosts gave actors a ready‑made platform to research targets, stage phishing infrastructure, steal credentials, hijack mailboxes, and execute impersonation‑based financial fraud with minimal friction,” the researchers wrote. “The uniform, disposable nature of RedVDS servers allowed cybercriminals to rapidly iterate campaigns, automate delivery at scale, and move quickly from initial targeting to financial theft.”
Microsoft’s Masada noted that the vendor and law‑enforcement agencies have more work to do, including disrupting the payment networks used by the RedVDS service. Microsoft – along with H2‑Pharma and the Gatehouse Dock Condominium Association – has filed lawsuits in the United States and the United Kingdom to identify the people behind the operation.