RedVDS Cybercrime Service Disrupted by Microsoft and Law Enforcement

SecurityWeek | Jan 14, 2026

Why It Matters

The disruption curtails a low‑cost infrastructure that fuels large‑scale phishing and business‑email compromise, protecting millions of users and reducing financial losses. It also showcases the growing power of public‑private partnerships in dismantling cybercrime‑as‑a‑service ecosystems.


By Eduard Kovacs

January 14, 2026 (10:00 AM ET)


Microsoft announced on Wednesday that it has teamed up with law enforcement to target RedVDS, a cybercrime service that has facilitated a wide range of malicious activities.

Launched in 2019, RedVDS is a virtual dedicated server (VDS) service that enables cybercriminals to set up disposable Windows‑based RDP servers that they can then leverage for mass phishing, BEC attacks, financial fraud, and account takeover.

A subscription costs as little as $24 per month, but reported fraud losses tied to RedVDS total $40 million in the US alone, Microsoft said. As an example, the tech giant named an Alabama pharmaceutical company that lost over $7.3 million following a BEC attack that involved the cybercrime service.

According to Microsoft, cybercriminals have used RedVDS to target organizations in the United States, the United Kingdom, Canada, France, Germany, and Australia, including sectors such as legal, manufacturing, healthcare, real estate, construction, and education.

The tech giant tracks the threat group that operates and develops RedVDS as Storm‑2470.

Microsoft was able to link many attacks to RedVDS because most of the virtual servers used the same base Windows installation: they were generated from the same Windows Server 2022 image, and every instance had the same computer name.

“This host fingerprint appears in RDP certificates and system telemetry, serving as a core indicator of RedVDS activity. The underlying trick is that Storm‑2470 created one Windows virtual machine (VM) and repeatedly cloned it without customizing the system identity,” Microsoft explained.
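One way a defender could operationalize the fingerprint Microsoft describes, written here as an added example rather than anything from the article or from Microsoft: group inbound RDP sessions by the certificate CN each peer presents and flag any CN that many unrelated addresses share. The log format, the CN "EXAMPLE-CLONED-HOST" and the threshold are constructed assumptions; the actual RedVDS computer name is not given in the article.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data). Each line records an inbound
# RDP/TLS session: the peer IP and the subject CN of the self-signed RDP
# certificate it presented (Windows derives that CN from the computer name).
# "EXAMPLE-CLONED-HOST" is a placeholder; the real RedVDS indicator is not
# reproduced here.
SAMPLE_LOG = """\
2026-01-10T08:01:22Z src=203.0.113.10 rdp_cert_cn=EXAMPLE-CLONED-HOST
2026-01-10T08:03:41Z src=203.0.113.22 rdp_cert_cn=EXAMPLE-CLONED-HOST
2026-01-10T08:05:09Z src=198.51.100.7 rdp_cert_cn=EXAMPLE-CLONED-HOST
2026-01-10T08:06:30Z src=198.51.100.7 rdp_cert_cn=EXAMPLE-CLONED-HOST
2026-01-10T08:09:15Z src=192.0.2.44 rdp_cert_cn=EXAMPLE-CLONED-HOST
2026-01-10T08:11:02Z src=192.0.2.45 rdp_cert_cn=CORP-JUMPHOST01
2026-01-10T08:12:50Z src=192.0.2.45 rdp_cert_cn=CORP-JUMPHOST01
2026-01-10T08:14:33Z src=203.0.113.99 rdp_cert_cn=DEV-VM-0412
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+rdp_cert_cn=(?P<cn>\S+)")


def hosts_per_cert_cn(log_text):
    """Map each RDP certificate CN to the set of distinct peer IPs presenting it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group("cn")].add(m.group("src"))
    return seen


def cloned_identity_candidates(log_text, min_distinct_ips=3):
    """Return CNs presented by at least `min_distinct_ips` different peers.

    A legitimate computer name normally maps to one machine (or one NAT
    egress); the same CN arriving from many unrelated addresses is the
    cloned-VM signal the article describes and warrants analyst review.
    """
    seen = hosts_per_cert_cn(log_text)
    return {cn: sorted(ips) for cn, ips in seen.items()
            if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    for cn, ips in cloned_identity_candidates(SAMPLE_LOG).items():
        print(f"{cn}: presented by {len(ips)} distinct peers -> {ips}")
```

The threshold should be tuned against a baseline of your own environment, since a shared CN can also come from a legitimate golden image that was never sysprepped.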

The RedVDS servers do not carry out malicious activity on their own; they are infrastructure that threat actors provision and then use for their own campaigns.

The company’s analysis showed that the RedVDS servers were used for a wide range of purposes. Some cybercriminals installed mass‑mailer utilities that they used to send out spam and phishing emails. Others installed email‑address harvesters that enabled them to create target lists.

Cybercriminals also installed privacy‑focused browsers and VPNs on their servers, as well as remote‑access tools such as AnyDesk. Some of the service’s users also leveraged AI tools to improve their operations, Microsoft reported.

The company saw, in just one month, 2,600 RedVDS VMs sending an average of one million phishing emails per day to Microsoft customers.

“While most were blocked or flagged as part of the 600 million cyberattacks Microsoft blocks per day, the sheer volume meant a small percentage may have succeeded in reaching the targets’ inbox,” Microsoft said. “Since September 2025, RedVDS‑enabled attacks have led to the compromise or fraudulent access of more than 191,000 Microsoft email accounts across over 130,000 organizations worldwide.”


RedVDS disrupted

Microsoft has teamed up with international law enforcement to disrupt RedVDS. Actions taken against the cybercrime service include the seizure of domains associated with the RedVDS marketplace and customer portal.

Key servers have also been seized, and Microsoft is working with law enforcement to disrupt payment networks associated with the service.

Microsoft has filed legal action in the United States — and for the first time in the United Kingdom — in an effort to disrupt RedVDS infrastructure and identify the individuals behind the operation.

The news comes just months after Microsoft and Cloudflare teamed up to disrupt the RaccoonO365 phishing service. Some of the threat actors that used the RaccoonO365 service before its takedown have also used RedVDS.


Author


Eduard Kovacs – Managing editor at SecurityWeek. He worked as a high‑school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

(Twitter: @EduardKovacs | LinkedIn: eduard‑kovacs‑7b796134)
