Microsoft Knocks Offline RedVDS Cybercrime Marketplace Linked to $40M in Fraud
Microsoft said it has disrupted RedVDS, a global cybercrime subscription service used by financially motivated attackers to carry out business email compromise, mass phishing and account takeover campaigns. The activity tied to the service has been linked to about $40 million in reported fraud losses in the United States since March 2025.
The takedown, announced Wednesday, marks the 35th civil action brought by Microsoft’s Digital Crimes Unit and the first time the company has coordinated legal action across both the United States and the United Kingdom. Microsoft worked with international law enforcement partners, including German authorities and Europol, to seize key infrastructure and push the RedVDS marketplace offline.
Microsoft Threat Intelligence tracks the operator behind RedVDS as Storm-2470. Investigators found that cybercriminals around the world were buying access to the service to target organizations in legal, construction, manufacturing, real estate, health care and education sectors. Victims were spread across the United States, Canada, the United Kingdom, France, Germany and Australia.
Since September 2025, RedVDS-enabled activity compromised or fraudulently accessed more than 191,000 organizations worldwide, according to Microsoft. In one month alone, more than 2,600 RedVDS virtual machines sent an average of 1 million phishing emails per day to Microsoft customers.
Microsoft described RedVDS as a criminal marketplace that sold illegal software and services designed to make cybercrime easy to scale. Customers could rent unlicensed Windows-based Remote Desktop Protocol servers with full administrator access for as little as $24 per month through what Microsoft said was a straightforward user interface.
The service also left behind some clear technical tells. Microsoft said every RedVDS system it identified was built from the same cloned Windows Server 2022 image. All of the machines shared the same computer name, WIN-BUNS25TD77J, which became a reliable indicator of RedVDS activity.
RedVDS relied on automated provisioning built on QEMU (Quick Emulator) virtualization and VirtIO drivers to spin up Windows instances quickly. Rather than operating its own data centers, the service rented servers from at least five hosting providers across the United States, Canada, the United Kingdom, France and the Netherlands.
Two organizations are joining Microsoft as co-plaintiffs in the civil case. H2-Pharma, a pharmaceutical company, lost more than $7.3 million in a RedVDS-enabled scam. The Gatehouse Dock Condominium Association in Florida was defrauded of nearly $500,000 in resident funds intended for essential building repairs.
Microsoft said both organizations agreed to come forward and share their experiences publicly, a step the company said was critical to making the legal action possible and helping protect future victims.
The RedVDS disruption follows Microsoft’s September 2025 takedown of RaccoonO365, a phishing-as-a-service operation tied to thousands of compromised Microsoft 365 credentials. In that action, Microsoft seized 338 domains linked to the criminal platform.
Microsoft said multiple threat actors, including Storm-0259, Storm-2227, Storm-1575 and Storm-1747, have used RedVDS infrastructure. The company also observed phishing groups that previously relied on RaccoonO365 shifting to RedVDS after that service was shut down.
Within Microsoft Defender XDR, RedVDS-related activity can surface through alerts tied to suspicious inbox rules associated with business email compromise, risky sign-ins following phishing campaigns and questionable AnyDesk installations.
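The shared computer name and the Defender XDR signals above translate directly into a simple hunt. The script below is an added illustration, not code from Microsoft or from the article: it runs three checks (sign-ins from a device named WIN-BUNS25TD77J, inbox rules that hide or divert mail, and AnyDesk process events) over a small set of constructed events in a made-up, simplified log schema, then groups findings per account so an analyst can see which users stack several indicators. The tenant domain, event layout and field names are assumptions for the example.

```python
from collections import Counter

# Computer name Microsoft reported as shared by every RedVDS machine (from the article).
REDVDS_HOSTNAME = "WIN-BUNS25TD77J"
# Assumed tenant domain for the constructed sample; replace with your own.
INTERNAL_DOMAIN = "example.com"
# Remote-access tooling the article singles out as worth reviewing.
REMOTE_TOOLS = {"anydesk.exe"}

# Constructed sample events in a hypothetical, simplified schema (not a real Defender export).
SAMPLE_EVENTS = [
    {"type": "signin", "user": "cfo@example.com", "device": "LAPTOP-ACCT01", "result": "success"},
    {"type": "signin", "user": "ap@example.com", "device": "WIN-BUNS25TD77J", "result": "success"},
    {"type": "inbox_rule", "user": "ap@example.com", "name": ".",
     "forward_to": "drop@attacker.example", "delete": True},
    {"type": "inbox_rule", "user": "hr@example.com", "name": "Newsletters",
     "forward_to": "", "delete": False},
    {"type": "process", "user": "ap@example.com", "device": "DESKTOP-77", "image": "AnyDesk.exe"},
]


def hostname_hits(events):
    """Sign-ins coming from a device whose name matches the shared RedVDS computer name."""
    return [e for e in events
            if e["type"] == "signin" and e.get("device", "").upper() == REDVDS_HOSTNAME]


def suspicious_inbox_rules(events, internal_domain=INTERNAL_DOMAIN):
    """Inbox rules typical of BEC: external forwarding, deleting mail, or a near-empty name."""
    hits = []
    for e in events:
        if e["type"] != "inbox_rule":
            continue
        fwd = e.get("forward_to", "")
        forwards_externally = bool(fwd) and not fwd.lower().endswith("@" + internal_domain)
        # Names made only of punctuation ("." or "-") are a common way to hide a rule in the UI.
        hidden_name = len(e.get("name", "").strip(" ._-")) == 0
        if forwards_externally or e.get("delete") or hidden_name:
            hits.append(e)
    return hits


def remote_tool_installs(events):
    """Process events for remote-access tools that should be reviewed against change records."""
    return [e for e in events
            if e["type"] == "process" and e.get("image", "").lower() in REMOTE_TOOLS]


def triage(events):
    """Count findings per account so accounts with several stacked signals surface first."""
    per_user = Counter()
    for finding in hostname_hits(events) + suspicious_inbox_rules(events) + remote_tool_installs(events):
        per_user[finding["user"]] += 1
    return dict(per_user)


if __name__ == "__main__":
    for user, count in sorted(triage(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{user}: {count} finding(s)")
```

In the constructed sample only the accounts-payable mailbox trips all three checks, which is the pattern the article describes: a sign-in from RedVDS infrastructure, followed by a hidden rule that diverts mail, followed by a remote-access tool. Against real telemetry the same three functions would be fed from sign-in, mailbox-audit and endpoint process logs respectively.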
Microsoft continues to recommend that organizations use multifactor authentication, verify payment requests through secondary contact methods, closely monitor for subtle changes in email addresses, keep software up to date and report suspected cybercrime to law enforcement. The company said those steps remain key to breaking up operations like RedVDS.