Threat Intelligence · January 16, 2026 · 4 min read

Microsoft Dismantles RedVDS Phishing Platform Behind $40M Fraud

Coordinated takedown seizes cybercrime service that enabled 191,000 account compromises. Operation marks Microsoft's 35th action against criminal infrastructure.

Alex Kowalski

Microsoft announced Tuesday that it disrupted RedVDS, a cybercrime-as-a-service platform that powered phishing campaigns responsible for at least $40 million in fraud losses since March 2025. The operation, coordinated with Europol and German authorities, seized domains and servers used by criminals to compromise nearly 200,000 Microsoft accounts.

The takedown marks Microsoft's 35th civil action against cybercrime infrastructure and its first combined legal action in both the United States and United Kingdom.

What Was RedVDS?

RedVDS launched in 2019 as a virtual dedicated server (VDS) service catering specifically to cybercriminals. For as little as $24 per month, customers could spin up disposable Windows-based RDP servers pre-configured for mass phishing, business email compromise, financial fraud, and account takeover.

The service handled the technical overhead that would otherwise slow down criminal operations: acquiring infrastructure, configuring systems, and maintaining anonymity. Customers got clean Windows Server 2022 machines ready for immediate use. When those servers got flagged or burned, they could simply provision new ones.

In a single month, criminals operating more than 2,600 RedVDS virtual machines sent an average of 1 million phishing messages per day targeting Microsoft customers alone. Since September 2025, this infrastructure enabled the compromise of over 191,000 Microsoft email accounts across 130,000 organizations worldwide.

The Technical Fingerprint

Microsoft's Digital Crimes Unit tracked RedVDS through a distinctive technical artifact. The service's developer created all virtual machines from a single cloned Windows Server 2022 image. Every instance shared the same computer name: WIN-BUNS25TD77J.

This operational shortcut—presumably intended to streamline provisioning—left a forensic trail that helped investigators connect disparate criminal campaigns back to a common source. Different phishing operations, different target industries, different geographic regions, but all running on machines with identical system identifiers.
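The shared computer name is the kind of indicator a defender can pivot on in their own telemetry. The following is an added example, not code from the article or from Microsoft: it scans a handful of constructed log lines (a flattened Windows logon record with a `Workstation=` field and SMTP `Received:` headers, both assumed formats rather than real product output) for the hostname quoted above, and collects the source addresses attached to each hit so analysts have something to hunt on next. Only the hostname comes from the article; every sample line, IP address and account name is constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicator quoted in the article: the computer name shared by every RedVDS VM.
# Comparison is case-insensitive because Windows hostnames are, and log sources
# differ in how they render them.
REDVDS_HOSTNAME = "WIN-BUNS25TD77J"

# Assumed log shapes (constructed for this example, not real product output):
#   1) a flattened Windows Security logon record carrying a Workstation= field
#   2) an SMTP "Received:" header carrying the sending host's HELO/EHLO name
_WORKSTATION_RE = re.compile(r"Workstation=(?P<host>[A-Za-z0-9._-]+)")
_RECEIVED_RE = re.compile(r"^Received: from (?P<host>[A-Za-z0-9._-]+)", re.IGNORECASE)
# Source address: either SourceIP=a.b.c.d or the bracketed address in a Received header.
_SOURCE_IP_RE = re.compile(r"(?:SourceIP=|\[)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample lines; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "EventID=4624 LogonType=10 Account=jdoe Workstation=DESKTOP-4F2K1 SourceIP=10.0.0.15",
    "EventID=4624 LogonType=3 Account=finance01 Workstation=WIN-BUNS25TD77J SourceIP=203.0.113.44",
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net",
    "Received: from win-buns25td77j (unknown [198.51.100.7]) by mx.example.net",
    "EventID=4625 LogonType=3 Account=admin Workstation=WIN-BUNS25TD77J SourceIP=203.0.113.44",
]


def extract_hostname(line: str) -> Optional[str]:
    """Return the client/sending hostname from a line, or None if it carries none."""
    m = _WORKSTATION_RE.search(line) or _RECEIVED_RE.match(line)
    return m.group("host") if m else None


def find_redvds_indicators(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag every line whose hostname equals the RedVDS image's computer name.

    Each hit records the 1-based line number, the hostname as logged, which
    log shape matched, and the source IP if one was present.
    """
    hits: List[Dict[str, str]] = []
    for number, line in enumerate(lines, start=1):
        host = extract_hostname(line)
        if host is None or host.upper() != REDVDS_HOSTNAME:
            continue
        ip_match = _SOURCE_IP_RE.search(line)
        hits.append({
            "line": number,
            "host": host,
            "source": "smtp" if _RECEIVED_RE.match(line) else "logon",
            "source_ip": ip_match.group("ip") if ip_match else "",
        })
    return hits


def pivot_source_ips(hits: List[Dict[str, str]]) -> List[str]:
    """Unique source addresses seen alongside the indicator, for follow-on hunting."""
    return sorted({h["source_ip"] for h in hits if h["source_ip"]})


if __name__ == "__main__":
    found = find_redvds_indicators(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit['line']}: {hit['source']} from {hit['host']} via {hit['source_ip'] or '?'}")
    print("pivot IPs:", pivot_source_ips(found))
```

Matching on a single hostname is deliberately narrow: it will miss any RedVDS tenant who renamed the machine, so it belongs alongside broader signals (new-device logons, unusual mail-sending volume) rather than replacing them.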

Microsoft tracks the threat actor operating RedVDS as Storm-2470. Multiple other criminal groups used the infrastructure, including Storm-0259, Storm-2227, Storm-1575, and Storm-1747. Some had previously used the RaccoonO365 phishing service before its takedown last year.

Industries and Victims

RedVDS-enabled campaigns targeted organizations across legal, construction, manufacturing, real estate, healthcare, and education sectors. Victims spanned the United States, Canada, United Kingdom, France, Germany, Australia, and countries with significant banking infrastructure.

Some high-profile losses documented by Microsoft:

  • H2-Pharma (Alabama pharmaceutical company): $7.3 million
  • Gatehouse Dock Condominium Association (Florida): Nearly $500,000 in resident repair funds

These represent business email compromise attacks where criminals intercept or impersonate legitimate communications to redirect payments. The losses hit organizations that can least afford them—healthcare providers, community associations, small businesses—while enabling criminal operations to scale.

The Takedown Operation

Microsoft's legal action resulted in seizure of two domains hosting the RedVDS marketplace and customer portal. German authorities and Europol coordinated server takedowns across multiple jurisdictions.

The civil actions in U.S. and U.K. courts provide legal mechanisms to identify individuals behind the service. While the immediate disruption stops current operations, the investigation continues toward attribution and potential criminal prosecution.

From Microsoft's announcement: "Through this coordinated action, Microsoft disrupted RedVDS's operations, including seizing two domains that host the RedVDS marketplace and customer portal, while also laying the groundwork to identify the individuals behind them."

Why This Matters

RedVDS exemplifies the industrialization of cybercrime. The service commoditized infrastructure that would otherwise require technical expertise to deploy. By handling the operational complexity, RedVDS lowered barriers for criminals who could focus purely on social engineering and fraud schemes.

The $24/month subscription cost made sophisticated phishing accessible to virtually anyone. Compare that to the $40 million in documented U.S. losses alone—the return on investment for criminals was astronomical.

Microsoft's sustained campaign against such infrastructure matters because it increases friction for criminal operations. When platforms like RedVDS go down, criminals must find alternatives, rebuild infrastructure, or develop new operational security. That displacement doesn't stop cybercrime, but it does slow it down and raise costs.

For organizations, the lesson reinforces familiar guidance: email filtering, multi-factor authentication, payment verification procedures, and employee training remain critical defenses against phishing and BEC attacks. The infrastructure behind these campaigns may change, but the attack patterns persist.
