Microsoft has announced coordinated legal actions in the United States and the United Kingdom that resulted in the takedown of RedVDS, a subscription-based cybercrime service widely used to fuel large-scale online fraud and phishing operations.
According to Microsoft, RedVDS provided criminals with low-cost, disposable virtual Windows servers offering full administrator access. These servers enabled anonymous phishing campaigns, business email compromise (BEC), account takeovers, and financial fraud. Subscription prices started as low as $24 per month, making cybercrime cheap, scalable, and difficult to trace.
Microsoft estimates that since March 2025, RedVDS-enabled activity has caused approximately $40 million in reported fraud losses in the United States alone. Globally, the infrastructure was linked to attacks targeting more than 191,000 organizations, affecting sectors such as finance, healthcare, education, manufacturing, and real estate.
RedVDS operated as a textbook Crimeware-as-a-Service platform, offering illegal RDP servers with no activity logging and optional management via a Telegram bot. Microsoft tracks the service operators under the designation Storm-2470. The infrastructure relied on cloning a single Windows Server 2022 image using QEMU virtualization, allowing new servers to be deployed within minutes.
The threat was further amplified by the integration of generative AI tools, which attackers used to craft realistic phishing emails, deepfake media, and impersonation content to deceive victims.
The takedown of RedVDS highlights how cybercrime has evolved into a service-driven underground economy. At the same time, it demonstrates that coordinated legal and technical actions by major technology companies, combined with law enforcement cooperation, can significantly disrupt global cybercriminal operations.
