Inside the RedVDS Crackdown: How Microsoft and Cops Crippled a Global Cybercrime Engine
International collaboration disrupts a notorious virtual server service fueling phishing and fraud worldwide.
It was a familiar story for many victims: a suspicious email, a breached account, and millions siphoned away in the blink of an eye. But behind the scenes, one digital ghost town powered much of this chaos - a service known as RedVDS. Now, after a sweeping crackdown led by Microsoft and global law enforcement, the engine that quietly fueled phishing and business email compromise attacks around the world is finally sputtering to a halt.
Fast Facts
- RedVDS was a virtual dedicated server (VDS) service enabling cybercriminals to rent ready-to-use Windows servers for attacks.
- Launched in 2019, it powered mass phishing, BEC scams, and financial fraud across six countries and multiple industries.
- Microsoft tracked the group behind RedVDS as Storm-2470, linking over $40 million in reported US fraud losses to the service.
- At its peak, 2,600 RedVDS servers sent an estimated one million phishing emails per day.
- The crackdown involved domain and server seizures, legal action, and efforts to dismantle RedVDS’s payment networks.
The Hidden Backbone of Cybercrime
Since its launch in 2019, RedVDS offered a simple but powerful proposition to cybercriminals: for just $24 a month, anyone could spin up a Windows-based remote desktop server, ready for use in scams and attacks. These disposable virtual machines (VMs) became the backbone for mass phishing campaigns, business email compromise (BEC) schemes, and a dizzying array of online fraud.
Microsoft’s investigation revealed that RedVDS was anything but subtle. The operators, dubbed Storm-2470, cut corners by cloning a single Windows Server 2022 image thousands of times, leaving telltale fingerprints in the form of identical system names and RDP certificates. This allowed Microsoft to track RedVDS activity across continents, linking it to attacks in the US, UK, Canada, France, Germany, and Australia. Targets ranged from hospitals to law firms, construction companies to realtors.
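The fingerprinting technique described above works just as well on a defender's own telemetry. The following is an added example, not Microsoft's tooling or anything from the investigation: it takes constructed RDP certificate observations (the IPs, hostnames and thumbprints are made up) and groups hosts that present the same certificate, something that should never happen for Windows hosts provisioned independently, since each generates its own self-signed RDP certificate on first boot.

```python
from collections import defaultdict

# Constructed sample telemetry: one record per observed RDP endpoint, with the
# certificate it presented on port 3389 and the hostname it advertised.
OBSERVATIONS = [
    {"ip": "203.0.113.10", "hostname": "WIN-CLONE01", "cert_sha256": "aa11" * 16},
    {"ip": "203.0.113.11", "hostname": "WIN-CLONE01", "cert_sha256": "aa11" * 16},
    {"ip": "198.51.100.7", "hostname": "WIN-CLONE01", "cert_sha256": "aa11" * 16},
    {"ip": "192.0.2.44",   "hostname": "WIN-CLONE01", "cert_sha256": "aa11" * 16},
    {"ip": "192.0.2.45",   "hostname": "WIN-CLONE01", "cert_sha256": "aa11" * 16},
    {"ip": "203.0.113.99", "hostname": "FILESRV-02",  "cert_sha256": "bb22" * 16},
    {"ip": "198.51.100.8", "hostname": "DC-EAST",     "cert_sha256": "cc33" * 16},
    {"ip": "198.51.100.9", "hostname": "DC-EAST",     "cert_sha256": "cc33" * 16},
]

def cloned_image_clusters(observations, min_hosts=3):
    """Group hosts by the RDP certificate they present.

    A freshly installed Windows host generates its own RDP certificate, so one
    thumbprint showing up on many unrelated IPs points to a cloned image.
    Returns {thumbprint: {"ips": [...], "hostnames": [...]}} for every
    certificate seen on at least `min_hosts` distinct IPs.
    """
    by_cert = defaultdict(lambda: {"ips": set(), "hostnames": set()})
    for obs in observations:
        entry = by_cert[obs["cert_sha256"]]
        entry["ips"].add(obs["ip"])
        entry["hostnames"].add(obs["hostname"])
    clusters = {}
    for thumb, entry in by_cert.items():
        if len(entry["ips"]) >= min_hosts:
            clusters[thumb] = {
                "ips": sorted(entry["ips"]),
                "hostnames": sorted(entry["hostnames"]),
            }
    return clusters

def blocklist_from_clusters(clusters):
    """Flatten the flagged clusters into a sorted IP list for a mail-gateway or firewall rule."""
    return sorted({ip for c in clusters.values() for ip in c["ips"]})

if __name__ == "__main__":
    found = cloned_image_clusters(OBSERVATIONS)
    for thumb, c in found.items():
        print(f"{thumb[:16]}... seen on {len(c['ips'])} IPs, names={c['hostnames']}")
```

Raising `min_hosts` trades recall for precision: the two `DC-EAST` records above share a certificate too, which is normal for a single host with two interfaces, and only surface when the threshold is lowered to 2.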
RedVDS didn’t execute attacks itself. Instead, it rented out infrastructure to threat actors who installed mass mailers, address harvesters, VPNs, and even AI tools to supercharge their cybercrime campaigns. In just one month, 2,600 RedVDS VMs blasted out a million phishing emails daily - contributing to over 191,000 Microsoft email account compromises since September 2025. One Alabama pharmaceutical firm alone lost $7.3 million through a single BEC attack traced back to RedVDS servers.
Shutting Down a Digital Crime Factory
The crackdown was as coordinated as the crimes it targeted. Microsoft, working alongside international law enforcement, seized RedVDS domains and key servers. Legal actions in both the US and UK sought to tear down the cybercrime service’s infrastructure and unmask the operators behind the scenes. Efforts are also underway to disrupt the payment networks that allowed RedVDS to profit from global chaos.
This takedown follows similar operations against other cybercrime platforms, such as RaccoonO365 and ONNX, signaling a new era of collaboration between tech giants and authorities in the fight against digital crime.
End of a Cybercrime Era?
The fall of RedVDS marks a significant victory in the ongoing war against cybercrime-as-a-service. But as law enforcement and tech companies celebrate, the question remains: how long before another platform rises to take its place? For now, the digital underworld is down one key player - and thousands of organizations can breathe a little easier.
WIKICROOK
- Virtual Dedicated Server (VDS): A virtual dedicated server (VDS) is a virtualized server with dedicated resources, offering enhanced control, security, and performance over shared hosting.
- Remote Desktop Protocol (RDP): Remote Desktop Protocol (RDP) lets users access and control a computer remotely. Without proper security, it can be vulnerable to cyberattacks.
- Business Email Compromise (BEC): Business Email Compromise (BEC) is a scam where criminals hack or impersonate business emails to trick companies into sending money to fraudulent accounts.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Cloning (in computing): Cloning in computing means making exact copies of systems or environments. It’s used for fast deployment, testing, scaling, and disaster recovery.