Microsoft has announced a coordinated legal action with authorities in the United States, United Kingdom, and Germany to disrupt RedVDS, a global cybercrime subscription service linked to an estimated $40 million in fraud losses among US victims alone. The operation dismantled infrastructure hosting approximately 2,600 virtual machines that together sent over 1 million phishing emails a day.
Operation overview
| Metric | Value |
|---|---|
| Estimated fraud losses | $40 million+ (US alone) |
| Virtual machines seized | 2,600 |
| Daily phishing emails | 1 million+ |
| Compromised organizations | 191,000+ |
| Service price | $24/month |
| Microsoft civil action number | 35th against cybercrime |
How RedVDS worked
RedVDS operated as a bulletproof hosting service, providing cybercriminals with disposable virtual infrastructure designed to evade detection and attribution. The service advertised cheap, disposable Windows-based Remote Desktop Protocol (RDP) servers with full administrator control.
Service features
| Capability | Benefit to criminals |
|---|---|
| Disposable VMs | Fresh infrastructure when servers get blocked |
| Full admin control | Complete system access |
| Unlicensed Windows | No legitimate licensing trail |
| Anonymity | Customer identity protection |
| Rapid deployment | New attack infrastructure in minutes |
| Scalability | Support for high-volume operations |
| Abuse tolerance | No takedowns for malicious content |
For $24 per month, a customer received a Windows virtual machine with full administrator control and a provider that would not act on abuse complaints.
Technical signature
Microsoft identified RedVDS infrastructure through a distinctive pattern:
| Indicator | Details |
|---|---|
| Base image | Windows Server 2022 |
| Computer name | WIN-BUNS25TD77J (same for all VMs) |
| Configuration | Identical across all customer VMs |
| Detection method | Consistent artifact across attacks |
Because every customer VM was cloned from the same Windows Server 2022 image, all of them carried the computer name WIN-BUNS25TD77J. That shared artifact let Microsoft link otherwise unrelated attacks back to RedVDS infrastructure.
Threat actor: Storm-2470
Microsoft tracks the primary RedVDS operator as Storm-2470, a threat actor involved in:
| Activity | Role |
|---|---|
| RedVDS marketplace operation | Primary operator |
| Criminal customer recruitment | Marketing and sales |
| Bulletproof hosting management | Infrastructure |
| Fraud proceeds laundering | Financial operations |
While no individuals have been publicly named, Microsoft continues working with law enforcement to identify the people running and profiting from the scheme.
Criminal use cases
Phishing operations
The primary use case was high-volume phishing campaigns:
| Capability | Scale |
|---|---|
| Mass email distribution | 1M+ daily |
| Credential harvesting pages | Thousands hosted |
| Brand impersonation sites | Major companies targeted |
| Infrastructure rotation | Fresh IPs when blocked |
Real estate wire fraud
Real estate wire fraud is one of the fastest-growing cyber fraud categories, and RedVDS infrastructure supported it at each stage:
| Step | Action |
|---|---|
| 1 | Compromise real estate agent or title company email |
| 2 | Monitor for pending transactions |
| 3 | Send fraudulent wire instructions to buyers |
| 4 | Divert funds to criminal-controlled accounts |
| 5 | Launder through multiple hops |
Business email compromise
RedVDS supported BEC operations including:
| Attack type | Infrastructure provided |
|---|---|
| Spoofed email domains | SMTP servers |
| Fake invoice portals | Web hosting |
| Email account takeover | Credential harvesting |
| Fraudulent payment redirection | Landing pages |
Victims and co-plaintiffs
Two organizations joined Microsoft as co-plaintiffs, illustrating the real-world impact:
H2-Pharma
| Detail | Information |
|---|---|
| Location | Alabama |
| Industry | Pharmaceutical |
| Loss | $7.3 million |
| Attack type | Business email compromise |
| Transaction | Real estate wire fraud |
The H2-Pharma case shows the wire fraud pattern step by step:
- Attackers compromised email accounts involved in a real estate transaction and monitored the correspondence
- They identified a pending property purchase worth $7.3 million
- They sent fraudulent wire instructions while impersonating a legitimate party to the deal
- The funds were transferred to criminal-controlled accounts before the fraud was discovered
- The money was then laundered through multiple hops
Gatehouse Dock Condominium Association
| Detail | Information |
|---|---|
| Location | Florida |
| Type | Condominium association |
| Loss | ~$500,000 |
| Attack type | BEC targeting resident funds |
Coordinated takedown
Participants
| Organization | Role |
|---|---|
| Microsoft Digital Crimes Unit | Legal action, technical analysis |
| German Federal Criminal Police (BKA) | Server seizure |
| UK National Crime Agency (NCA) | Investigation support |
| UK High Court | Legal authorization (first time for DCU) |
| Europol | International coordination |
| FBI | US investigation |
| US Attorney’s Office | Prosecution support |
Actions taken
| Action | Result |
|---|---|
| Domain seizure | RedVDS marketplace offline |
| VM seizure | 2,600 VMs captured |
| Customer records | Transaction data obtained |
| UK court action | First Microsoft DCU action in UK courts |
| Ongoing investigation | Criminal prosecutions expected |
UK legal precedent
This action marks the first time Microsoft’s Digital Crimes Unit has used UK courts to disrupt cybercrime infrastructure, demonstrating expanding legal tools for private-sector disruption efforts.
| Jurisdiction | Legal mechanism |
|---|---|
| United States | Civil RICO, Computer Fraud and Abuse Act |
| United Kingdom | High Court injunction (new for DCU) |
| Germany | Criminal seizure orders |
Technical infrastructure
RedVDS infrastructure included:
| Component | Purpose |
|---|---|
| Phishing kits | Pre-built credential harvesting templates |
| SMTP servers | High-volume email delivery |
| VPN services | Customer anonymization |
| Domain registration | Bulk disposable domains |
| Hosting automation | Rapid VM deployment |
| Payment processing | Cryptocurrency and other methods |
The service maintained relationships with upstream hosting providers who either failed to detect or ignored abuse complaints.
Impact on fraud ecosystem
Bulletproof hosting services are critical infrastructure for cybercrime. By providing reliable, anonymous platforms that do not act on abuse complaints, they enable:
| Crime type | RedVDS role |
|---|---|
| Phishing | Email servers, landing pages |
| Wire fraud | BEC infrastructure |
| Ransomware | C2 servers, payment processing |
| Credential theft | Harvesting page hosting |
| Brand impersonation | Fake websites |
| Account takeover | Attack infrastructure |
Disrupting these services has outsized impact because they support multiple criminal operations simultaneously.
Microsoft Digital Crimes Unit history
| Action number | Target | Year |
|---|---|---|
| 35 | RedVDS | 2026 |
| 34 | Storm-1152 | 2023 |
| 33 | ZLoader | 2022 |
| Previous | Botnets, nation-state infrastructure | 2010-2021 |
Microsoft’s DCU has conducted dozens of similar operations using civil legal remedies to complement law enforcement efforts.
Recommendations
For financial transactions
| Control | Purpose |
|---|---|
| Out-of-band verification | Call known numbers to confirm wire details |
| Email security | MFA, monitoring for account compromise |
| Payment controls | Dual authorization for large transfers |
| Employee training | Wire fraud awareness |
| Callback procedures | Verify changes to payment instructions |
For organizations generally
| Action | Benefit |
|---|---|
| Monitor brand impersonation | Detect fake sites early |
| Report abuse promptly | Accelerate takedowns |
| Industry information sharing | Collective defense |
| Takedown services | Professional impersonation response |
| Email authentication | DMARC, DKIM, SPF enforcement |
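The "DMARC, DKIM, SPF enforcement" row is only useful if the published policies actually enforce anything; a DMARC record with `p=none` and an SPF record ending in `~all` leave spoofed mail deliverable. The following is an added example, not code from Microsoft or from the announcement, that grades SPF and DMARC records for enforcement. The records are constructed for the example (a real check would resolve the domain's TXT record and `_dmarc.<domain>` over DNS), and DKIM is deliberately out of scope because selectors cannot be enumerated from the domain alone.

```python
"""Added example: grade SPF and DMARC records for enforcement.

Not part of the original article. The records below are constructed
for illustration; in production, fetch them from DNS.
"""

# Constructed sample records (not real DNS answers).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
    "partial.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=25",
    },
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate(spf, dmarc):
    """Return {"enforcing": bool, "findings": [str]} for one domain.

    "enforcing" means: SPF ends in -all, DMARC policy is quarantine or
    reject, and the policy applies to 100% of failing mail.
    """
    findings = []
    spf_hard = False
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        tail = spf.lower().split()[-1]  # the 'all' mechanism is last by convention
        if tail == "-all":
            spf_hard = True
        elif tail == "~all":
            findings.append("SPF ends with ~all (softfail); receivers rarely reject on softfail alone")
        elif tail == "+all":
            findings.append("SPF ends with +all: every sender passes, record is useless")
        else:
            findings.append("SPF has no terminal all mechanism")

    dmarc_hard = False
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: failing mail lands in spam; move to p=reject once reports are clean")
            dmarc_hard = True
        elif policy == "reject":
            dmarc_hard = True
        if pct < 100:
            findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
            dmarc_hard = False
        if "rua" not in tags:
            findings.append("no rua address: no aggregate reports, so spoofing goes unnoticed")

    return {"enforcing": spf_hard and dmarc_hard, "findings": findings}


def grade_all(records):
    """Evaluate every domain in a {domain: {"spf": ..., "dmarc": ...}} map."""
    return {
        domain: evaluate(rec.get("spf"), rec.get("dmarc"))
        for domain, rec in records.items()
    }


if __name__ == "__main__":
    for domain, result in grade_all(SAMPLE_RECORDS).items():
        status = "ENFORCING" if result["enforcing"] else "WEAK"
        print(f"{domain}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The grade is intentionally strict: a `p=quarantine` policy with `pct=25` is a partial rollout, not enforcement, and an attacker running a high-volume phishing operation only needs the 75% that is never evaluated.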
For real estate transactions
| Control | Implementation |
|---|---|
| Wire verification calls | Use known phone numbers, not email-provided |
| Closing procedure training | Educate all parties on fraud risks |
| Email monitoring | Alert on account compromise indicators |
| Payment confirmation | Verify receipt before releasing property |
Indicators of compromise
RedVDS infrastructure signatures
| Indicator | Value |
|---|---|
| Computer name | WIN-BUNS25TD77J |
| Base image | Windows Server 2022 |
| Deployment pattern | Identical configurations |
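The computer name is the one indicator above that a defender can actually search for, and it is worth stating where it can appear. This is an added example, not code from Microsoft or the announcement: it scans constructed log lines for WIN-BUNS25TD77J in two places where a remote host's self-reported name is commonly recorded, the workstation name in a Windows logon event and the EHLO argument captured in an email's Received header. That the RedVDS VMs surfaced in exactly these fields is an assumption of the example, not a claim from the article, and the sample lines are constructed. Two caveats apply: the name is attacker-controlled and can be changed, so a hit should be corroborated by the source IP, and with the VMs seized the indicator will decay quickly.

```python
"""Added example: hunt for the RedVDS computer-name artifact in logs.

Not part of the original article. Sample log lines are constructed;
the fields searched are an assumption about where the name surfaces.
"""
import re
from collections import defaultdict

# Indicator published for the RedVDS image; every customer VM shared it.
REDVDS_COMPUTER_NAME = "WIN-BUNS25TD77J"

# Constructed Windows Security events in a flat key=value form. 4624 is a
# successful logon, 4625 a failure; LogonType 10 is RemoteInteractive (RDP).
SAMPLE_SECURITY_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=jdoe WorkstationName=WIN-BUNS25TD77J IpAddress=203.0.113.7",
    "EventID=4624 LogonType=10 TargetUserName=asmith WorkstationName=LAPTOP-HR42 IpAddress=10.0.0.15",
    "EventID=4625 LogonType=3 TargetUserName=admin WorkstationName=WIN-BUNS25TD77J IpAddress=198.51.100.23",
]

# Constructed Received headers as a receiving MTA would write them. The
# name after "from" is whatever the sender said in EHLO; the bracketed IP
# is what the MTA observed, so the IP is the trustworthy half.
SAMPLE_RECEIVED_HEADERS = [
    "Received: from WIN-BUNS25TD77J (unknown [203.0.113.7]) by mx.example.net with ESMTP id 8F2A1; Tue, 3 Mar 2026 09:14:02 +0000",
    "Received: from mail.partner.example (mail.partner.example [192.0.2.10]) by mx.example.net with ESMTPS id 8F2A2; Tue, 3 Mar 2026 09:15:44 +0000",
    "Received: from win-buns25td77j (unknown [192.0.2.77]) by mx.example.net with ESMTP id 8F2A3; Tue, 3 Mar 2026 09:16:10 +0000",
]

WORKSTATION_RE = re.compile(r"WorkstationName=(?P<host>\S+).*?IpAddress=(?P<ip>[\d.]+)")
RECEIVED_RE = re.compile(
    r"^Received: from (?P<host>\S+) \((?:\S+ )?\[(?P<ip>[\d.]+)\]\)", re.IGNORECASE
)


def find_redvds_hits(security_events, received_headers, indicator=REDVDS_COMPUTER_NAME):
    """Return {source_ip: {"sources": set, "count": int}} for records whose
    self-reported host name matches the indicator (case-insensitive).

    Results are keyed by the observed IP so that a hit in one log can be
    corroborated against the other before anything is blocked.
    """
    hits = defaultdict(lambda: {"sources": set(), "count": 0})
    for line in security_events:
        match = WORKSTATION_RE.search(line)
        if match and match.group("host").upper() == indicator:
            entry = hits[match.group("ip")]
            entry["sources"].add("security_event")
            entry["count"] += 1
    for line in received_headers:
        match = RECEIVED_RE.match(line)
        if match and match.group("host").upper() == indicator:
            entry = hits[match.group("ip")]
            entry["sources"].add("received_header")
            entry["count"] += 1
    return dict(hits)


def corroborated_ips(hits):
    """IPs seen with the indicator in more than one log source."""
    return sorted(ip for ip, entry in hits.items() if len(entry["sources"]) > 1)


if __name__ == "__main__":
    found = find_redvds_hits(SAMPLE_SECURITY_EVENTS, SAMPLE_RECEIVED_HEADERS)
    for ip, entry in sorted(found.items()):
        print(f"{ip}: {entry['count']} hit(s) via {sorted(entry['sources'])}")
    print("corroborated:", corroborated_ips(found))
```

The match on the name is case-insensitive because the EHLO string is typed by the sender, not normalised by the receiving mail server, while the logon event's workstation name is reported by the client itself; both are therefore attacker-controlled, which is why the function keys on the observed IP.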
Context
The RedVDS takedown demonstrates effective public-private partnership in disrupting cybercrime infrastructure. The involvement of UK courts expands the legal toolkit available to Microsoft’s Digital Crimes Unit, potentially enabling faster action in future cases.
However, bulletproof hosting remains abundant—new services emerge continuously to replace those taken down. RedVDS is likely to be succeeded by similar operations serving the same criminal customer base.
| Reality | Implication |
|---|---|
| Service will be replaced | Ecosystem is resilient |
| Customer data seized | Prosecutions may follow |
| Friction created | Criminals must rebuild |
| Intelligence gathered | Future investigations enabled |
Sustained pressure on these enablers is necessary to increase friction for cybercriminals. Each disruption forces criminals to rebuild infrastructure, find new providers, and accept operational delays—even if the underlying criminal ecosystem persists.
The $40 million in documented losses covers US victims only. Global losses enabled by RedVDS are likely significantly higher, which makes this one of the more impactful cybercrime infrastructure takedowns in recent years.