RedVDS was a cybercrime-as-a-service platform — essentially a criminal subscription service that sold access to virtual desktops/servers that cybercriminals could use to launch scams. For as little as about $24/month, subscribers could spin up disposable Windows-based virtual machines that made fraud cheap, scalable, and hard to trace.
These virtual desktops were widely used in:
- Mass phishing campaigns
- Business Email Compromise (BEC)
- Credential theft
- Account takeover
- Payment diversion and financial fraud
They were rented globally and abused by multiple threat actors to target organizations across sectors like legal, real estate, healthcare, and more.
The Takedown
Microsoft filed coordinated legal actions in both the United States and the United Kingdom to disrupt and dismantle RedVDS. As part of this joint international effort (including Europol and German law enforcement), authorities were able to:
- Seize key infrastructure used to run RedVDS
- Take the main marketplace and customer portal offline
- Take legal action to restrict continued operations
- Work with partners to disrupt associated payment networks and servers
This marked the first major cross-border civil action by Microsoft against RedVDS.
Impact of RedVDS Cybercrime
Microsoft and partners estimate that RedVDS-enabled schemes have caused at least $40 million in reported losses in the U.S. alone since March 2025.
Victims joining the legal action against RedVDS include:
- An Alabama pharmaceutical company that lost over $7.3 million
- A Florida condominium association defrauded of nearly $500,000
RedVDS had operated publicly since 2019, and over recent months it was tied to thousands of campaigns, including phishing and account compromise.
Broader Context & Techniques
- RedVDS rented virtual servers from hosting providers in multiple countries, helping attackers evade geolocation-based defenses.
- Many RedVDS machines were built from the same Windows Server image, which helped defenders track and attribute attacks.
- Cybercriminals used these machines with tools such as mass mailers, phishing kits, and automation scripts to scale attacks.
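The first two points above can be turned into a detection idea: source IP and country change from one rented machine to the next, but an artifact inherited from a shared image does not. The following is an added example, not code from Microsoft or from the original article. The `host_id` field, its values, and all log lines are constructed assumptions, because the article does not say which image artifact defenders used.

```python
from collections import defaultdict

# Constructed sign-in events, not real telemetry. "host_id" is a hypothetical
# field standing in for whatever image-derived artifact a log source records.
EVENTS = [
    {"user": "ap@corp.example", "ip": "198.51.100.10", "country": "US", "host_id": "IMG-PLACEHOLDER-A"},
    {"user": "cfo@corp.example", "ip": "203.0.113.77", "country": "DE", "host_id": "IMG-PLACEHOLDER-A"},
    {"user": "hr@firm.example", "ip": "192.0.2.45", "country": "GB", "host_id": "IMG-PLACEHOLDER-A"},
    # One employee travelling with one laptop: two countries, but a single account.
    {"user": "eve@corp.example", "ip": "198.51.100.200", "country": "US", "host_id": "LAPTOP-EVE"},
    {"user": "eve@corp.example", "ip": "203.0.113.5", "country": "FR", "host_id": "LAPTOP-EVE"},
    # Shared office kiosk: several accounts, but one country.
    {"user": "bob@corp.example", "ip": "198.51.100.21", "country": "US", "host_id": "KIOSK-01"},
    {"user": "ann@corp.example", "ip": "198.51.100.21", "country": "US", "host_id": "KIOSK-01"},
    # Event with no artifact recorded: cannot be clustered, so it is skipped.
    {"user": "ap@corp.example", "ip": "192.0.2.99", "country": "NL", "host_id": None},
]


def cluster_by_host_artifact(events, min_countries=2, min_users=2):
    """Group events by host artifact; flag artifacts that recur across
    several countries AND several accounts, which one cloned image would do."""
    seen = defaultdict(lambda: {"ips": set(), "countries": set(), "users": set()})
    for event in events:
        host = event.get("host_id")
        if not host:
            continue
        seen[host]["ips"].add(event["ip"])
        seen[host]["countries"].add(event["country"])
        seen[host]["users"].add(event["user"])
    flagged = {}
    for host, s in seen.items():
        if len(s["countries"]) >= min_countries and len(s["users"]) >= min_users:
            flagged[host] = {key: sorted(values) for key, values in s.items()}
    return flagged


if __name__ == "__main__":
    for host, detail in cluster_by_host_artifact(EVENTS).items():
        print(host, detail)
```

Requiring both thresholds keeps a travelling employee and a shared kiosk out of the results; a geolocation rule alone would not separate them from the cloned-image cluster.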
Why This Matters
RedVDS exemplified a cybercrime-as-a-service trend, where criminal infrastructure is commodified and marketed like legitimate tech solutions — making it easier for less-sophisticated attackers to launch high-impact scams.
The takedown underscores:
- The growing role of public-private partnerships in cybercrime disruption
- The legal as well as technical approaches being used to fight global digital threats
- How even inexpensive criminal services can fuel large-scale fraud
