Microsoft announced that it has disrupted RedVDS, a large cybercrime-as-a-service platform linked to at least $40 million in reported losses in the United States since March 2025.
The company filed civil lawsuits in the US and the UK, seizing key infrastructure and taking RedVDS’s marketplace and customer portal offline. The action was part of a coordinated international effort involving Europol and German authorities.
Active since 2019, RedVDS sold access to disposable virtual Windows servers for as little as $24 a month, allowing criminals to run fraud and phishing operations at scale. Microsoft said the service supported multiple cybercriminal groups and rented servers across North America and Europe to help attackers evade security controls.
Microsoft says all RedVDS virtual machines were cloned from a single Windows Server image with the same computer name, which helped link the service to numerous malicious campaigns. RedVDS infrastructure was used for phishing, credential theft, account takeovers, payment diversion schemes, and real estate fraud affecting thousands of victims globally.
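The shared computer name described above can be used as a hunting signal in a defender's own logs. The following is an added example, not code from Microsoft or the original article: it groups connection events by the hostname the client reported and flags any name seen from several unrelated networks. The field names, thresholds, and the hostname `EXAMPLE-CLONE-01` are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). The field names are
# assumptions about what a sign-in or mail-gateway log records per connection.
EVENTS = [
    {"host": "EXAMPLE-CLONE-01", "ip": "192.0.2.10", "asn": "AS64496", "account": "alice@example.com"},
    {"host": "example-clone-01", "ip": "198.51.100.22", "asn": "AS64497", "account": "bob@example.com"},
    {"host": "EXAMPLE-CLONE-01", "ip": "203.0.113.5", "asn": "AS64498", "account": "carol@example.com"},
    {"host": "EXAMPLE-CLONE-01", "ip": "192.0.2.10", "asn": "AS64496", "account": "dave@example.com"},
    {"host": "LAPTOP-ALICE", "ip": "192.0.2.77", "asn": "AS64496", "account": "alice@example.com"},
    {"host": "LAPTOP-ALICE", "ip": "192.0.2.78", "asn": "AS64496", "account": "alice@example.com"},
    {"host": None, "ip": "203.0.113.9", "asn": "AS64498", "account": "erin@example.com"},
]


def shared_hostname_clusters(events, min_ips=3, min_asns=2):
    """Return hostnames reported from many unrelated networks.

    One real machine can roam between a few addresses, but a single hostname
    arriving from several IPs in several ASNs suggests many VMs cloned from
    one image. Thresholds are assumptions to tune per environment.
    """
    seen = defaultdict(lambda: {"ips": set(), "asns": set(), "accounts": set()})
    for event in events:
        # Computer names are case-insensitive; normalise before grouping.
        host = (event.get("host") or "").strip().upper()
        if not host:
            continue  # no hostname reported, nothing to correlate on
        seen[host]["ips"].add(event["ip"])
        seen[host]["asns"].add(event["asn"])
        seen[host]["accounts"].add(event["account"])

    clusters = {}
    for host, stats in seen.items():
        if len(stats["ips"]) >= min_ips and len(stats["asns"]) >= min_asns:
            clusters[host] = {key: sorted(values) for key, values in stats.items()}
    return clusters


if __name__ == "__main__":
    for host, stats in shared_hostname_clusters(EVENTS).items():
        print(host, len(stats["ips"]), "IPs,", len(stats["accounts"]), "accounts targeted")
```

Requiring more than one ASN keeps a roaming laptop on a single provider from being flagged, while the accounts list shows which users to review first.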
Microsoft also reported that some attackers used artificial intelligence tools to create more convincing phishing messages and impersonations. In one month alone, criminals operating more than 2,600 RedVDS virtual machines sent about one million phishing emails per day, contributing to nearly 200,000 compromised accounts over four months.