Microsoft Disrupts RedVDS Cybercrime Infrastructure Preventing Online Fraud

Microsoft on Wednesday announced that it has taken a “coordinated legal action” in the U.S. and the U.K. to disrupt a cybercrime subscription service called RedVDS that has allegedly fueled millions in fraud losses.

The effort, per the tech giant, is part of a broader collaboration with law enforcement authorities that allowed it to seize the malicious infrastructure and take the illegal service (redvds[.]com, redvds[.]pro, and vdspanel[.]space) offline.

“For as little as US $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable, and difficult to trace,” said Steven Masada, assistant general counsel of Microsoft’s Digital Crimes Unit. “Since March 2025, RedVDS‑enabled activity has driven roughly US $40 million in reported fraud losses in the United States alone.”

Crimeware-as-a-service (CaaS) offerings have increasingly become a lucrative business model, transforming cybercrime from what once was an exclusive domain that required technical expertise into an underground economy where even inexperienced and aspiring threat actors can carry out complex attacks quickly and at scale.

These turnkey services span a wide spectrum of modular tools, ranging from phishing kits to stealers to ransomware, effectively contributing to the professionalization of cybercrime and emerging as a catalyst for sophisticated attacks.

Microsoft said RedVDS was advertised as an online subscription service that provides cheap and disposable virtual computers running unlicensed software, including Windows, enabling criminals to operate anonymously and send high‑volume phishing emails, host scam infrastructure, pull off business email compromise (BEC) schemes, conduct account takeovers, and facilitate financial fraud.

Specifically, it served as a hub for purchasing unlicensed and inexpensive Windows-based Remote Desktop Protocol (RDP) servers with full administrator control and no usage limits through a feature-rich user interface. RedVDS, besides providing servers located in Canada, the U.S., France, the Netherlands, Germany, Singapore, and the U.K., also offered a reseller panel to create sub-users and grant them access to manage the servers without having to share access to the main site.

An FAQ section on the website noted that users can leverage its Telegram bot to manage their servers from within the Telegram app instead of having to log in to the site. Notably, the service did not maintain activity logs, making it an attractive choice for illicit use.

According to snapshots captured on the Internet Archive, RedVDS was advertised as a way to “increase your productivity and work from home with comfort and ease.” The service, the maintainers said on the now-seized website, was first founded in 2017 and operated on Discord, ICQ, and Telegram. The website was launched in 2019.

“RedVDS is frequently paired with generative AI tools that help identify high‑value targets faster and generate more realistic, multimedia message email threads that mimic legitimate correspondences,” the company said, adding it “observed attackers further augment their deception by leveraging face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals and deceive victims.”


“The losses associated with RedVDS have been reported across a diverse range of fraud schemes, including unemployment insurance fraud, loan fraud, and credit card fraud,” Microsoft said.

It also linked the RedVDS infrastructure to 191,000 affected organizations and 550,000 fraudulent incidents, adding that the service has been tied to a number of malicious cyber campaigns, including phishing and BEC.

The Redmond-based company noted that the infrastructure was also used by a separate threat actor to target individuals with phishing emails to harvest their Microsoft account credentials.

Microsoft said it has identified over 100,000 compromised accounts to date, and that affected parties are in the process of being notified.

“By taking action against RedVDS, we are preventing the proliferation of this infrastructure to threat actors around the globe who can leverage it to conduct a variety of attacks,” Masada said. “We will continue to collaborate with law enforcement and other partners to disrupt cybercrime and protect our customers.”

The takedown is part of a growing trend of law enforcement agencies and tech companies joining forces to dismantle cybercrime infrastructure and hold perpetrators accountable for their actions.

In November 2023, the U.S. Department of Justice (DoJ) announced the disruption of a global network of criminal actors who employed sophisticated techniques, including the use of anonymized infrastructure and virtual currency, to engage in large-scale fraud schemes and launder the proceeds.

More recently, the DoJ revealed the seizure of the domain name (thewebtrove[.]com) allegedly used to facilitate computer fraud in connection with the sale of compromised personal information.
