Microsoft on Wednesday announced that it has taken a “coordinated legal action” in the U.S. and the U.K. to disrupt a cybercrime subscription service called RedVDS that has allegedly fueled millions in fraud losses.
The action, per the tech giant, is part of a broader effort in collaboration with law enforcement authorities that has allowed it to confiscate the malicious infrastructure and take the illegal service (redvds[.]com, redvds[.]pro, and vdspanel[.]space) offline.
“For as little as US $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable, and difficult to trace,” said Steven Masada, assistant general counsel of Microsoft’s Digital Crimes Unit. “Since March 2025, RedVDS‑enabled activity has driven roughly US $40 million in reported fraud losses in the United States alone.”
Crimeware-as-a-service (CaaS) offerings have increasingly become a lucrative business model, transforming cybercrime from what once was an exclusive domain that required technical expertise into an underground economy where even inexperienced and aspiring threat actors can carry out complex attacks quickly and at scale.
These turnkey services span a wide spectrum of modular tools, ranging from phishing kits to stealers to ransomware, effectively contributing to the professionalization of cybercrime and emerging as a catalyst for sophisticated attacks.
Microsoft said RedVDS was advertised as an online subscription service that provides cheap and disposable virtual computers running unlicensed software, including Windows, enabling criminals to operate anonymously and send high‑volume phishing emails, host scam infrastructure, pull off business email compromise (BEC) schemes, conduct account takeovers, and facilitate financial fraud.
Specifically, it served as a hub for purchasing unlicensed and inexpensive Windows-based Remote Desktop Protocol (RDP) servers with full administrator control and no usage limits through a feature-rich user interface. RedVDS, besides providing servers located in Canada, the U.S., France, the Netherlands, Germany, Singapore, and the U.K., also offered a reseller panel to create sub-users and grant them access to manage the servers without having to share access to the main site.
According to snapshots captured on the Internet Archive, RedVDS was advertised as a way to “increase your productivity and work from home with comfort and ease.” The service, the maintainers said on the now-seized website, was founded in 2017 and operated on Discord, ICQ, and Telegram. The website was launched in 2019.
“RedVDS is frequently paired with generative AI tools that help identify high‑value targets faster and generate more realistic, multimedia message email threads that mimic legitimate correspondences,” the company said, adding it “observed attackers further augment their deception by leveraging face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals and deceive victims.”






