News
Microsoft Dismantles RedVDS Cybercrime Marketplace Linked to $40M in Phishing Fraud
- By Chris Paoli
- January 16, 2026
In a coordinated action spanning the United States and the United Kingdom, Microsoft’s Digital Crimes Unit (DCU) and international law enforcement collaborators have taken down RedVDS, a subscription‑based cybercrime platform tied to an estimated $40 million in fraud losses in the U.S. since March 2025. The platform was used by financially motivated attackers to carry out mass phishing, account takeovers and business email compromise.
Investigators found that more than 191,000 organizations worldwide were compromised or otherwise affected by RedVDS‑related activity since September 2025. In addition, in just one month, more than 2,600 RedVDS virtual machines sent an average of 1 million phishing emails to Microsoft customers per day. Microsoft worked with international law enforcement partners to seize key infrastructure and push the RedVDS marketplace offline.
Microsoft Threat Intelligence tracks the operator behind RedVDS as Storm-2470. Investigators found that cybercriminals around the world were buying access to the service to target organizations in legal, construction, manufacturing, real estate, health care and education sectors. Victims were spread across the United States, Canada, the United Kingdom, France, Germany and Australia.
Microsoft described RedVDS as a criminal marketplace that sold illegal software and services designed to make cybercrime easy to scale. Customers could rent unlicensed Windows-based Remote Desktop Protocol servers with full administrator access for as little as $24 per month through what Microsoft said was a straightforward user interface.
The service also left behind some clear technical tells. Microsoft said every RedVDS system it identified was built from the same cloned Windows Server 2022 image. All of the machines shared the same computer name, WIN-BUNS25TD77J, which became a reliable indicator of RedVDS activity.
RedVDS relied on automated provisioning built on QEMU (Quick Emulator) virtualization and VirtIO drivers to quickly spin up Windows instances. Rather than operating its own data centers, the service rented servers from at least five hosting providers across the United States, Canada, the United Kingdom, France and the Netherlands.
Two organizations are joining Microsoft as co-plaintiffs in the civil case. H2-Pharma, a pharmaceutical company, lost more than $7.3 million in a RedVDS-enabled scam. The Gatehouse Dock Condominium Association in Florida was defrauded of nearly $500,000 in resident funds intended for essential building repairs.
Microsoft said both organizations agreed to come forward and share their experiences publicly, a step the company said was critical to making the legal action possible and helping protect future victims.
The RedVDS disruption follows Microsoft’s September 2025 takedown of RaccoonO365, a phishing-as-a-service operation tied to thousands of compromised Microsoft 365 credentials. In that action, Microsoft seized 338 domains linked to the criminal platform.
Microsoft said multiple threat actors, including Storm-0259, Storm-2227, Storm-1575 and Storm-1747, have used RedVDS infrastructure. The company also observed phishing groups that previously relied on RaccoonO365 shifting to RedVDS after that service was shut down.
Within Microsoft Defender XDR, RedVDS-related activity can surface through alerts tied to suspicious inbox rules associated with business email compromise, risky sign-ins following phishing campaigns and questionable AnyDesk installations.
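As an added illustration of how a defender might operationalize two of the points above (the shared computer name WIN-BUNS25TD77J reported as a RedVDS indicator, and the suspicious inbox rules that surface in business email compromise), the following Python script is example code written for this article, not Microsoft's tooling or any published detection. The log records it scans are constructed samples, and the field names (`Operation`, `UserId`, `DeviceName`, `Parameters`) are assumptions loosely modelled on unified-audit-log style records; the `New-InboxRule` / `Set-InboxRule` operation names and the `ForwardTo`, `RedirectTo` and `DeleteMessage` parameters are real Exchange Online cmdlet names and parameters, but where they appear in your own telemetry depends on your export format.

```python
from typing import Iterable, Iterator, List, Optional, Tuple

# Indicator named in the article: the cloned computer name that every
# RedVDS machine Microsoft identified shared.
REDVDS_COMPUTER_NAME = "WIN-BUNS25TD77J"

# Inbox-rule operations and the parameters that typically indicate
# exfiltration or concealment in a BEC inbox rule.
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample events (not real telemetry). Field names are assumptions.
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "DeviceName": "win-buns25td77j"},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": {"Name": ".", "ForwardTo": "mailbox@example.net",
                    "DeleteMessage": True}},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.5", "DeviceName": "BOB-LAPTOP"},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]


def _strings(value) -> Iterator[str]:
    """Yield every string found anywhere inside a (possibly nested) event."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)


def contains_redvds_hostname(event: dict) -> bool:
    """True if any string field in the event equals the RedVDS computer name.

    The comparison is case-insensitive and walks nested fields, so it does not
    depend on knowing in advance which field carries the device name.
    """
    needle = REDVDS_COMPUTER_NAME.casefold()
    return any(s.casefold() == needle for s in _strings(event))


def suspicious_inbox_rule(event: dict) -> Optional[str]:
    """Return a reason string if the event creates/modifies a risky inbox rule."""
    if event.get("Operation") not in INBOX_RULE_OPS:
        return None
    params = event.get("Parameters", {})
    reasons = []
    if EXFIL_PARAMS & set(params.keys()):
        reasons.append("mail forwarded or redirected out of the mailbox")
    if params.get("DeleteMessage"):
        reasons.append("rule silently deletes messages")
    return "; ".join(reasons) or None


def triage(events: Iterable[dict]) -> List[Tuple[Optional[str], str]]:
    """Scan events and return (user, reason) findings worth an analyst's look."""
    findings = []
    for event in events:
        user = event.get("UserId")
        if contains_redvds_hostname(event):
            findings.append((user, f"device name matches RedVDS indicator {REDVDS_COMPUTER_NAME}"))
        reason = suspicious_inbox_rule(event)
        if reason:
            findings.append((user, f"suspicious inbox rule: {reason}"))
    return findings


if __name__ == "__main__":
    for user, reason in triage(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

Run on the constructed sample, the script flags only the first user: once for the sign-in from a host whose name matches the indicator, and once for the inbox rule that forwards mail elsewhere and deletes it. The second user's "move newsletters to a folder" rule is benign and produces no finding, which is the distinction an analyst wants preserved so that the alert stays actionable.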
Microsoft continues to recommend that organizations use multifactor authentication, verify payment requests through secondary contact methods, closely monitor for subtle changes in email addresses, keep software up to date and report suspected cybercrime to law enforcement. The company said those steps remain key to breaking up operations like RedVDS.