Jan. 14, 2026 — Redmond, Wash. Microsoft’s Digital Crimes Unit (DCU), in coordination with law enforcement agencies worldwide, disrupted RedVDS, a subscription-based virtual desktop service used by cybercriminals for phishing, business email compromise (BEC), and payment diversion scams.
The operation involved court orders in the United States and United Kingdom—Microsoft’s first such legal action in the UK—leading to the seizure of RedVDS domains, including redvds.com, redvds.pro, and vdspanel.space, taking the marketplace offline, according to Microsoft’s announcement.
RedVDS provided disposable Windows-based Remote Desktop Protocol (RDP) servers for as little as $24 per month, payable in cryptocurrency, enabling fraudsters to deploy tools like mass mailers, email harvesters, VPNs, and AI services for scalable attacks.
Over 2,600 virtual machines were active in one month, sending an average of one million phishing messages daily to Microsoft customers, the company reported.
The service, operated under a fictitious Bahamian entity by threat actor Storm-2470, fueled roughly $40 million in reported U.S. fraud losses since March 2025, with the true toll likely higher due to underreporting.
It compromised or accessed more than 191,000 organizations worldwide since September 2025, targeting sectors such as real estate, pharmaceuticals, healthcare, construction, manufacturing, logistics, education, and legal services across the U.S., Canada, the UK, France, Germany, Australia, and others.
“For as little as US $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable, and difficult to trace.”
— Steven Masada, assistant general counsel of Microsoft’s Digital Crimes Unit
Partners included Germany’s Public Prosecutor’s Office Frankfurt am Main, the German State Criminal Police Office Brandenburg, and Europol’s European Cybercrime Centre (EC3).
RedVDS infrastructure was hosted across providers in the U.S., Canada, the UK, France, the Netherlands, Germany, and Singapore.
SC Media highlighted the disruption on X, noting the service’s role in phishing and payment diversion.
.@Microsoft and law enforcement dismantled RedVDS, a $24/mo “cybercrime-as-a-service” used in phishing and payment diversion tied to $40M+ U.S. losses. #cybersecurity #infosec #CISO #ITsecurity https://t.co/pqr
— SC Media (@SCMagazine) January 18, 2026
The takedown builds on Microsoft’s prior actions against related services like RacoonO365 and is part of 35 civil actions by the DCU.
