Dismantling the Phish-Factory: Microsoft Seizes RedVDS Cybercrime Network
Microsoft has announced the takedown of RedVDS, a platform that since 2019 sold cybercriminals access to remote virtual machines. Those machines were used to run large-scale phishing campaigns, harvest credentials and commit financial fraud, with losses exceeding $40 million in the United States alone.
RedVDS operated as a subscription service: for $24 a month, customers got access to remote workstations pre-loaded with software for fraud, including pirated Windows installations. From these machines they sent phishing emails, hosted fraudulent infrastructure and quietly monitored compromised mailboxes. At its peak, Microsoft tracked more than 2,600 virtual machines sending an average of one million phishing emails a day. Even with strict filtering, enough reached their targets to compromise more than 191,000 accounts across more than 130,000 organizations worldwide.
The platform was used heavily in Business Email Compromise (BEC) schemes, with a particular focus on in-progress real estate transactions. Fraudsters read intercepted correspondence and inserted themselves at the final stage of settlement to redirect the payment to accounts they controlled. Microsoft reports that RedVDS-enabled operations harmed more than 9,000 organizations in the real estate sector, notably in Canada and Australia, and also hit institutions in logistics, healthcare, construction and academia.
Among the victims were the US pharmaceutical company H2 Pharma, which lost $7.3 million, and a Florida housing association defrauded of roughly $500,000 in renovation funds collected from tenants. Both organizations joined Microsoft as co-plaintiffs in civil suits filed in the United States and the United Kingdom.
In a coordinated action with Europol and German law enforcement, Microsoft seized the domains that controlled RedVDS and identified the principal operators. German authorities confiscated the central server that ran the service. The operators have not been named publicly, but the service was run through a shell company purportedly registered in the Bahamas and accepted payment only in cryptocurrency.
The group rented server space from third-party hosting providers in the US, Canada, the UK, France and the Netherlands so that attacks originated from IP addresses geographically close to their victims, a tactic intended to evade geolocation-based security filters. Microsoft also found that RedVDS was used to distribute malicious PDF and HTML attachments, stand up counterfeit websites, and steal authentication tokens and session cookies, which let an attacker bypass two-factor authentication (2FA) because the stolen session has already passed the MFA check. To make their English-language lures more convincing, the operators frequently used generative AI tools, including ChatGPT.
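The two techniques above, hosting near the victim and replaying stolen session cookies, interact: a replayed cookie skips MFA, and a nearby source IP defeats distance-based "impossible travel" rules. The following Python is an added example written for this page, not code from Microsoft or from the article; it assumes sign-in telemetry that records a session identifier, the ASN of the source IP and the user agent (the field names and every sample event are constructed), and it flags a session id that reappears from a different network or client fingerprint regardless of distance.

```python
"""Detecting replay of a stolen session cookie in sign-in telemetry.

A session cookie minted after the victim completed MFA is accepted as that
authenticated session wherever it is presented, so stealing it skips 2FA.
Attackers who rent VMs near their victims also defeat distance-based
"impossible travel" rules. This check therefore ignores distance and flags
a session id that reappears from a different network (ASN) or a different
client fingerprint (user agent). All field names and events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str    # hypothetical: a hash of the session cookie value
    ip: str
    asn: str           # autonomous system that announces the source IP
    user_agent: str


@dataclass(frozen=True)
class Alert:
    user: str
    session_id: str
    previous_ip: str
    replay_ip: str
    reasons: Tuple[str, ...]


def detect_cookie_replay(events: List[SignIn]) -> List[Alert]:
    """Flag a session id whose ASN or user agent differs from its previous use.

    A bare IP change is tolerated (carrier NAT, DHCP, mobile handoff), but a
    change of network operator or client fingerprint for the same cookie is
    the signature of the cookie being presented from another machine.
    """
    last_use: Dict[str, SignIn] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_use.get(ev.session_id)
        if prev is not None:
            reasons = []
            if ev.asn != prev.asn:
                reasons.append("asn_change")
            if ev.user_agent != prev.user_agent:
                reasons.append("user_agent_change")
            if reasons:
                alerts.append(Alert(ev.user, ev.session_id, prev.ip, ev.ip, tuple(reasons)))
        last_use[ev.session_id] = ev
    return alerts


def sample_events() -> List[SignIn]:
    """Constructed telemetry: one replayed cookie, one benign IP change."""
    t = datetime(2025, 3, 3)
    return [
        # Victim signs in from a home ISP connection and completes MFA.
        SignIn(t.replace(hour=9, minute=0), "alice", "sid-a1", "203.0.113.10",
               "AS64500 HomeISP", "Chrome/Windows"),
        # Same cookie 35 minutes later from a hosting provider's VM in the same
        # city: close enough to pass a geo filter, but the ASN and UA differ.
        SignIn(t.replace(hour=9, minute=35), "alice", "sid-a1", "198.51.100.7",
               "AS64501 HostingCo", "Chrome/Linux"),
        # Bob's phone changes IP within the same carrier: no alert expected.
        SignIn(t.replace(hour=10, minute=0), "bob", "sid-b7", "192.0.2.5",
               "AS64502 MobileCarrier", "Safari/iOS"),
        SignIn(t.replace(hour=10, minute=20), "bob", "sid-b7", "192.0.2.9",
               "AS64502 MobileCarrier", "Safari/iOS"),
    ]


if __name__ == "__main__":
    for a in detect_cookie_replay(sample_events()):
        print(f"{a.user}: session {a.session_id} reused from {a.replay_ip} "
              f"(previously {a.previous_ip}); reasons={','.join(a.reasons)}")
```

The ASN lookup is assumed to happen upstream in the log pipeline; the check itself only compares consecutive uses of the same session id. An alert should feed into revoking the session rather than just notifying, since the attacker already holds a valid post-MFA cookie. Expect some noise from users toggling a VPN mid-session, which changes the ASN legitimately, so tune on the combination of reasons before paging.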
This is Microsoft's 35th takedown of cybercriminal infrastructure. Earlier in 2025 the company dismantled RaccoonO365, another credential-theft service; a sizable share of that service's customers were later found to have moved to RedVDS.