Saturday, January 17, 2026

Microsoft shuts down RedVDS cybercrime platform linked to $40 million in phishing fraud

Microsoft has taken down RedVDS, a subscription-based cybercrime platform linked to an estimated $40 million in fraud losses in the United States since March 2025. The action was carried out by Microsoft’s Digital Crimes Unit in coordination with law enforcement agencies in the United States and the United Kingdom.

RedVDS was used by financially motivated attackers to run large-scale phishing campaigns, carry out account takeovers, and execute business email compromise scams. Investigators said more than 191,000 organisations worldwide were affected by RedVDS-related activity since September 2025. In just one month, over 2,600 RedVDS virtual machines were sending an average of one million phishing emails per day to Microsoft customers.

Microsoft Threat Intelligence tracks the operator of RedVDS under the name Storm-2470. Criminals from different countries used the service to target organisations in sectors such as legal, construction, manufacturing, real estate, health care, and education. Victims were reported in the United States, Canada, the United Kingdom, France, Germany, and Australia.

Microsoft described RedVDS as a criminal marketplace that sold illegal software and services designed to make cybercrime easier to scale. Users could rent unlicensed Windows-based Remote Desktop Protocol servers with full administrator access for as little as $24 per month through what Microsoft called a simple user interface.

All identified RedVDS systems were built from the same cloned Windows Server 2022 image and shared the same computer name, WIN-BUNS25TD77J, which helped investigators track the activity. The platform used automated provisioning tools and rented servers from hosting providers across several countries.

Two organisations have joined Microsoft as co-plaintiffs in the civil case. A pharmaceutical company lost more than $7.3 million, while a condominium association in Florida lost nearly $500,000 meant for essential building repairs. Microsoft said their decision to speak publicly was vital to making the legal action possible.

Microsoft continues to advise organisations to use multifactor authentication, verify payment requests through secondary channels, monitor email activity closely, keep systems updated, and report cybercrime to authorities.
