Microsoft taps UK courts to dismantle cybercrime host RedVDS
Microsoft has taken its cybercrime fight to the UK in its first major civil action outside the US, moving to shut down RedVDS, a virtual desktop service used to power phishing and fraud at global scale.
Redmond says it has filed parallel civil actions in the US and the UK, yanking RedVDS’s marketplace and customer portal offline and seizing chunks of its infrastructure as part of a wider cross-border operation involving Europol and German law enforcement.
RedVDS is a cybercrime-as-a-service platform that sells criminals access to disposable virtual dedicated servers for as little as $24 a month. Those rented machines are then used to send phishing emails, hijack accounts, and run scams that Microsoft says have resulted in roughly $40 million in reported fraud losses in the US alone.
The operation leaned on both the legal system and technical disruption. Microsoft said it worked with law enforcement to seize two domains used to host the RedVDS marketplace and customer portal, replacing them with a seizure notice.
“This website domain has been seized by Microsoft,” the notice, seen by The Register, reads. “Microsoft is committed to combating cybercrime. We prioritize protecting our customers by implementing robust security measures and taking appropriate actions, including filing civil lawsuits, to ensure a safe and secure digital environment.”
At the same time, the company filed a civil lawsuit in the US District Court for the Southern District of Florida, alleging the service relied on pirated copies of Windows Server to facilitate criminal activity.
According to Microsoft, RedVDS rented infrastructure from at least five hosting companies spread across the US, Canada, the UK, France, and the Netherlands. Its investigation found a loose, global network of cybercriminals buying access to the service and using it to target organizations across legal, construction, manufacturing, real estate, healthcare, and education sectors.
Victims were identified not only in North America and Europe but also in Australia and other regions with large banking sectors and greater potential for payoffs.
Among the named victims is H2-Pharma, an Alabama-based pharmaceutical firm that lost more than $7.3 million in a scam. In another case, the Gatehouse Dock Condominium Association in Florida was tricked out of nearly $500,000 – funds contributed by residents for essential building repairs. Both organizations are now joining Microsoft as co-plaintiffs in the civil action.
Since September 2025, Microsoft says, RedVDS-enabled attacks have led to the compromise of, or fraudulent access to, more than 191,000 organizations worldwide. In one month alone, more than 2,600 RedVDS virtual machines sent an average of 1 million phishing messages per day to Microsoft customers. Most were blocked or flagged as part of the roughly 600 million cyberattacks Microsoft claims to fend off daily, but even a tiny success rate translates into real money when volumes are that high.
Microsoft tracks the operator behind the service as Storm-2470, and while no individuals have been publicly named, the company says it is continuing to work with law enforcement to identify the people running and profiting from the scheme. RedVDS itself is framed less as a single gang and more as an enabler – infrastructure for hire that allowed many different criminal crews to plug in and go.
Steven Masada, assistant general counsel in Microsoft’s Digital Crimes Unit, said the economics of services like RedVDS are a big part of the problem. “For as little as $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable, and difficult to trace. Services like these have quietly become a driving force behind today’s surge in cyber-enabled crime, powering attacks that harm individuals, businesses, and communities worldwide.”
This isn’t the first time Microsoft has taken this approach. In September, working alongside Cloudflare, the company’s Digital Crimes Unit disrupted RaccoonO365, a large phishing-as-a-service operation that stole thousands of Microsoft 365 credentials. ®