Microsoft disrupts RedVDS cybercrime service in joint US–UK legal action

Coordinated takedown targets a subscription-based criminal platform that sold disposable virtual machines used for phishing and fraud.

by Defused News Writer

Microsoft said it has moved to disrupt RedVDS, a global cybercrime subscription service, through coordinated legal action in the United States and the United Kingdom, alongside international law enforcement.

The company said the operation was conducted with partners, including German authorities and Europol, resulting in the seizure of key malicious infrastructure and the RedVDS marketplace being taken offline.

RedVDS operated as a so-called “bulletproof” virtual desktop service. It sold disposable virtual computers, known as virtual machines, for as little as $24 a month. These virtual machines are cloud-based systems that can be created, used and discarded quickly. Microsoft said this model allowed criminals to scale phishing, business email compromise and other fraud cheaply, while making it harder for defenders to trace activity back to a single physical device or operator.

According to Microsoft, RedVDS-enabled activity has driven around $40 million in reported fraud losses in the United States alone since March 2025. The company named H2-Pharma, which it said lost more than $7.3 million, and the Gatehouse Dock Condominium Association, which it said lost nearly $500,000. Both organisations are joining Microsoft as co-plaintiffs in the civil case.

Microsoft said more than 2,600 distinct RedVDS virtual machines were observed sending an average of one million phishing messages per day to Microsoft customers. Phishing messages are fraudulent emails or messages designed to trick recipients into revealing passwords, financial details or other sensitive information. The company said most of these messages were blocked or flagged as part of the roughly 600 million cyberattacks it stops daily across its platforms.

Microsoft said that since September 2025, RedVDS-enabled attacks have resulted in the compromise or fraudulent access of more than 191,000 organisations worldwide. In this context, compromise refers to attackers gaining unauthorised access to systems, accounts or data, often as a first step toward financial theft or ransomware.

The takedown involved both legal and technical measures. Legal action allowed Microsoft and its partners to seize servers and domains used by RedVDS, while technical disruption prevented remaining infrastructure from being reused quickly. Microsoft said this marks the 35th civil action brought by its Digital Crimes Unit, which combines legal authority with technical threat intelligence to dismantle cybercrime services.

The company said the action builds on ongoing cooperation with initiatives such as the National Cyber-Forensics and Training Alliance and the Global Anti-Scam Alliance, reflecting a strategy of targeting the underlying platforms that enable large-scale cybercrime rather than only individual attackers.

The Recap

  • Microsoft took coordinated legal action to disrupt RedVDS globally.
  • Since March 2025, RedVDS activity drove roughly US$40 million in reported fraud losses in the United States.
  • Action followed seizures of infrastructure with international law enforcement.