Microsoft shuts down RedVDS cybercrime subscription service tied to millions in fraud losses

Microsoft has announced a coordinated legal action in the United States and the United Kingdom to disrupt RedVDS, a global cybercrime subscription service tied to large-scale fraud losses. The effort forms part of a broader joint operation with international law enforcement, including Europol and German authorities.

A screenshot of RedVDS’s user dashboard, including a loyalty program and referral bonuses for customers. (Source: Microsoft)

A service built to sell infrastructure

Since March 2025, RedVDS-enabled activity has driven about $40 million in reported fraud losses in the United States alone.

For as little as $24 a month, RedVDS gave criminals access to disposable virtual computers that helped make fraud cheap, scalable, and hard to trace. The service offered virtual machines running unlicensed software, including Windows, which supported quick, anonymous activity across borders.

Researchers said criminals used RedVDS to send high-volume phishing emails, host scam infrastructure, and support fraud schemes. The service was often paired with GenAI tools used to identify high-value targets and produce more realistic multimedia email threads that resembled legitimate correspondence. In hundreds of cases, attackers used face swapping, video manipulation, and voice cloning tools to impersonate individuals and deceive victims.

“In just one month, more than 2,600 distinct RedVDS virtual machines sent an average of one million phishing messages per day to Microsoft customers alone. While most were blocked or flagged as part of the 600 million cyberattacks Microsoft blocks per day, the sheer volume meant a small percentage may have succeeded in reaching the targets’ inboxes,” said Steven Masada, Assistant General Counsel, Microsoft’s Digital Crimes Unit.

Organizations hit through everyday payment activity

More than 191,000 organizations worldwide experienced compromised or fraudulently accessed accounts beginning in September 2025. Real estate organizations were frequent victims, especially those involved in property sales, escrow handling, and closing payments.

Healthcare organizations were also affected, with stolen funds tied to operational and medical expenses. Community and member-based groups lost money set aside for repairs, maintenance, and planned projects.

The common factor was reliance on email-based coordination for payments. Attackers monitored conversations and inserted fraudulent instructions at moments when payments were expected.


