Microsoft and Authorities Dismantle BEC Attack Chain Powered by RedVDS Fraud Engine


Microsoft, in collaboration with U.S. and U.K. authorities, has announced a major international operation that dismantled RedVDS, a cybercrime‑as‑a‑service platform linked to large‑scale business email compromise (BEC) and AI‑powered fraud schemes.

The joint action, supported by German authorities and Europol, seized the key domains and servers running the RedVDS marketplace, cutting off criminals’ access to thousands of virtual machines used for fraudulent operations.

For just US $24 per month, RedVDS offered disposable virtual computers with unlicensed software, allowing threat actors to conduct global scams anonymously.

Since March 2025, Microsoft has tracked roughly US $40 million in verified fraud losses in the United States alone tied to RedVDS activity, though the actual figure is likely far higher.

Among the victims were H2‑Pharma, which lost $7.3 million, and the Gatehouse Dock Condominium Association in Florida, which was defrauded of nearly $500,000 in a BEC scheme.

What RedVDS Is and How It Fuels Cybercrime

RedVDS operated as a scalable infrastructure‑as‑a‑service tool for cybercriminals, forming part of a broader cybercrime‑as‑a‑service (CaaS) ecosystem.

Using cheap virtual machines and proxy IPs, attackers could launch high‑volume operations, sending phishing emails, hosting fraudulent domains, or staging malware payloads, while evading detection and attribution.

A screenshot of RedVDS’s user dashboard, including a loyalty program and referral bonuses for customers.

Microsoft telemetry revealed that, in a single month, 2,600+ RedVDS virtual machines sent approximately one million phishing emails per day targeting Microsoft customers.

Although most were intercepted, even a small success rate resulted in widespread compromises.

Between September and December 2025, over 191,000 organizations were affected worldwide, including incidents across the United States, Canada, the UK, France, and India.

RedVDS was frequently paired with generative AI to enable sophisticated social engineering campaigns.

Attackers used AI‑generated email threads, face‑swapping, voice cloning, and even simulated video calls to impersonate executives or trusted partners.

These deepfake‑adapted BEC schemes allowed them to manipulate legitimate financial transactions, redirecting payments before victims could verify authenticity.

In the real estate sector alone, over 9,000 RedVDS‑facilitated attacks were identified, primarily targeting escrow agents, realtors, and closing departments to divert wire transfers during high‑value deals.

Similar fraud patterns extended to manufacturing, healthcare, legal services, logistics, and education, disrupting financial operations and putting sensitive data at risk.

The takedown marks Microsoft’s 35th civil action against cybercriminal networks through its Digital Crimes Unit (DCU).

By seizing RedVDS’s command domains and disrupting its payment channels, authorities effectively crippled the platform’s ability to rent infrastructure to criminals globally.

BEC attack chain powered by RedVDS.

The operation was reinforced by Germany’s Central Office for Combating Internet Crime (ZIT), the State Criminal Police Office Brandenburg, and Europol’s European Cybercrime Centre (EC3).

This coalition not only dismantled RedVDS but also laid the groundwork to identify the individuals operating behind the service.

Microsoft emphasized that fraud victims like H2‑Pharma played a vital role by stepping forward, helping link financial crimes to the RedVDS network.

The company’s ongoing collaborations with the National Cyber‑Forensics and Training Alliance (NCFTA) and the Global Anti‑Scam Alliance (GASA) aim to build a sustained response to cyber‑enabled fraud.

Microsoft urges businesses and individuals to implement multifactor authentication, rigorously verify payment instructions, and report suspicious activity to law enforcement.

Each report, the company stresses, contributes to dismantling criminal infrastructure and reducing the global reach of AI‑driven cyber fraud.
