Single Windows image drove RedVDS disposable cybercrime server business

A criminal enterprise used a single base Windows Server 2022 cloud image to create a large number of virtual dedicated servers (VDS), which were then rented out cheaply to threat actors.

Active since 2019, RedVDS operated publicly, offering servers in the United States, United Kingdom, Canada, France, the Netherlands and Germany.

The criminal marketplace reused a single Windows host image, cloning it to provision cheap Remote Desktop Protocol (RDP) servers for criminals simply and quickly.

These servers came with full administrator rights and no usage limits, Microsoft Threat Intelligence said.

In doing so, the criminals were able to offer the VDSs at low cost to threat actors, but all instances used the same WIN-BUNS25TD77J computer name, operating system ID, and Windows Server 2022 product key, making them recognisable to Microsoft Threat Intelligence.

The cost of renting a disposable virtual computer from RedVDS was just US$24 ($35.82) a month.

RedVDS used at least five hosting companies in North America and Europe for its infrastructure, and accepted payment in various cryptocurrencies.

Australian property buyers scammed via RedVDS

Microsoft said RedVDS has been “heavily used to facilitate real estate payment diversion scams”, with over 9000 customers worldwide affected by the fast-growing cyber fraud, and Australians and Canadians being particularly hard hit.

Other criminal activity included large-scale phishing campaigns with millions of messages per day, and business email compromise (BEC) across multiple sectors globally.

Losses from the RedVDS cyber crime subscription services amounted to millions, with the United States accounting for US$40 million since March 2025 alone.

Together with Europol and German police, Microsoft has now taken action against RedVDS and seized the two domains that provided access to the criminals’ marketplace and customer portal.

The tech giant is also working on identifying the individuals behind RedVDS, the company’s assistant general counsel of the Digital Crimes Unit, Steven Masada, said.

As of now, Microsoft said RedVDS uses a fictitious entity operating in the Bahamas and provided no further detail as to who is behind the operation.


