Home > Security > Security News

RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Hacker - Phishing - Skull - Data
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • International Takedown: Europol and German authorities dismantled the RedVDS cybercrime-as-a-service platform with Microsoft’s help.
  • Massive Phishing Operations: In a single month, over 2,600 RedVDS virtual machines sent approximately 1 million phishing messages per day to Microsoft customers.
  • Financial Impact: The RedVDS cybercrime-as-a-service enabled over $40 million in fraud losses in the U.S.

Microsoft's Digital Crimes Unit supported a coordinated international law enforcement operation, including Europol, to disrupt the RedVDS cybercrime platform, a key enabler of the cybercrime-as-a-service ecosystem. The operation involved civil actions in the U.S. and the U.K., leading to the seizure of two primary domains and a server in Germany. 

RedVDS provided criminals with disposable virtual machines (VMs) running unlicensed software, including Windows, allowing them to conduct large-scale fraud operations anonymously and with minimal investment – for a subscription fee as low as $24 per month.

Operational Impact of the Cybercrime-as-a-Service Model

The RedVDS platform was a significant source of malicious activity, primarily facilitating payment diversion fraud and business email compromise (BEC) schemes. Microsoft's investigation revealed that the malicious infrastructure was used to send an average of one million phishing messages per day from its network of VMs. 

A screenshot of RedVDS’s user dashboard, including a loyalty program and referral bonuses for customers | Source: Microsoft
A screenshot of RedVDS’s user dashboard, including a loyalty program and referral bonuses for customers | Source: Microsoft

The platform rented servers from hosting providers in North America and Europe, allowing attackers to bypass geolocation security filters by launching attacks from IP addresses close to their targets. 

BEC attack chain powered by RedVDS | Source: Microsoft
BEC attack chain powered by RedVDS | Source: Microsoft

Since September, these attacks have resulted in fraudulent access to the Microsoft email accounts of over 191,000 organizations, Microsoft said in a recent report, adding that in one month, over “2,600 distinct RedVDS virtual machines sent an average of one million phishing messages per day to Microsoft customers alone.

The real estate sector was a primary target, with threat actors impersonating realtors and escrow agents to divert home payments, resulting in devastating financial losses for victims.

It also affected other sectors, including construction, manufacturing, healthcare, logistics, education, and legal services. Among the victims are H2-Pharma and the Gatehouse Dock Condominium Association, both targeted through sophisticated BEC schemes that exploited trust and timing.

Strategic Disruption of Criminal Networks

This Microsoft RedVDS takedown marks the company's 35th civil action against malicious infrastructure.. 

Seized website message | Source: Microsoft 
Seized website message | Source: Microsoft 

Microsoft is also working closely with international law enforcement, including Europol’s European Cybercrime Centre (EC3), to disrupt the broader network of servers and payment networks that supported RedVDS customers as part of the ongoing disruption,” the report said.

The disruption of RedVDS and its supporting payment networks represents a significant blow to the accessible, low-cost tools that fuel the modern cybercrime economy.

A feature in Microsoft 365 Exchange Online, known as Direct Send, was being actively exploited by malicious actors for phishing and BEC in October. The following month, the Sneaky2FA phishing kit adopted Browser-in-the-Browser tactics to steal credentials via fake Microsoft login pages.

Add a Comment
Related
Confused Hackers - Reading - Dictionary
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Access Controls - Text Boxes - Check Boxes - Credentials - Questions Mark
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Target
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Bank Building - Data Stream - Man
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Malware Target
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors
Most Popular
Confused Hackers - Reading - Dictionary
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Access Controls - Text Boxes - Check Boxes - Credentials - Questions Mark
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Target
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Bank Building - Data Stream - Man
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Malware Target
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors

Most Popular
Confused Hackers - Reading - Dictionary
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Access Controls - Text Boxes - Check Boxes - Credentials - Questions Mark
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Target
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Bank Building - Data Stream - Man
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Malware Target
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: