Full Report
Redmond says cheap virtual desktops powered a global wave of phishing and fraud Microsoft has taken its cybercrime fight to the UK in its first major civil action outside the US, moving to shut down RedVDS, a virtual desktop service used to power phishing and fraud at global scale.…
Analysis Summary
# Incident Report: Disruption of RedVDS Cybercrime Infrastructure
## Executive Summary
Microsoft initiated parallel civil actions in the US and UK to dismantle RedVDS, a global cybercrime-as-a-service platform that sold cheap, disposable virtual desktops used to launch large-scale phishing and fraud operations. The service enabled attacks against over 191,000 organizations since September 2025, contributing to approximately $40 million in reported fraud losses in the US alone. The action combined coordinated legal filings, domain seizures, and collaboration with international law enforcement to shut down the infrastructure behind this scalable cybercrime.
## Incident Details
- Discovery Date: Ongoing investigation, culminating in legal action beginning January 14/15, 2026.
- Incident Date: Attacks actively leveraged RedVDS infrastructure from September 2025 onwards.
- Affected Organization: RedVDS (the service being disrupted). Victims include organizations across multiple sectors worldwide.
- Sector: Cybercrime-as-a-Service enablement platform. Victims span Legal, Construction, Manufacturing, Real Estate, Healthcare, and Education.
- Geography: Infrastructure hosted across the US, Canada, UK, France, and the Netherlands. Attacks were global.
## Timeline of Events
### Initial Access
- Date/Time: Ongoing since at least September 2025.
- Vector: Criminals purchased access to disposable Virtual Dedicated Servers (VDS) provided by RedVDS.
- Details: The service was priced as low as $24/month, lowering the barrier to entry for cybercriminals.
### Lateral Movement
- Details: Not explicitly described for the end-user attacks. The platform was used to send mass phishing emails, hijack accounts, and run scams, which implies compromise of victims' mailboxes and systems. The RedVDS infrastructure itself was distributed across at least five hosting companies in five countries.
### Data Exfiltration/Impact
- Details: Compromise or fraudulent access achieved against over 191,000 organizations worldwide since September 2025. Specific reported losses include $7.3 million (H2-Pharma) and nearly $500,000 (Gatehouse Dock Condominium Association).
### Detection & Response
- **Detection (Microsoft's Perspective):** Tracking of the activity cluster attributed to the operator identified as Storm-2470, combined with continuous monitoring of malicious traffic (e.g., 1 million phishing messages per day targeting Microsoft customers, sent from 2,600 VMs during one month).
- **Response actions taken:** Filed parallel civil actions in the US (Southern District of Florida) and the UK (first major civil action outside the US). Seized domains hosting the RedVDS marketplace and customer portal, replacing them with seizure notices. Coordinated with Europol and German law enforcement.
## Attack Methodology
- **Initial Access:** Purchasing disposable Virtual Dedicated Servers (VDS) from RedVDS.
- **Persistence:** N/A (Platform itself provided the necessary compute for criminal operations).
- **Privilege Escalation:** N/A (Focus was on exploiting stolen credentials or tricking users via phishing).
- **Defense Evasion:** Use of disposable, geographically distributed virtual infrastructure makes tracing difficult.
- **Credential Access:** Phishing emails sent from VDS infrastructure were used to steal credentials, following a pattern similar to a previously disrupted phishing-as-a-service operation.
- **Discovery:** Not explicitly described for the end-user attacks; the campaign volume suggests broad target reconnaissance.
- **Lateral Movement:** Using compromised accounts to conduct further fraud or accessing subsequent targets via the VDS network.
- **Collection:** Gathering the data needed to run scams and take over accounts.
- **Exfiltration:** Not data exfiltration in the conventional sense; the end result of successful scams was the transfer of funds or assets (e.g., fraudulent wire transfers).
- **Impact:** Financial fraud resulting in reported losses potentially exceeding $40 million in the US alone.
## Impact Assessment
- **Financial:** Roughly $40 million in reported fraud losses in the US alone from attacks leveraging this platform, with individual victims losing millions.
- **Data Breach:** Compromise or fraudulent access affecting over 191,000 organizations worldwide. Theft of Microsoft 365 credentials is mentioned only in the context of prior, similar actions.
- **Operational:** The operation enabled attacks across critical sectors, disrupting normal business operations for thousands of entities.
- **Reputational:** Significant negative impact on victims who lost substantial funds, damaging trust in digital transactions.
## Indicators of Compromise
*(Note: Because this action targets hosting infrastructure, the source lists no specific network IOCs for the endpoint attacks, and the seized domain names are not reproduced here.)*
- **Network indicators:** The domain seizure covered the RedVDS marketplace and customer portal domains (not listed here). The infrastructure relied on virtual servers rented from hosting providers in the US, Canada, UK, France, and the Netherlands.
- **File indicators:** Not applicable/disclosed.
- **Behavioral indicators:** Extremely high-volume phishing campaigns (e.g., 1 million messages per day from 2,600 VMs during one peak month).
## Response Actions
- **Containment measures:** Seizure of RedVDS marketplace and customer portal domains via combined US and UK legal action.
- **Eradication steps:** Seizure of portions of the underlying infrastructure used by RedVDS.
- **Recovery actions:** Co-plaintiff actions by victims (H2-Pharma, Gatehouse) to potentially recover losses. Continued cooperation with law enforcement to identify human operators (Storm-2470).
## Lessons Learned
- Cheap, disposable CaaS/VDS infrastructure (costing as little as $24/month) is a primary driver in the surge of scalable, hard-to-trace cybercrime.
- Cross-border legal and technical cooperation (here involving Microsoft, Europol, and German law enforcement) is necessary to effectively dismantle globally distributed cybercrime services.
- Focusing legal action against the infrastructure enablers (like RedVDS) can disrupt crime at scale even if end-user operators remain anonymous.
## Recommendations
- Increase proactive monitoring and analysis of malicious traffic patterns originating from known low-cost or disposable compute resources.
- Continue leveraging civil litigation tools in multiple jurisdictions to target the technology platforms that enable criminal activity.
- Strengthen internal controls around the use of virtual desktop services and mandate multi-factor authentication so that phished credentials alone do not grant access, even when accounts are targeted by mass campaigns.