Microsoft hits cybercriminals where it hurts: notorious infrastructure provider disrupted


Many hackers woke up on Wednesday to find a critical part of their operations suddenly gone. They could no longer access the disposable virtual machine provider, which powers fraud, phishing, and other cybercrimes.

Microsoft has taken down RedVDS, a major cybercrime subscription service responsible for millions in losses and providing threat actors with tools such as remote virtual machines, mass mailing utilities, and others.

Working with international partners, the tech giant seized two domains hosting the marketplace and customer portal, and filed civil lawsuits. Authorities seized servers in Germany used by the illicit provider, according to Heise.de. The investigators, having access to the malicious infrastructure, are also laying the groundwork to identify the individuals behind the operation.


The global cybercrime subscription service fueled millions in fraud losses. Cybercriminals, for as little as $24 per month, could rent access to disposable virtual computers, making fraud cheap, scalable, and difficult to trace.

Microsoft estimates that RedVDS enabled malicious activity, resulting in $40 million in reported fraud losses within a year.


“Services like these have quietly become a driving force behind today’s surge in cyber‑enabled crime, powering attacks that harm individuals, businesses, and communities worldwide,” Steven Masad, Assistant General Counsel and Director of Microsoft’s Digital Crimes Unit, said in a blog post detailing the operation.

The scale of illicit activity was massive. In just one month, over 2,600 virtual machines deployed by RedVDS sent one million phishing emails per day to Microsoft customers alone.

Since last September, cybercrooks have used RedVDS to compromise or access more than 191,000 organizations globally. The tech giant identified 9,000 customers in the real estate sector alone, with a particularly severe impact in countries such as Canada and Australia.

These figures likely only represent the tip of the iceberg.


“Fraud and scams frequently go unreported, victims are global, and cybercriminals routinely pivot across platforms and service providers,” Masad said.

Some of the high-profile breaches include a cyberattack against H2-Pharma, an Alabama‑based pharmaceutical company, which lost more than $7.3 million, and Gatehouse Dock Condominium Association in Florida, which lost nearly $500,000 raised from residents and property owners for essential repairs.

What hackers used RedVDS for

This ecosystem was selling services and tools to cybercriminals, enabling them to launch cyberattacks at scale.

“It provides access to cheap, effective, and disposable virtual computers running unlicensed software, including Windows, allowing criminals to operate quickly, anonymously, and across borders,” Microsoft explained.

Using VMs, threat actors host scam infrastructure, send spam and phishing emails, and facilitate other fraud schemes. The service allowed criminals to install and operate malicious tools with minimal restrictions.


RedVDS offered servers in France, the UK, Germany, the Netherlands, the US, and Canada. However, the criminals didn’t own physical datacenters and rented them instead from at least five third-party hosting providers.

The operators used a single Windows Server 2022 image to deploy VMs with the same computer name “WIN-BUNS25TD77J” for all customers.

“The RedVDS operator employed Quick Emulator (QEMU) virtualization combined with VirtIO drivers to rapidly generate cloned Windows instances on demand,” Microsoft said.


Customers used Remote Desktop to sign in and manage the systems.
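The shared computer name is the kind of low-cost indicator a mail administrator can check against the Received chain of inbound messages, since the sending host's self-asserted HELO/EHLO name is recorded by each relay. The following is an added example, not code from the article or from Microsoft: it parses constructed sample messages, extracts the HELO name from every Received hop, and flags messages whose originating host matches the RedVDS image hostname reported above. The sample messages, addresses and message IDs are constructed for illustration.

```python
import re
from email import message_from_string

# Computer name shared by the cloned RedVDS images, as reported in the article.
# Matching is case-insensitive because HELO names are not case-normalised by relays.
REDVDS_HOSTNAMES = {"WIN-BUNS25TD77J"}

# Captures the HELO/EHLO name at the start of a Received clause,
# e.g. "from WIN-BUNS25TD77J (unknown [203.0.113.10]) by ...".
_RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(]+)", re.IGNORECASE)


def originating_hosts(raw_message):
    """Return the HELO name of every Received hop, outermost relay first."""
    msg = message_from_string(raw_message)
    names = []
    for header in msg.get_all("Received", []):
        # Collapse header folding (continuation lines) before matching.
        match = _RECEIVED_FROM.match(" ".join(header.split()))
        if match:
            names.append(match.group(1).strip("[]"))
    return names


def flag_message(raw_message):
    """Return the message id and the list of hop names that hit the indicator set."""
    msg = message_from_string(raw_message)
    hits = [n for n in originating_hosts(raw_message) if n.upper() in REDVDS_HOSTNAMES]
    return {"message_id": msg.get("Message-ID", "").strip(), "matched": hits}


def scan(raw_messages):
    """Return only the messages that carry at least one matching hop."""
    return [r for r in (flag_message(m) for m in raw_messages) if r["matched"]]


# Constructed sample messages (RFC 5737 documentation addresses, fictional domains).
SAMPLE_MESSAGES = [
    # Direct delivery from a host announcing the RedVDS image name.
    (
        "Received: from WIN-BUNS25TD77J (unknown [203.0.113.10])\n"
        "\tby mx.example.org with ESMTP id 1A2B3C; Wed, 01 Jan 2025 09:00:00 +0000\n"
        "From: invoices@supplier.example.net\n"
        "Message-ID: <phish-1@example.net>\n"
        "Subject: Updated wire instructions\n"
        "\n"
        "Please remit to the new account below.\n"
    ),
    # Legitimate relay whose HELO name matches its reverse DNS.
    (
        "Received: from mail.partner.example.com (mail.partner.example.com [198.51.100.7])\n"
        "\tby mx.example.org with ESMTPS id 4D5E6F; Wed, 01 Jan 2025 09:05:00 +0000\n"
        "From: alice@partner.example.com\n"
        "Message-ID: <legit-1@partner.example.com>\n"
        "Subject: Q1 planning\n"
        "\n"
        "Agenda attached.\n"
    ),
    # Two hops: the indicator sits on the inner (originating) hop, in lower case.
    (
        "Received: from relay.example.org (relay.example.org [192.0.2.25])\n"
        "\tby mx.example.org with ESMTP id 7G8H9I; Wed, 01 Jan 2025 09:10:00 +0000\n"
        "Received: from win-buns25td77j ([203.0.113.44])\n"
        "\tby relay.example.org with ESMTP id 0J1K2L; Wed, 01 Jan 2025 09:09:58 +0000\n"
        "From: hr@company.example.com\n"
        "Message-ID: <phish-2@example.net>\n"
        "Subject: Payroll update\n"
        "\n"
        "Confirm your details here.\n"
    ),
]

if __name__ == "__main__":
    for result in scan(SAMPLE_MESSAGES):
        print(result["message_id"], "->", result["matched"])
```

The HELO name is asserted by the connecting host, so a match is a strong signal but its absence proves nothing; treat it as one input to scoring alongside the sending IP's reputation, SPF/DKIM/DMARC results and the hosting provider behind the address. Because the RedVDS operator rented capacity from several third-party hosters, blocking a single network range would not have covered the service, whereas the shared image name was constant across customers.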


Many of the VM instances analyzed by investigators contained a recurring set of tools, such as mass mailer utilities, email address harvesters, and privacy and OPSEC tools, including VPNs for anonymized browsing.

These cloned Windows hosts provided cybercriminals with a ready-made platform to research targets, stage phishing infrastructure, steal credentials, hijack mailboxes, and execute impersonation-based financial fraud.

Business email compromise (BEC) was one of the most common RedVDS-enabled cyberattacks, causing the most significant financial losses.
