Microsoft taps UK courts to dismantle cybercrime host RedVDS

Summary

Microsoft has taken coordinated legal and technical action in both the US and the UK to disrupt RedVDS, a cybercrime-as-a-service platform that rented disposable virtual dedicated servers to criminals for as little as $24 a month. Working with Europol and German law enforcement, Microsoft seized domains used for RedVDS’s marketplace and customer portal, replaced them with seizure notices, and filed civil suits — including allegations the service used pirated Windows Server copies.

RedVDS allegedly powered large-scale phishing and fraud campaigns: Microsoft says attacks tied to the service have affected roughly 191,000 organisations worldwide since September 2025 and produced about $40m in reported US losses, and that at one point 2,600 virtual machines were sending an average of one million phishing messages per day. Victims named include H2-Pharma (over $7.3m lost) and a Florida condominium association tricked out of nearly $500,000; both are co-plaintiffs in the case.

Key Points

  • Microsoft filed parallel civil actions in the US and the UK to disrupt RedVDS and seized key domains serving the marketplace and customer portal.
  • RedVDS offered disposable virtual desktops (as little as $24/month) that made large-scale phishing and fraud cheap and hard to trace.
  • Microsoft attributes roughly $40m in reported US fraud losses and the compromise of some 191,000 organisations worldwide to RedVDS-enabled attacks.
  • At peak, about 2,600 RedVDS virtual machines reportedly sent ~1 million phishing messages per day; even low success rates translate to significant fraud when volumes are this high.
  • The operator is tracked as Storm-2470; Microsoft is continuing to work with law enforcement to identify and pursue individuals involved.
  • Microsoft alleges the service used pirated Windows Server images and rented infrastructure from multiple hosting providers across several countries.
  • The action forms part of a broader trend of vendor-led, cross-border takedowns of cybercrime infrastructure (Microsoft previously disrupted RaccoonO365 with Cloudflare).

Context and relevance

This story matters because it highlights how the commercialisation of disposable cloud infrastructure fuels modern cybercrime. Low-cost virtual desktops and turnkey ‘crime-as-a-service’ platforms let many different criminal groups scale phishing and fraud campaigns rapidly. The case also underlines a growing playbook: technology companies are increasingly combining civil litigation, domain seizures and collaboration with law enforcement to disrupt malicious infrastructure across borders. Organisations should take note — these disruptions can blunt attacks, but the underlying economic incentives for this model remain.

Why should I read this?

Quick version: cheap VMs + easy marketplaces = phishing on steroids. If you care about fraud risk, incident trends, or how providers and law enforcement fight back, this gives a neat, punchy snapshot — and the named losses (multi-million cases) show it’s not hypothetical. We’ve done the reading so you don’t have to.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/15/microsoft_uk_courts_redvds/