Security Operations, Threat Management, Threat Intelligence, Ransomware, Malware, SOC

Microsoft takes down cybercrime subscription service RedVDS


A combined effort by Microsoft and law enforcement took down RedVDS, a popular cybercrime subscription virtual server service that was used to steal more than $40 million in the United States alone since March 2025.

In a Jan. 14 release, Microsoft said it tracks the threat actor that developed and operated RedVDS as Storm-2470. RedVDS launched its website in 2019 and has operated publicly since then, offering virtual servers in the United States, United Kingdom, France, the Netherlands, and Germany.

According to The Record, Microsoft filed lawsuits in the United States and the UK as part of an international law enforcement operation conducted with Europol and German officials.

John Carberry, solution sleuth at Xcape, Inc, said Microsoft's dismantling of RedVDS is a significant setback for the infrastructure that supports large-scale cybercrime. Carberry said platforms like RedVDS are important because they make scams inexpensive, quick, and easy to expand, reducing the obstacles criminals face when operating at scale.

Carberry pointed out that for as little as $24 a month, RedVDS offered criminals ready-to-use Windows RDP servers created from a single cloned image, enabling them to deploy thousands of virtually untraceable hosts with the click of a button.

“These hosts were used to stage phishing attacks, take over mailboxes, and launch payment diversion schemes, resulting in at least $40 million in reported losses in the U.S.,” said Carberry. “While $40 million might seem small compared to the global scope of cybercrime, it represents real financial damage to victims and demonstrates ongoing abuse. Taking down infrastructure doesn't stop crime entirely, but it forces attackers to adapt, relocate, and become more visible.”

Michael Bell, chief executive officer of Suzu Labs, said Microsoft’s takedown was a good disruption, albeit temporary. Bell said RedVDS has been running since 2019 with 2,600 VMs sending a million phishing messages daily and 191,000 compromised accounts across 130,000 organizations.

“The value of takedowns is disruption cost: operators rebuild, re-establish trust, migrate payment channels,” said Bell. “That friction matters even if eradication is impossible. Microsoft noted many RedVDS customers also used RaccoonO365, which they took down last fall. Those operators migrated to RedVDS. Now they'll migrate again. The forensic data from seized servers feeds detection rules and future investigations. One down. The next one is already running somewhere.”
