Saturday, January 17, 2026


DIGITAL LIFE


RedVDS: Microsoft dismantles platform used in thousands of phishing attacks and financial fraud

An investigation conducted by Microsoft revealed a global network of cybercriminals that used cheap virtual servers for phishing attacks, financial fraud, and data theft.

In a joint international operation, Microsoft's Digital Crimes Unit, in collaboration with Europol and authorities from the United Kingdom and Germany, dismantled the RedVDS infrastructure. The organization operated under the "Cybercrime as a Service" (CaaS) model, selling subscriptions so that ordinary criminals could carry out sophisticated attacks without needing advanced technical knowledge.

Active since March 2025, RedVDS allowed anyone, paying just $24 a month, to access disposable virtual machines and tools capable of sending millions of phishing emails daily. It is estimated that the group facilitated fraud totaling more than $40 million in losses in the United States alone.

Microsoft's Digital Crimes Unit announced the successful dismantling of RedVDS, a virtual dedicated server (VDS) provider that had established itself as a central piece in the machinery of international cybercrime.

The operation, coordinated with authorities from several countries, put an end to a platform that facilitated thousands of phishing attacks, financial fraud, and intrusions into corporate networks, generating estimated losses of $40 million (approximately €34.4 million) in the United States alone since March 2025.

RedVDS was not a typical hosting provider: it functioned as a marketplace for malicious actors, offering a simplified interface where Windows servers, accessed over Remote Desktop Protocol (RDP), could be purchased at extremely low prices.

Without any form of identity verification or usage restriction, the platform guaranteed total anonymity to its "clients," accepting payment exclusively in cryptocurrencies such as Bitcoin, Litecoin, and Monero. To give an appearance of legitimacy, the organization operated behind a fictitious entity based in the Bahamas.

The success of Microsoft's investigation was largely due to an operational mistake on RedVDS's side. Investigators found that every server the platform provisioned had been cloned from a single Windows Server 2022 image.

Every clone therefore carried the same computer name, "WIN-BUNS25TD77J", an anomaly that became the operation's digital fingerprint. The operator behind the infrastructure, tracked by Microsoft as Storm-2470 (the "Storm-" prefix is Microsoft's naming for threat actors whose origin or motivation has not yet been attributed), used QEMU virtualization and stolen licenses to spin up new servers in minutes, allowing attackers to launch massive campaigns at almost zero operating cost.
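A computer name shared by every server in a criminal fleet is exactly the kind of indicator a defender can hunt for directly. The Python below is an added example written for this page, not code from Microsoft or from the article: it scans constructed logon records shaped like the fields of Windows Security events 4624/4625 and flags the RedVDS hostname, plus, as a much weaker corroborating signal, any source workstation still carrying an unrenamed default "WIN-" name. The assumption that a remote Windows host reports its own computer name in the WorkstationName field when it authenticates to you (as it does for NTLM logons) is mine, as are the sample events, user names and IP addresses; that field is client-supplied, so a miss proves nothing, while a hit is a strong lead precisely because the name came from one cloned image.

```python
"""Hunt for the RedVDS clone hostname in Windows logon telemetry.

Added example for this article, not Microsoft's or mundophone's code.
Assumptions (mine, not from the article): events are dicts carrying the
field names of Windows Security events 4624/4625, and a remote Windows host
that authenticates to us (NTLM/RDP) reports its own computer name in
WorkstationName. That field is client-supplied, so a miss proves nothing;
a hit is still a strong lead because the name came from a single cloned image.
"""
import re
from typing import Dict, Iterable, List, Optional

# Computer name baked into every RedVDS server (from the article).
REDVDS_HOSTNAME = "WIN-BUNS25TD77J"

# A fresh, never-renamed Windows install is named WIN- plus 11 random
# characters. Plenty of legitimate machines look like this, so treat it
# only as a weak, corroborating signal, never as an indicator on its own.
DEFAULT_WIN_NAME = re.compile(r"^WIN-[A-Z0-9]{11}$")


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'redvds_clone', 'default_hostname' or None for one event."""
    workstation = (event.get("WorkstationName") or "").strip().upper()
    if not workstation:
        return None
    if workstation == REDVDS_HOSTNAME:
        return "redvds_clone"
    if DEFAULT_WIN_NAME.match(workstation):
        return "default_hostname"
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a stream of events and keep only the hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        hits.append({
            "verdict": verdict,
            "event_id": ev.get("EventID", ""),
            "user": ev.get("TargetUserName", ""),
            "src_ip": ev.get("IpAddress", ""),
            "workstation": ev.get("WorkstationName", ""),
        })
    return hits


def source_ips(hits: Iterable[Dict[str, str]], verdict: str = "redvds_clone") -> List[str]:
    """Distinct source IPs behind a given verdict, in first-seen order,
    ready to block at the edge or enrich with threat intelligence."""
    seen: List[str] = []
    for h in hits:
        if h["verdict"] == verdict and h["src_ip"] and h["src_ip"] not in seen:
            seen.append(h["src_ip"])
    return seen


# Constructed sample events (not real telemetry); public IPs are RFC 5737
# documentation addresses.
SAMPLE_EVENTS = [
    {"EventID": "4625", "TargetUserName": "finance",
     "WorkstationName": "WIN-BUNS25TD77J", "IpAddress": "203.0.113.10"},
    {"EventID": "4624", "TargetUserName": "alice",
     "WorkstationName": "LAPTOP-ALICE", "IpAddress": "10.0.0.5"},
    {"EventID": "4625", "TargetUserName": "finance",
     "WorkstationName": "win-buns25td77j", "IpAddress": "198.51.100.7"},
    {"EventID": "4625", "TargetUserName": "hr",
     "WorkstationName": "WIN-9KQ2PZ7R4LX", "IpAddress": "192.0.2.33"},
    {"EventID": "4624", "TargetUserName": "svc_backup",
     "WorkstationName": "", "IpAddress": "10.0.0.9"},
]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("block candidates:", source_ips(found))
```

The comparison is case-insensitive because NetBIOS names are, and the match is on the exact string rather than a substring so that a legitimately named host does not trip it. Feed the same functions the WorkstationName and IpAddress fields exported from your SIEM or from Get-WinEvent and the logic carries over unchanged.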

RedVDS was used across several threat groups, including Storm-0259, Storm-2227, Storm-1575, and Storm-1747. These groups used the infrastructure to target critical sectors such as healthcare, construction, real estate, and education in countries including the United Kingdom, France, Germany, Canada, and the United States.

On the analyzed servers, investigators found pre-installed tools for sending mass emails, contact extractors, and VPN clients. They also found ChatGPT being used to draft more convincing phishing messages, free of the grammatical errors that often give such messages away, helping criminals overcome language barriers.

The scale of the operation was considerable: in just 30 days Microsoft identified more than 7,300 IP addresses linked to RedVDS, hosting more than 3,700 fraudulent domains. The shutdown of this infrastructure is a major blow to the cybercrime economy, but the company is also issuing a warning.

To mitigate similar risks, organizations should strengthen their defenses through phishing-resistant multi-factor authentication (MFA) such as FIDO2 security keys, passkeys, or certificate-based authentication, conditional access policies, and continuous employee training, so that social engineering attempts are stopped on first contact.

mundophone
