Microsoft Dismantles RedVDS Cybercrime Network in Major Legal Move

Microsoft’s Legal Action Dismantles RedVDS Cybercrime Network

On January 15, 2026, Microsoft announced a significant legal maneuver in both the United States and the United Kingdom aimed at dismantling RedVDS, a cybercrime subscription service implicated in substantial financial fraud. This coordinated effort, in partnership with law enforcement agencies, led to the seizure of RedVDS’s infrastructure and the shutdown of its associated domains: redvds[.]com, redvds[.]pro, and vdspanel[.]space.

RedVDS offered criminals access to disposable virtual computers for as little as $24 per month, facilitating anonymous operations that have resulted in approximately $40 million in reported fraud losses in the U.S. since March 2025. These virtual machines enabled a range of illicit activities, including high-volume phishing campaigns, hosting scam websites, executing business email compromise (BEC) schemes, conducting account takeovers, and perpetrating financial fraud.

The service provided unlicensed Windows-based Remote Desktop Protocol (RDP) servers with full administrative control and no usage limits, accessible through a user-friendly web interface. Servers were available in multiple countries, including Canada, the U.S., France, the Netherlands, Germany, Singapore, and the U.K. RedVDS also offered a reseller panel that let users create sub-accounts and manage servers without sharing access to the main account.

Despite terms of service that prohibited sending phishing emails, distributing malware, transferring illegal content, scanning systems for vulnerabilities, and conducting denial-of-service (DoS) attacks, RedVDS was used by cybercriminals for exactly those purposes. Microsoft’s investigation revealed that many of the virtual machines were created from a single Windows Server 2022 image, indicating that the same Windows Eval 2022 license was used to generate these hosts. This cloning, carried out with the QEMU (Quick Emulator) hypervisor and VirtIO paravirtualized drivers, allowed new RDP hosts to be deployed rapidly, letting cybercriminals scale their operations efficiently.

The takedown of RedVDS underscores the growing threat posed by Crimeware-as-a-Service (CaaS) platforms, which have transformed cybercrime into an accessible and scalable enterprise. By providing turnkey solutions, these services enable even inexperienced individuals to conduct sophisticated attacks, contributing to the professionalization of cybercrime.

Microsoft’s action against RedVDS is part of a broader strategy to combat such platforms. In April 2022, Microsoft, in collaboration with cybersecurity firms, disrupted the ZLoader botnet by seizing control of 65 domains used to communicate with infected hosts. ZLoader, a derivative of the Zeus banking trojan, had evolved into a Malware-as-a-Service (MaaS) platform, facilitating various criminal activities, including credential theft and ransomware distribution.

Similarly, in December 2024, Germany’s Federal Office for Information Security (BSI) disrupted the BADBOX malware operation, which had infected at least 30,000 internet-connected devices. By sinkholing the domains associated with BADBOX, authorities severed communications between the infected devices and their command-and-control servers, mitigating the threat posed by the malware.

These coordinated efforts highlight the importance of international collaboration in combating cybercrime. By targeting the infrastructure that supports these illicit activities, authorities can disrupt the operations of cybercriminals and reduce the impact of their attacks.

The case of RedVDS also emphasizes the need for vigilance among organizations and individuals. Cybercriminals continually adapt their tactics, leveraging new technologies and services to perpetrate fraud. Staying informed about emerging threats and implementing robust cybersecurity measures are essential steps in protecting against these evolving risks.

In conclusion, Microsoft’s legal action against RedVDS represents a significant victory in the ongoing battle against cybercrime. Dismantling the infrastructure that enables these illicit activities disrupts cybercriminal operations and limits the financial and reputational damage they cause. However, the persistence of such threats underscores the need for continued vigilance and collaboration in the fight against cybercrime.