Full Report
Source: "Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace" (CyberScoop). The service became a prolific tool for cybercriminals in the past year, as it facilitated thousands of attacks involving credential theft, account takeovers, mass phishing and payment diversion fraud.
Analysis Summary
# Incident Report: Disruption of RedVDS Cybercrime Marketplace
## Executive Summary
Microsoft, working with international law enforcement, seized the infrastructure for RedVDS, a fast-growing cybercrime subscription service that functioned as a marketplace for criminal tools. The service provided disposable, low-cost virtual computers, enabling cybercriminals to conduct thousands of widespread attacks, resulting in at least \$40 million in fraud losses, primarily through credential theft, account takeovers, mass phishing, and Business Email Compromise (BEC). The disruption was achieved through coordinated civil actions and infrastructure seizure, effectively taking the marketplace offline.
## Incident Details
- Discovery Date: No single date; the service has been in active use since 2019, with significant escalation observed over the past year (since March 2025).
- Incident Date: Operation concluded on or around January 14, 2026 (Date of Microsoft announcement).
- Affected Organization: Global organizations across multiple sectors (Microsoft customers, pharmaceutical, condominium associations, real estate, construction, manufacturing, healthcare, logistics, education, legal services).
- Sector: Global Digital Crime Infrastructure / Hosting Services.
- Geography: Global operations; infrastructure located across the US, UK, Canada, France, and the Netherlands.
## Timeline of Events
### Initial Access
- Date/Time: Not specified; service operated since 2019, with high activity observed in the past year.
- Vector: Customers (cybercriminals) purchased access to disposable Virtual Desktop Infrastructure (VDI) running unlicensed Windows software.
- Details: Attackers utilized the purchased VDI access to launch attacks remotely, often positioning their location near targets to bypass geo-location security.
### Lateral Movement
- Not directly applicable to the *RedVDS infrastructure itself*, but the service *enabled* lateral movement within victim networks following initial compromises via phishing or account takeover.
### Data Exfiltration/Impact
- Date/Time: Ongoing incidents occurred since market proliferation.
- Details: Facilitated credential theft, account takeovers, mass phishing, and payment diversion fraud (BEC) against victims globally (191,000+ Microsoft email accounts compromised since September 2025), with at least \$40 million in fraud losses in the U.S. since March 2025.
### Detection & Response
- Detection: Identified and tracked by Microsoft Threat Intelligence; evidence gathered through technical fingerprinting of the cloned Windows host image.
- Response actions: Coordinated civil actions filed in the US and UK; joint operational seizure of infrastructure with Europol and German authorities.
## Attack Methodology
- Initial Access: Customers gained access to RDP servers via a subscription model (starting as low as \$24/month).
- Persistence: Not directly applicable to the RedVDS operator, but the service provided persistent, disposable attack platforms for customers.
- Privilege Escalation: No specific technique is attributed; customers likely relied on standard post-compromise techniques, operating from a clean VDI on which they already held administrator control.
- Defense Evasion: Infrastructure located globally (US, UK, CA, FR, NL, DE) allowed attackers to provision IPs close to targets, evading location-based security filters and blending with normal data center traffic.
- Credential Access: Facilitated through mass phishing campaigns and account takeovers enabled by the platform.
- Discovery: No specific techniques identified; the disposable VDI gave customers a clean environment from which to conduct reconnaissance.
- Lateral Movement: Enabled; used to conduct BEC against realtors, escrow agents, and title companies.
- Collection: Focused on gathering data necessary for financial fraud (e.g., payment instructions).
- Exfiltration: Facilitated payment diversion fraud, leading to substantial monetary losses.
- Impact: Financial fraud losses, account compromise, operational disruption for affected businesses.
## Impact Assessment
- Financial: At least **\$40 million in fraud losses** in the U.S. since March 2025 (e.g., \$7.3M for H2 Pharma, \$500k for Gatehouse Dock).
- Data Breach: Over **191,000 Microsoft email accounts** compromised or fraudulently accessed across 130,000+ organizations worldwide (subset).
- Operational: Disruption through widespread credential theft and BEC scams impacting various sectors.
- Reputational: Significant negative exposure for victim organizations reliant on secure transactions (e.g., real estate).
## Indicators of Compromise
*Note: Specific, current IoCs are not provided in this summary as the infrastructure was seized. Indicators would relate to the RedVDS Virtual Machines.*
- Network indicators: Traffic originating from compromised hosting providers (US, UK, CA, FR, NL, DE) associated with bulk phishing/spam volume (e.g., **>1 million phishing messages/day** average over one month).
- File indicators: Use of a single, cloned Windows host image across the service.
- Behavioral indicators: High volume, geographically targeted phishing campaigns linked to the Storm-2470 group; use of systems previously associated with the **Racoon0365 phishing service**.
## Response Actions
- Containment: Complete seizure of the RedVDS core infrastructure by Microsoft and international law enforcement (Europol, German authorities).
- Eradication steps: Taking the marketplace offline, preventing further provisioning of disposable VDI assets to cybercriminals.
- Recovery actions: Civil litigation initiated in the US and UK against the operators and potentially against related parties, aiming to disrupt the business model permanently.
## Lessons Learned
- Cybercrime relies heavily on **shared, scalable infrastructure**; targeting the providers of these services (like RedVDS) is critical for disruption, not just individual attackers.
- **Disposable, low-cost VDI** drastically lowers the barrier to entry and increases the scale/anonymity of criminal operations.
- The operators (tracked as **Storm-2470**) were highly organized, integrating features like loyalty programs to encourage use.
## Recommendations
- Increase monitoring of cloud/hosting providers for bulk provisioning of identical, unlicensed operating system images.
- Enhance geo-location security measures to validate traffic originating from major data center hubs when possible, especially for sensitive transactions (like payment diversion).
- Continue proactive engagement with international partners (Europol) to target infrastructure providers hosting transnational cybercrime services.
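As an added illustration of the geo-location and data-center recommendations above (example code written for this summary, not from Microsoft or CyberScoop), the detection sketch below weights the source ASN type instead of relying on a country match, which a VDI rented near the target would pass. It assumes SIEM-enriched fields (`asn_type`, `src_country`, `home_country`) and uses constructed log records, not real indicators.

```python
"""Detection sketch (added example, not from the report or Microsoft):
flag sensitive mailbox/payment actions performed from data-center address
space even when source geolocation matches the user's usual country, and
flag sources sending bulk outbound mail. Field names are assumed to come
from SIEM enrichment; the records below are constructed sample data."""
from collections import defaultdict

# Actions that matter for payment-diversion / BEC style abuse.
SENSITIVE_ACTIONS = {"update_payment_instructions", "create_inbox_rule",
                     "add_mailbox_forwarding"}

# Constructed sample sign-in / activity records (documentation IP ranges).
SAMPLE_LOG = [
    {"user": "escrow@example.com", "src_ip": "203.0.113.10", "asn_type": "residential",
     "src_country": "US", "home_country": "US", "action": "login", "mails_sent": 12},
    {"user": "escrow@example.com", "src_ip": "198.51.100.7", "asn_type": "hosting",
     "src_country": "US", "home_country": "US", "action": "create_inbox_rule", "mails_sent": 0},
    {"user": "escrow@example.com", "src_ip": "198.51.100.7", "asn_type": "hosting",
     "src_country": "US", "home_country": "US", "action": "update_payment_instructions",
     "mails_sent": 0},
    {"user": "intern@example.com", "src_ip": "192.0.2.44", "asn_type": "hosting",
     "src_country": "US", "home_country": "US", "action": "login", "mails_sent": 4500},
]

def detect(records, mail_threshold=1000):
    """Return alerts as (rule, user, src_ip) tuples, in record order."""
    alerts = []
    sent_per_ip = defaultdict(int)
    for r in records:
        sent_per_ip[r["src_ip"]] += r["mails_sent"]
        # Classic geo check: never fires for a VDI provisioned in the target's
        # country, which is exactly the evasion described in the report.
        if r["src_country"] != r["home_country"]:
            alerts.append(("geo_mismatch", r["user"], r["src_ip"]))
        # Stronger signal: a sensitive action from hosting/data-center space,
        # regardless of how close the IP geolocates to the user.
        if r["action"] in SENSITIVE_ACTIONS and r["asn_type"] == "hosting":
            alerts.append(("sensitive_action_from_datacenter", r["user"], r["src_ip"]))
    # Bulk-sender check per source IP, for the mass-phishing pattern.
    for ip, total in sent_per_ip.items():
        if total >= mail_threshold:
            for user in sorted({r["user"] for r in records if r["src_ip"] == ip}):
                alerts.append(("bulk_outbound_mail", user, ip))
    return alerts
```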