What happened
An international takedown has disrupted RedVDS, a cybercrime‑as‑a‑service platform that powered phishing and fraud. Microsoft filed civil actions in the U.S. and U.K. and seized infrastructure used by the RedVDS network, as part of a coordinated operation with Europol and German authorities that took the marketplace and its customer portal offline. RedVDS had operated since 2019, selling disposable virtual Windows servers to criminal groups, including those Microsoft tracks as Storm‑0259, Storm‑2227, Storm‑1575, and Storm‑1747. Those servers hosted phishing campaigns, business email compromise, credential theft, invoice fraud, and other scams that have contributed to at least tens of millions of dollars in losses. Investigators found that RedVDS customers used the rented VMs to host mass‑mailing and credential‑harvesting tools, deploy malware, and run fraud schemes; Microsoft's analysis tied more than 2,600 machines to an average of one million phishing messages per day and to the compromise of hundreds of thousands of accounts worldwide.
Who is affected
Organizations and individuals targeted by RedVDS‑enabled fraud are affected indirectly: any enterprise, consumer, or infrastructure operator that relies on email and cloud services was exposed to the phishing and BEC campaigns run from this platform.
Why CISOs should care
The disruption of a cybercrime‑as‑a‑service platform shows how commoditized, rented infrastructure fuels large‑scale phishing, account takeover, and fraud, and it underscores the value of cross‑industry and law‑enforcement collaboration in dismantling the abusive services that underpin attacker operations.
3 practical actions
- Review email security: Audit phishing defenses, spam filtering, and SPF/DKIM/DMARC policies, and move DMARC to an enforcing policy (quarantine or reject) so that spoofed and malicious mail is actually blocked rather than only reported.
- Monitor for credential abuse: Alert on anomalous sign‑ins (new locations or devices, impossible travel, bursts of failed logins followed by a success) and check for credentials exposed in breach data.
- Strengthen multi‑factor authentication: Enforce MFA everywhere, preferring phishing‑resistant methods, to limit the impact of credentials stolen by phishing kits run from rented infrastructure like this.
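The first action above asks for an audit of SPF and DMARC policies. The script below is an added example, not code from the page, from Microsoft, or from the RedVDS investigation; it shows what such an audit checks. It works from a constructed in-memory table of TXT records for hypothetical domains (strong.example, weak.example, none.example) so it runs offline; replace SAMPLE_RECORDS with real DNS lookups to audit your own domains. Every domain name, record and function name here is an assumption for illustration.

```python
"""Audit SPF and DMARC TXT records for weak settings (added example)."""
import re

# Constructed sample TXT records for hypothetical domains; not from the page.
# Key is the DNS name queried, value is the list of TXT strings returned.
SAMPLE_RECORDS = {
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    "weak.example": ["v=spf1 a mx include:a.example include:b.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "none.example": [],
    "_dmarc.none.example": [],
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms, skipping 'v=spf1'."""
    terms = []
    for tok in record.split()[1:]:
        m = re.match(r"^([+\-~?]?)([a-zA-Z0-9]+)(?:[:=/](.*))?$", tok)
        if m:
            qual, name, value = m.groups()
            terms.append((qual or "+", name.lower(), value))
    return terms


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(domain, records):
    """Return a list of findings; an empty list means SPF and DMARC look enforced."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record; any host can claim the domain unless DMARC rejects")
    elif len(spf) > 1:
        findings.append("SPF: multiple records cause a permerror, which receivers treat as no SPF")
    else:
        terms = parse_spf(spf[0])
        lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
        all_quals = [q for q, name, _ in terms if name == "all"]
        if not all_quals:
            findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
        elif all_quals[-1] == "+":
            findings.append("SPF: '+all' passes every sender, equivalent to having no SPF")
        elif all_quals[-1] == "?":
            findings.append("SPF: '?all' is neutral; unlisted senders are neither passed nor failed")
        elif all_quals[-1] == "~":
            findings.append("SPF: '~all' only soft-fails; rely on DMARC to enforce")

    dmarc = [r for r in records.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record; SPF/DKIM results are never enforced")
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown or missing policy {policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so you receive no aggregate reports of abuse")
    return findings


if __name__ == "__main__":
    for name in ("strong.example", "weak.example", "none.example"):
        print(name)
        for finding in audit_domain(name, SAMPLE_RECORDS) or ["OK: SPF and DMARC enforced"]:
            print("  -", finding)
```

Run against the sample table, strong.example produces no findings, weak.example is flagged for '+all', p=none and a missing rua address, and none.example is flagged for having neither record. The check on '~all' is informational: a soft-fail SPF is common and acceptable when DMARC is at p=reject with DKIM aligned, which is why the script looks at both records together.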
