Microsoft has shut down RedVDS, a large-scale virtual server rental service that functioned as bulletproof hosting for cybercriminals. According to Microsoft’s estimates, attacks launched from this infrastructure caused more than $40 million in losses in the United States alone. The takedown was executed through civil actions in the US and UK and a coordinated operation with Europol and German law enforcement, resulting in the seizure of RedVDS infrastructure and the shutdown of its marketplace and customer portal.
RedVDS as Bulletproof Hosting for Cybercrime
RedVDS operated as a commercial virtual private server (VPS) provider but in practice offered “infrastructure-as-a-service” for cybercrime. For about $24 per month, customers obtained Windows-based virtual machines with administrative privileges and no meaningful restrictions on usage, making the platform attractive for phishing, fraud and account takeover operations.
The service had been active since 2019, using domains such as redvds[.]com, redvds[.]pro and vdspanel[.]space. Microsoft attributes the operation of the platform to the group it tracks as Storm-2470, with other threat actors including Storm-0259, Storm-2227, Storm-1575 and Storm-1747 observed as frequent customers. This model fits the classic pattern of bulletproof hosting, where providers knowingly tolerate or facilitate abuse and resist enforcement actions.
Financial Impact and Real-World Victims of RedVDS Attacks
Several organizations joined Microsoft as co-plaintiffs, putting a human and financial face to attacks supported by RedVDS. Pharmaceutical company H2-Pharma in Alabama reported losses of $7.3 million after a Business Email Compromise (BEC) scheme, in which attackers hijack or spoof corporate email to redirect payments or authorize fraudulent transfers.
In another case, Florida-based association Gatehouse Dock lost nearly $500,000 in a funds-transfer fraud scenario. These incidents are examples of BEC, a threat category that the FBI’s Internet Crime Complaint Center (IC3) consistently ranks among the costliest cybercrimes worldwide, with reported US losses exceeding $2.9 billion in 2023.
BEC and Real-Estate Payment Redirection Schemes
RedVDS servers were also heavily used in real-estate transaction fraud. Attackers intercepted or manipulated payment instructions during property deals, redirecting funds to accounts under their control. According to Microsoft, more than 9,000 clients in Canada and Australia suffered financial losses in such schemes, where adversaries inserted themselves into email threads between banks, brokers and buyers to silently change wire details.
Industrial-Scale Phishing and Account Takeover
Microsoft reports that operators using RedVDS controlled more than 2,600 virtual machines at peak. From this infrastructure they sent, on average, around 1 million phishing emails per day to users of Microsoft services, which over a four-month period led to the compromise of nearly 200,000 user accounts.
Since September 2025, attacks originating from RedVDS are assessed to have resulted in compromise or fraudulent access at more than 191,000 organizations worldwide. Microsoft notes that these figures likely represent only a subset of the total impact, given underreporting and the difficulty of attributing all incidents to a specific hosting provider.
Technical Fingerprints of the RedVDS Infrastructure
An investigation by the Microsoft Digital Crimes Unit (DCU) uncovered a distinctive technical trait: all RedVDS virtual servers were built from the same cloned Windows Server 2022 image. Each instance shared an identical computer name, WIN-BUNS25TD77J, a highly unusual configuration at Internet scale and a powerful indicator that allowed analysts to correlate otherwise disconnected malicious campaigns back to a single infrastructure.
RedVDS did not own the physical hardware; instead, it rented capacity from third-party hosting providers in the US, UK, France, Canada, the Netherlands and Germany. This approach let criminals choose IP addresses geographically close to their targets, helping them bypass geofencing and country-based filtering and making malicious traffic appear more legitimate during risk-based checks.
Attack Tactics and the Role of Artificial Intelligence
Customers of RedVDS hosted a wide toolkit on their rented servers, including bulk mailers, email address harvesters, anonymization tools, bots for automated attacks and remote access software. From this environment they executed phishing campaigns, credential theft, account takeover (ATO), BEC attacks and a range of financial fraud schemes.
Microsoft observed that many threat actors on RedVDS used AI-powered tools, including generative models such as ChatGPT, to craft more convincing phishing emails and business correspondence templates. Others relied on deepfake video, face swapping and voice cloning to impersonate executives, suppliers or bank representatives, significantly increasing the success rate of social engineering and complicating manual verification of requests.
Payments for RedVDS were conducted in cryptocurrency, providing high anonymity for both operator and clients. Combined with flexible IP geolocation and minimal abuse controls, the platform exemplified a mature bulletproof hosting operation optimized for resilience and monetization.
Security Lessons: How Organizations Can Defend Against BEC and Bulletproof Hosting
The RedVDS case shows how inexpensive, easily accessible infrastructure can scale cybercrime to a global level. For organizations of all sizes, it reinforces the need to harden email security, financial workflows and remote access, rather than focusing solely on perimeter defenses.
Effective countermeasures include multi-factor authentication (MFA) on all critical accounts, strict out-of-band verification of any change in payment details (for example, confirming via a known phone number or secure messaging channel), and advanced email security controls capable of detecting phishing, business email compromise and anomalous sign-in behavior.
Regular security awareness training on BEC, phishing and AI-enhanced social engineering is essential, particularly for finance, legal, HR and executive staff. Organizations should also monitor for logins from unusual geolocations, suspicious proxies or newly seen hosting providers, and integrate threat intelligence feeds that flag known bulletproof hosting ranges where possible.
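A small hunt over constructed sign-in records that ties together the shared computer-name indicator from the DCU investigation above and the unusual-geolocation and new-hosting-provider monitoring recommended here. This is an added example, not Microsoft's or the article's own tooling; the event schema, the assumption that a `device` field carries the client computer name, and the hosting ASNs are all hypothetical.

```python
"""Hunt sign-in telemetry for RedVDS-style signals: the shared cloned
computer name, and a user's first sign-in from rented hosting space or a
country outside their baseline. Events below are constructed, not real."""
from collections import defaultdict

# Computer name Microsoft DCU found on every RedVDS virtual server.
REDVDS_HOSTNAME = "WIN-BUNS25TD77J"
# Hypothetical ASNs the organisation treats as rented-VPS space (placeholders).
HOSTING_ASNS = {"AS64500", "AS64501"}

# Constructed sign-in events; "device" is assumed to hold the client hostname.
EVENTS = [
    {"user": "cfo@example.com", "country": "US", "asn": "AS65000", "device": "CFO-LAPTOP", "ok": True},
    {"user": "cfo@example.com", "country": "US", "asn": "AS65000", "device": "CFO-LAPTOP", "ok": True},
    {"user": "cfo@example.com", "country": "NL", "asn": "AS64500", "device": "WIN-BUNS25TD77J", "ok": True},
    {"user": "ap@example.com",  "country": "US", "asn": "AS65000", "device": "AP-DESKTOP", "ok": True},
    {"user": "ap@example.com",  "country": "CA", "asn": "AS64501", "device": "WIN-ABCDEF", "ok": False},
]

def hunt(events, baseline_window=1):
    """Return a list of (user, reason) alerts. Once a user has at least
    `baseline_window` clean successful sign-ins, later events are compared
    against the countries and ASNs seen so far; the known RedVDS hostname
    fires regardless of baseline. Failed attempts are still evaluated but
    never extend the baseline, and neither does an event that raised an alert."""
    seen_countries, seen_asns = defaultdict(set), defaultdict(set)
    clean_successes = defaultdict(int)
    alerts = []
    for ev in events:
        user, reasons = ev["user"], []
        if ev["device"].upper() == REDVDS_HOSTNAME:
            reasons.append("known RedVDS computer name")
        if clean_successes[user] >= baseline_window:
            if ev["asn"] in HOSTING_ASNS and ev["asn"] not in seen_asns[user]:
                reasons.append(f"first sign-in from hosting ASN {ev['asn']}")
            if ev["country"] not in seen_countries[user]:
                reasons.append(f"new country {ev['country']}")
        if reasons:
            alerts.append((user, "; ".join(reasons)))
        elif ev["ok"]:  # only clean successes shape the baseline
            clean_successes[user] += 1
            seen_countries[user].add(ev["country"])
            seen_asns[user].add(ev["asn"])
    return alerts

if __name__ == "__main__":
    for user, reason in hunt(EVENTS):
        print(f"ALERT {user}: {reason}")
```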
Although the dismantling of RedVDS is a significant achievement in disrupting cybercriminal infrastructure, similar platforms will continue to emerge. Businesses that invest in layered defenses, continuous monitoring and incident response readiness, and that stay informed through advisories from law enforcement and security vendors, will be better positioned to withstand the next generation of infrastructure-as-a-service threats.