Microsoft moves against global cybercrime service linked to millions in fraud losses

Microsoft has filed civil lawsuits in the United States and United Kingdom to seize the domains powering the RedVDS marketplace and obtain information about its operators and users.

RedVDS provides low-cost virtual machines that criminals use to send large volumes of phishing emails and gain unauthorised access to Microsoft email accounts multiple sectors and regions. For example, Alabama-based pharmaceutical company H2-Pharma has lost more than $7.3 million to RedVDS-enabled activity and the Gatehosue Dock Condomonium Association in Florida has lost nearly $500,000. Both organisations have assisted Microsoft’s Digital Crimes Unit with its investigations.  

Criminals use RedVDS for a range of activities including sending high-volume phishing emails, hosting scam infrastructure and facilitating fraud schemes. Microsoft has observed attackers deceive victims by leveraging face-swapping, video manipulation and voice-cloning AI tools to impersonate individuals.

In just one month, more than 2,600 distinct RedVDS virtual machines sent an average of one million phishing messages per day to Microsoft customers alone. Since September 2025, more than 191,000 Microsoft email accounts have been compromised or access fraudulently, impacting 130,000 organisations worldwide, with the highest concentrations in the US, Canada, the UK, France and India.

This has been part of a bigger operation with international law enforcement, including German authorities and Europol, to seize key malicious infrastructure and take the RedVDS marketplace offline.

“We are deeply grateful to H2-Pharma and the Gatehouse Dock Condominium Association for their willingness to come forward and share their experiences,” said Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, in a blog post titled ‘Microsoft disrupts global cybercrime subscription service responsible for millions in fraud losses’. “Their cooperation, combined with Microsoft’s threat intelligence, made this action possible and will help protect future victims. Falling victim to a scam should never carry stigma. These attacks are executed by organised, professional criminal groups that intercept and manipulate legitimate communications between trusted parties.”