Microsoft said in a security blog post on Wednesday that it executed coordinated legal action in the United States and the United Kingdom to seize infrastructure and take the RedVDS subscription service offline. The company said RedVDS activity has driven roughly US $40 million in reported fraud losses in the United States since March 2025.
KEY FACTS
- Incident: Coordinated legal action seized RedVDS infrastructure and took redvds.com, redvds.pro and vdspanel.space offline
- Losses: About US $40 million in reported U.S. fraud losses since March 2025
- Scope: More than 191,000 organizations said to be compromised or fraudulently accessed since September 2025
- Service: Subscription RDP hosts available for as little as US $24 per month across multiple countries
RedVDS offered disposable Windows-based virtual desktops with full administrator control, a reseller panel to create sub-users, a Telegram bot for management and no activity logs. Hosts were listed in locations including the United States, Canada, France, the Netherlands, Germany, Singapore and the United Kingdom.
The service was described as founded in 2017 and launched on the web in 2019. Since September 2025 the infrastructure is said to have contributed to the compromise or fraudulent access of more than 191,000 organizations worldwide across sectors such as legal, manufacturing, real estate, healthcare and education.
Technical details show that the providers generated Windows Server 2022 instances from a single master image, so every instance retained the same computer name, WIN-BUNS25TD77J. Instances were cloned on demand using Quick Emulator (QEMU) with VirtIO drivers, and provisioning was automated so that fresh RDP hosts could be created rapidly in exchange for cryptocurrency payments.
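Because every cloned host kept the same computer name, that name can serve as a hunting pivot in logon telemetry. The sketch below is an added example, not code from Microsoft's post or from this article; the event fields (`ts`, `user`, `src_ip`, `workstation`) and all sample records are constructed assumptions, and whether a client's computer name appears in your logs depends on your own telemetry.

```python
import json
from collections import defaultdict

# Computer name shared by every cloned host, as reported in the article.
REDVDS_HOSTNAME = "WIN-BUNS25TD77J"

# Constructed sample events (not real telemetry). Field names are assumptions
# modelled on a flattened logon record; map them to your own log schema.
SAMPLE_EVENTS = """\
{"ts": "2025-10-02T08:14:11Z", "user": "ap.clerk", "src_ip": "203.0.113.10", "workstation": "WIN-BUNS25TD77J"}
{"ts": "2025-10-02T08:15:40Z", "user": "j.doe", "src_ip": "198.51.100.7", "workstation": "FIN-LT-0231"}
{"ts": "2025-10-03T21:02:55Z", "user": "ap.clerk", "src_ip": "203.0.113.44", "workstation": "win-buns25td77j.localdomain"}
{"ts": "2025-10-04T03:30:00Z", "user": "cfo", "src_ip": "203.0.113.10", "workstation": " WIN-BUNS25TD77J "}
not-json garbage line
{"ts": "2025-10-04T09:00:00Z", "user": "svc.backup", "src_ip": "192.0.2.5"}
"""

def normalize_host(value):
    """Reduce a workstation field to an upper-case short name ('' if absent)."""
    if not isinstance(value, str):
        return ""
    # Computer names are case-insensitive; drop any DNS suffix and padding.
    return value.strip().split(".", 1)[0].upper()

def find_redvds_logons(lines):
    """Group events whose workstation matches the shared image name, per account."""
    hits = defaultdict(lambda: {"count": 0, "src_ips": set(), "first": None, "last": None})
    skipped = 0
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict):
            skipped += 1  # count unparseable lines so coverage gaps stay visible
            continue
        if normalize_host(ev.get("workstation")) != REDVDS_HOSTNAME:
            continue
        rec = hits[ev.get("user", "<unknown>")]
        rec["count"] += 1
        rec["src_ips"].add(ev.get("src_ip", "<unknown>"))
        ts = ev.get("ts", "")  # same-format ISO 8601 UTC strings sort lexically
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(hits), skipped

if __name__ == "__main__":
    print(find_redvds_logons(SAMPLE_EVENTS.splitlines()))
```

Accounts that show the shared name from several source addresses, such as `ap.clerk` in the constructed data, are the ones to review first.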
Actors used the hosts to run mass mailers, email harvesters, remote access tools and privacy browsers, and to stage business email compromise scams by impersonating legitimate correspondence. The service’s terms of service banned phishing and malware use, a restriction that did not prevent illicit activity.
WHY IT MATTERS
Low-cost, disposable virtual desktops reduce barriers for fraud and enable scalable, anonymized operations that can be used to mount convincing invoice and account takeover schemes. The disruption removes infrastructure used in those schemes, but broader mitigation depends on detection and controls across affected organizations.

