2 Sources
[1]
Microsoft and European police dismantle AI-powered cybercrime service
Global police operation disrupts AI-powered cybercrime subscription behind $40 million losses
Microsoft said on Wednesday that it has disrupted RedVDS, a global cybercrime subscription service responsible for millions of dollars in fraud losses worldwide. For $24 (€21) a month, RedVDS powered phishing and fraud at a global scale, impacting hundreds of thousands of Microsoft accounts since September 2025. The coordinated effort spans civil litigation in the US, the United Kingdom, as well as server seizures by German and European law enforcement. Alongside its US court filing in the Southern District of Florida, Microsoft's Digital Crimes Unit has taken a legal step in the UK for the first time. Between September 2025 and January 2026, RedVDS-enabled cyberattacks outside of North America impacted victims across Europe, with the highest numbers in the UK, France, Germany, Italy, and Spain. The attacks primarily targeted primary and secondary education institutions, the consumer goods industry, and other professional services. The operation, conducted jointly with international law enforcement, including German authorities and Europol, has seized key infrastructure and taken the RedVDS marketplace offline. Since March 2025, RedVDS-enabled activity has driven approximately $40 million (€34 million) in reported fraud losses in the United States alone, though the actual toll is believed to be higher as some incidents are unreported. Among the victims joining Microsoft as co-plaintiffs is H2-Pharma, an Alabama pharmaceutical company that lost funds earmarked for lifesaving cancer treatments, mental health medications, and children's allergy drugs. "Falling victim to a scam should never carry stigma," Microsoft said in a press release. "These attacks are executed by organised, professional criminal groups that intercept and manipulate legitimate communications between trusted parties," it added.
RedVDS operated as part of the growing cybercrime-as-a-service ecosystem, providing access to cheap virtual computers running unlicensed software, including Windows. This allowed criminals to operate anonymously across borders, sending phishing emails, hosting scam infrastructure, and facilitating fraud schemes. The service was frequently paired with generative AI tools that helped identify high-value targets and generate realistic email threads mimicking legitimate correspondence. In many cases, attackers used face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals and deceive victims. One of the most common RedVDS-enabled attacks was payment diversion fraud, also known as business email compromise. Attackers would gain unauthorised access to email accounts, monitor conversations, and wait for opportune moments to redirect payments by impersonating trusted parties. The service has also been heavily used in real estate payment diversion scams, one of the fastest-growing forms of cyber-enabled fraud. Attackers compromised accounts of realtors, escrow agents, and title companies to send fraudulent payment instructions designed to divert closing funds and escrow payments. Microsoft's legal actions are reinforced by close collaboration with law enforcement partners around the world, including in Europe. Germany's Public Prosecutor's Office Frankfurt am Main - Central Office for Combating Internet Crime and the German State Criminal Police Office Brandenburg are seizing a critical server used to power RedVDS. In doing so, German law enforcement is taking control of the main server RedVDS uses to run its website, shutting down the online place where customers could sign up, pay for, and access RedVDS's tools. Europol's European Cybercrime Centre is working with the Digital Crimes Unit to take down the many servers across Europe that criminals were actively using through RedVDS. 
This disrupts the wider network that supported scams, even beyond the main website. Microsoft recommended several steps to reduce risk: slow down and question urgency in payment requests, verify requests using additional contact methods with numbers already known to you, enable multifactor authentication, watch for subtle changes in email addresses, keep software updated, and report suspicious activity to law enforcement.
[2]
Microsoft disrupts cybercrime service linked to AI-enabled fraud
Microsoft on Wednesday said it has taken coordinated legal action in the United States and Britain to disrupt a low-cost subscription service called RedVDS that helps cybercriminals carry out lucrative scams. RedVDS charges as little as $24 monthly for access to disposable virtual computers that enable large-scale fraud that is difficult to trace, according to the company. "Services like these have quietly become a driving force behind today's surge in cyber-enabled crime," Digital Crimes Unit Assistant General Counsel Steven Masada said in a blog post. Microsoft said RedVDS has been used primarily for payment diversion fraud, where attackers intercept legitimate business communications and redirect funds by impersonating trusted parties. Two victims joined Microsoft as co-plaintiffs: an Alabama pharmaceutical company that lost more than $7.3 million, and a Florida condominium association defrauded of nearly $500,000 in resident funds. Real estate transactions have been particularly vulnerable, Microsoft said. Generative AI tools are often paired with RedVDS services to help identify prime targets quickly and generate more authentic-appearing messages to victims, according to Masada. Microsoft reported finding hundreds of cases in which scammers used AI tools for face-swapping, voice cloning or video manipulation to trick victims. RedVDS did not respond to a request for comment. Microsoft estimated that cybercrime involving RedVDS services is linked to some $40 million in US fraud losses since March of last year.
Microsoft coordinated the legal action against RedVDS with Britain as part of a broad effort to thwart the growing trend of "cybercrime-as-a-service," according to Masada. RedVDS provides inexpensive access to effective virtual computers running unlicensed software, allowing criminals to operate quickly, anonymously and across borders, Masada said. The US tech giant said the effort includes prosecutors and police in Germany, where a critical computer server used to power RedVDS was seized, according to Masada. Microsoft said it is also working with Europol's European Cybercrime Centre and law enforcement agencies elsewhere to disrupt the RedVDS server and payment networks.
Microsoft has disrupted RedVDS, a $24-per-month cybercrime subscription service that enabled AI-powered fraud at global scale. The coordinated operation with European law enforcement seized critical servers and took the marketplace offline. RedVDS facilitated payment diversion scams using generative AI tools, face-swapping technology, and voice cloning to impersonate trusted parties and redirect funds.
Microsoft announced on Wednesday that it has successfully disrupted RedVDS, a cybercrime subscription service that powered widespread phishing and fraud campaigns responsible for approximately $40 million in reported fraud losses across the United States since March 2025 [1]. The operation marks a significant milestone in combating cybercrime-as-a-service, with the tech giant filing legal action in both the US Southern District of Florida and, for the first time, in the United Kingdom [1].
For just $24 per month, RedVDS provided criminals with access to disposable virtual computers running unlicensed Windows software, enabling them to operate anonymously across borders while conducting large-scale fraud that proved difficult to trace [2]. Between September 2025 and January 2026, the service impacted hundreds of thousands of Microsoft accounts, with European victims concentrated in the UK, France, Germany, Italy, and Spain [1].

The coordinated takedown involved extensive collaboration with European law enforcement agencies, including Germany's Public Prosecutor's Office Frankfurt am Main and the German State Criminal Police Office Brandenburg, which conducted server seizures of the main infrastructure powering the RedVDS marketplace [1]. Europol's European Cybercrime Centre worked directly with Microsoft's Digital Crimes Unit to dismantle multiple servers across Europe that criminals actively used through RedVDS, effectively shutting down the online platform where customers could sign up and access the service's tools [1].

RedVDS-enabled attacks primarily utilized payment diversion fraud, also known as business email compromise, where attackers gained unauthorized access to email accounts and monitored conversations to identify opportune moments for redirecting payments [1]. The service was frequently paired with generative AI tools that helped criminals identify high-value targets and generate realistic email threads mimicking legitimate correspondence [1].

Microsoft reported finding hundreds of cases where scammers deployed AI-enabled fraud techniques including face-swapping, video manipulation, and voice cloning to impersonate individuals and deceive victims [2]. "Services like these have quietly become a driving force behind today's surge in cyber-enabled crime," said Steven Masada, Assistant General Counsel at Microsoft's Digital Crimes Unit [2].

The attacks targeted primary and secondary education institutions, consumer goods industries, and professional services across Europe [1]. Among the victims joining Microsoft as co-plaintiffs is H2-Pharma, an Alabama pharmaceutical company that lost more than $7.3 million in funds earmarked for lifesaving cancer treatments, mental health medications, and children's allergy drugs [1][2]. A Florida condominium association was also defrauded of nearly $500,000 in resident funds [2].

Real estate transactions proved particularly vulnerable to RedVDS-enabled scams, with attackers compromising accounts of realtors, escrow agents, and title companies to send fraudulent payment instructions designed to divert closing funds and escrow payments [1]. "Falling victim to a scam should never carry stigma," Microsoft stated, emphasizing that "these attacks are executed by organised, professional criminal groups that intercept and manipulate legitimate communications between trusted parties" [1].

Microsoft recommended organizations enable multifactor authentication, verify payment requests through additional contact methods using known numbers, watch for subtle changes in email addresses, keep software updated, and report suspicious activity to law enforcement [1]. The actual toll from RedVDS-enabled phishing campaigns is believed to be higher than reported, as some incidents remain unreported [1].

Summarized by Navi