Microsoft Disrupts RedVDS Cybercrime Infrastructure Globally

Microsoft Threat Intelligence and its Digital Crimes Unit, in collaboration with global law enforcement, recently disrupted RedVDS, a virtual dedicated server marketplace used since 2019 by financially motivated actors to run business email compromise, mass phishing, account takeover and financial fraud. The investigation found cloned Windows Server 2022 images and QEMU-based rapid provisioning that enabled thousands of attacks and roughly US$40 million in reported U.S. fraud losses since March 2025.
Key Points
- Identifies RedVDS as a VDS marketplace selling cloned Windows RDP hosts since 2019.
- Reveals QEMU cloning and a reused Windows Server 2022 image enabling rapid, large-scale attacker provisioning.
- Enables defenders to detect hosts via identical hostnames, OS installation IDs, RDP certificates, and telemetry.
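The third key point is the actionable one for defenders: every VM cloned from the same unsysprepped image carries the same hostname, the same Windows installation ID and the same self-signed RDP certificate, so one "machine" shows up from many unrelated networks at once. The following is an added example, not code from Microsoft or from the report, of that clustering logic run over constructed telemetry; the field names (src_ip, hostname, install_id, rdp_cert_sha1, asn), the identifier values and the thresholds are assumptions for illustration, not real indicators or a real product schema.

```python
import json
from collections import defaultdict

# Constructed sample observations (not real telemetry; field names and values are
# assumptions for this example).  Each JSON line is one sighting of a remote Windows
# host: the source IP, the hostname it advertised (e.g. RDP client name or device name in
# a sign-in log), the Windows installation ID it reported, the SHA-1 of the self-signed
# RDP TLS certificate it presented, and the ASN of the source IP.
SAMPLE_LOG = """\
{"src_ip":"198.51.100.10","hostname":"WIN-8K3JQ","install_id":"A1B2-C3D4","rdp_cert_sha1":"3f1c9b2e","asn":64500}
{"src_ip":"203.0.113.7","hostname":"WIN-8K3JQ","install_id":"A1B2-C3D4","rdp_cert_sha1":"3f1c9b2e","asn":64501}
{"src_ip":"192.0.2.44","hostname":"WIN-8K3JQ","install_id":"A1B2-C3D4","rdp_cert_sha1":"3f1c9b2e","asn":64502}
{"src_ip":"198.51.100.77","hostname":"WIN-8K3JQ","install_id":"A1B2-C3D4","rdp_cert_sha1":"3f1c9b2e","asn":64500}
{"src_ip":"10.0.5.12","hostname":"CORP-LT-041","install_id":"E5F6-0001","rdp_cert_sha1":"9a0b1c2d","asn":64496}
{"src_ip":"10.0.5.13","hostname":"CORP-LT-042","install_id":"E5F6-0002","rdp_cert_sha1":"5c7d8e9f","asn":64496}
{"src_ip":"10.0.9.2","hostname":"CORP-VDI-01","install_id":"E5F6-GOLD","rdp_cert_sha1":"e1e1e1e1","asn":64496}
{"src_ip":"10.0.9.3","hostname":"CORP-VDI-02","install_id":"E5F6-GOLD","rdp_cert_sha1":"e1e1e1e1","asn":64496}
"""

# The three identifiers that a cloned, unsysprepped image leaves identical on every VM.
IDENTITY_FIELDS = ("hostname", "install_id", "rdp_cert_sha1")


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def cluster_by_identity(events):
    """Group sightings by the full identity tuple (hostname, install ID, RDP cert)."""
    clusters = defaultdict(list)
    for ev in events:
        if not all(ev.get(f) for f in IDENTITY_FIELDS):
            continue  # an incomplete record cannot be matched reliably
        clusters[tuple(ev[f] for f in IDENTITY_FIELDS)].append(ev)
    return clusters


def find_cloned_hosts(events, min_ips=3, min_asns=2):
    """Return identity tuples seen from at least min_ips distinct source IPs spread over
    at least min_asns networks.  One Windows install appearing from many unrelated
    networks at once is the cloned-image signal.  A fleet built from one golden image
    inside a single network (shared install ID and cert, but distinct hostnames and one
    ASN) does not match and is deliberately not flagged."""
    hits = {}
    for identity, sightings in cluster_by_identity(events).items():
        ips = {s["src_ip"] for s in sightings}
        asns = {s.get("asn") for s in sightings if s.get("asn") is not None}
        if len(ips) >= min_ips and len(asns) >= min_asns:
            hits[identity] = {"src_ips": sorted(ips), "asns": sorted(asns)}
    return hits


if __name__ == "__main__":
    for identity, detail in find_cloned_hosts(parse_events(SAMPLE_LOG)).items():
        hostname, install_id, cert = identity
        print(f"cloned image: {hostname} install={install_id} rdp_cert={cert}")
        print(f"  seen from {len(detail['src_ips'])} IPs across ASNs {detail['asns']}")
```

Requiring all three identifiers to match, plus spread across more than one ASN, is what keeps the rule from firing on a legitimately cloned internal VDI pool; in practice the ASN lookup would come from an enrichment source and the thresholds would be tuned to the tenant's sign-in volume.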
Scoring Rationale
High novelty and operational impact from Microsoft's authoritative takedown and technical analysis, slightly limited by the topic's tangential relevance to AI/ML.
