Disrupting RedVDS: A Case Study in Taking Down Scam Infrastructure

Modern scam operations do not depend only on individual fraudsters sending deceptive messages. Increasingly, they rely on shared infrastructure that allows criminal groups to scale phishing, business email compromise, account takeover and payment diversion fraud across borders. RedVDS provides a clear case study in how this infrastructure layer operates.
According to a Microsoft Threat Intelligence investigation, RedVDS was a virtual dedicated server provider used by multiple financially motivated threat actors to conduct phishing, business email compromise, account takeover and financial fraud. Microsoft observed RedVDS-linked activity targeting sectors including legal services, construction, manufacturing, real estate, healthcare and education across countries such as the United States, Canada, the United Kingdom, France, Germany and Australia.
The case is significant because RedVDS was not malware in the traditional sense. It was infrastructure. Its value to criminals came from giving them access to low-cost, disposable Windows-based RDP servers that could be used to research targets, send phishing messages, host scam infrastructure, compromise accounts and support impersonation-based fraud.
RedVDS and the Cybercrime-as-a-Service Model
RedVDS operated as part of the wider cybercrime-as-a-service ecosystem, where criminal actors buy or rent the tools and infrastructure needed to conduct attacks. Instead of building their own systems, threat actors could subscribe to RedVDS and gain access to virtual servers that offered Remote Desktop Protocol access, full administrator control and few operational restrictions.
A Microsoft story on the invisible infrastructure of modern cybercrime describes the service as a source of virtual computers used as launchpads for cyber-enabled financial fraud. The service reportedly allowed criminals to operate anonymously, pay through cryptocurrency and use features that made it easier to wipe activity and reuse servers.
This model lowers the barrier to entry for complex fraud. A criminal group does not need to maintain physical infrastructure, develop every tool internally or expose its own systems to investigators. Instead, it can rent a ready-made environment and use it to run multiple stages of a scam operation.
How RedVDS Enabled Scams at Scale
Microsoft found that RedVDS-hosted environments were used to support a range of malicious activities, including mass phishing, password spraying, spoofed phishing, account takeover and business email compromise (BEC). These were not isolated use cases. RedVDS provided a repeatable environment where attackers could install and run the tools needed for campaign development, delivery and exploitation.
On RedVDS hosts, Microsoft observed mass mailing tools, email address harvesters, VPNs, privacy-focused browsers, remote access tools and scripting environments. These tools helped criminals gather target lists, prepare phishing campaigns, send high volumes of messages, conceal their activity and manage access to compromised accounts.
The infrastructure also supported the use of lookalike domains. Microsoft reported that more than 7,300 IP addresses linked to RedVDS infrastructure collectively hosted more than 3,700 homoglyph domains within a 30-day period. These domains were designed to impersonate legitimate organisations and trusted business contacts, making them especially useful in payment diversion and business email compromise schemes.
The Business Email Compromise Connection
RedVDS illustrates how technical infrastructure becomes financial harm through social engineering. In a typical RedVDS-enabled business email compromise operation, attackers could first gain access to an email account through phishing or credential theft. They could then monitor conversations, identify supplier relationships, study payment workflows and wait for the right moment to intervene.
Once an opportunity emerged, the attacker could use a lookalike domain or compromised mailbox to impersonate a trusted party. The victim might receive a realistic payment change request, invoice reminder or urgent instruction that appeared to come from someone already involved in the transaction. Because the fraud was built around real conversations and real payment timing, it could be difficult to detect.
The H2-Pharma case described by Microsoft shows the consequences. Attackers used trusted email context and a subtly altered domain to divert more than US$7.3 million from an Alabama-based pharmaceutical company. The attack did not rely on a single obvious deception. It relied on access, patience, timing and infrastructure that allowed criminals to insert themselves into a legitimate business relationship.
The Scale of the RedVDS Threat
The RedVDS case also shows why infrastructure-level services can create disproportionate harm. Microsoft reported that RedVDS-enabled activity drove roughly US$40 million in reported fraud losses in the United States alone since March 2025. The actual impact is likely higher, given that fraud and scams are frequently underreported.
In one month, Microsoft observed more than 2,600 distinct RedVDS virtual machines sending an average of one million phishing messages per day to Microsoft customers. Since September 2025, RedVDS-enabled attacks led to the compromise or fraudulent access of more than 191,000 organisations worldwide.
These figures matter because RedVDS was not simply supporting one criminal group. It functioned as shared infrastructure used by multiple actors and campaigns. Disrupting such a service can therefore affect many scam operations at once.
How Microsoft and Partners Disrupted RedVDS
A central lesson from the case is that disrupting scam infrastructure requires more than technical blocking. Microsoft’s coordinated legal action against RedVDS combined threat intelligence, civil legal action, law enforcement cooperation and technical disruption.
Microsoft filed civil actions in the United States and the United Kingdom to seize domains used to host the RedVDS marketplace and customer portal, as well as to obtain information about its operators and users. German authorities seized a key server associated with RedVDS, disrupting the platform’s central marketplace. Microsoft also worked with Europol to target the wider network of servers and payment systems supporting RedVDS customers.
This combination is important. Threat intelligence helped identify the infrastructure and connect activity across campaigns. Legal action provided a route to seize domains and pursue operator information. Law enforcement cooperation extended the disruption beyond one jurisdiction. Technical measures helped reduce the ability of criminals to continue using related systems.
Why Infrastructure-Level Disruption Matters
Most scam prevention work is necessarily defensive. Organisations block phishing emails, train employees, monitor account compromise and verify payment requests. These measures remain essential, but they often address the scam at the point of delivery or execution.
The RedVDS case shows the value of moving further upstream. When a service enables thousands of phishing attempts, account takeovers and payment diversion schemes, disrupting that service can weaken the capacity of multiple criminal actors at once. It can also generate intelligence about users, tools, domains, payment flows and related infrastructure.
This does not remove the need for organisational controls. Criminal groups will continue to migrate, rebuild and rent new services. However, sustained pressure on the infrastructure layer increases cost and friction for attackers. It also limits the reliability of the services that make scam operations scalable.
Defensive Lessons for Organisations
Email and identity controls remain central. Organisations should strengthen phishing protection, monitor suspicious sign-in activity, use phishing-resistant MFA where possible and apply conditional access policies to high-risk accounts. Unusual remote access activity, mass mailing tools, suspicious inbox rules and abnormal authentication patterns should be treated as signals that may point to account compromise.
Payment processes also need stronger safeguards. Staff should verify payment changes through trusted channels outside the original email thread, especially when requests involve urgency, new bank details or changes to established supplier processes. Lookalike domains, subtle spelling changes and unexpected shifts in tone should be treated as warning signs, even when the surrounding conversation appears familiar.
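The lookalike-domain check this passage calls for, and the homoglyph domains described earlier, as an added example that is not part of the original article or of Microsoft's tooling: it decodes punycode labels, folds visually confusable characters to the ASCII a reader would take them for, and compares a sender's domain against a list of trusted counterparties. The trusted domain names and the confusable table are constructed for illustration, not data from the RedVDS case.

```python
import unicodedata

# Constructed list of trusted counterparties (not from the article); a deployment loads its own.
TRUSTED_DOMAINS = ["h2pharma.example", "acme-construction.example"]
# Characters that render like an ASCII letter, mapped to the letter they imitate (a small,
# constructed subset: Cyrillic letters used in IDN homoglyph domains plus two digits).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j", "0": "o", "1": "l"}
PAIRS = {"rn": "m", "vv": "w"}  # letter pairs that read as a single letter

def to_unicode(domain):
    """Decode punycode (xn--) labels so the domain is judged as the recipient sees it."""
    labels = []
    for label in domain.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Fold a displayed domain down to the ASCII string a reader would take it for."""
    text = unicodedata.normalize("NFKC", to_unicode(domain))
    for pair, single in PAIRS.items():
        text = text.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, trusted domain it resembles); 'unrelated' means no resemblance."""
    shown = to_unicode(domain)
    if shown in trusted:
        return "trusted", shown
    sk = skeleton(domain)
    for t in trusted:
        tsk = skeleton(t)
        if sk == tsk:
            return "homoglyph", t  # renders identically to a trusted domain
        if tsk.split(".")[0] in sk or levenshtein(sk, tsk) <= max_distance:
            return "lookalike", t  # typosquat, or trusted name embedded in a longer domain
    return "unrelated", None
```

A "homoglyph" or "lookalike" verdict on a payment-related message is the cue to verify the request through a channel outside the email thread, as the text above recommends.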
Reporting is equally important. Individual incidents can reveal shared infrastructure, common tooling and recurring domains. When organisations report scams and preserve relevant evidence, investigators are better positioned to connect cases and target the systems behind them.
What the RedVDS Case Demonstrates
RedVDS shows that modern scam operations are supported by infrastructure, tooling and commercialised services that allow criminals to scale across sectors and jurisdictions. It also shows that effective disruption requires coordinated action across private sector investigators, courts, law enforcement and technical defenders.
For scam prevention, the broader lesson is clear. Organisations must continue to defend users, inboxes and payment processes, but the anti-scam ecosystem also needs to target the infrastructure that makes fraud repeatable and scalable. The RedVDS takedown provides a useful case study in how upstream disruption can reduce criminal capacity and make cyber-enabled fraud harder to operate at scale.
About the Author
James Greening is a Digital Content Manager at the Global Anti-Scam Alliance (GASA), where he writes on cyber-enabled fraud and developments in the global fight against online scams. He previously founded Fake Website Buster, a project dedicated to identifying and raising awareness of fraudulent websites.