Executive Summary
In June 2025, Microsoft, in collaboration with international law enforcement, dismantled the infrastructure powering the RedVDS cybercrime marketplace, a platform notorious for enabling large-scale cyber fraud. Since at least March 2025, RedVDS provided cybercriminals with access to disposable, unlicensed virtual Windows servers for as little as $24 per month, facilitating attacks such as phishing, credential theft, and business email compromise. The platform's operations are tied to over $40 million in U.S. fraud losses, including multi-million-dollar incidents targeting the pharmaceutical and real estate sectors. Over a month, attackers using RedVDS compromised more than 191,000 Microsoft email accounts, demonstrating the platform's operational scale and global reach.
This takedown underscores the growing threat of Cybercrime-as-a-Service marketplaces, which lower barriers for cybercriminals and accelerate the pace and scale of attacks. Organizations across industries must prioritize modern security strategies as such platforms proliferate and regulatory bodies intensify their scrutiny of supply chain and email-based threats.
Why This Matters Now
The RedVDS case shows how accessible and scalable the infrastructure behind global phishing, payment diversion, and account compromise attacks has become. As cybercriminal tooling gets cheaper and easier to rent, organizations face elevated risk from automated, high-volume attacks and need multi-layered security and compliance controls suited to these attacker business models.
Attack Path Analysis
Attackers used RedVDS-hosted servers to gain initial access through high-volume phishing that harvested credentials for corporate email accounts. Once inside, they escalated privileges by using compromised administrator credentials or by exploiting misconfigurations, then moved laterally (east-west) to identify and access additional sensitive services and accounts. C2 channels were established through remote access tools running on disposable VMs, blending in with normal data center traffic. Sensitive information, credentials, and business communications were exfiltrated and used for fraud, resulting in payment diversion and business email compromise with direct financial and reputational impact.
Kill Chain Progression
Initial Compromise
Description
Attackers sent massive volumes of phishing emails from RedVDS-issued infrastructure, harvesting credentials from victims and using them to gain access to cloud email accounts.
Related CVEs
CVE-2025-29824
CVSS 7.8 (High). An elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver that lets an attacker who already has code execution on a host gain SYSTEM privileges. It belongs to the privilege-escalation stage described in the attack path, not to phishing-based initial access, and the sources cited on this page do not connect it to RedVDS-hosted campaigns.
Affected Products:
Microsoft Windows – 10, 11
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Valid Accounts
Brute Force
Acquire Infrastructure: Server
Compromise Infrastructure: Web Services
Remote Access Software
Credentials from Password Stores
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication and Account Management
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Flexible Authentication Policies
Control ID: Identity Pillar - Authentication & Access Control
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
RedVDS-enabled business email compromise attacks targeting payment systems require enhanced egress security, encrypted traffic monitoring, and zero trust segmentation for financial transactions.
Real Estate/Mortgage
Payment diversion fraud through compromised realtor and escrow accounts affected more than 9,000 customers, which calls for multicloud visibility and threat detection capabilities.
Health Care / Life Sciences
H2 Pharma's $7.3 million loss demonstrates the pharmaceutical sector's exposure to cybercrime-as-a-service and the need for HIPAA-compliant anomaly detection and policy enforcement.
Legal Services
The RedVDS-enabled compromise of title companies and legal firms highlights the need for east-west traffic security and Kubernetes protection in legal document processing environments.
Sources
- Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace. https://cyberscoop.com/microsoft-seizes-disrupts-redvds-cybercrime-marketplace/
- Microsoft seizes 340 websites linked to growing phishing subscription service. https://www.investing.com/news/stock-market-news/microsoft-seizes-340-websites-linked-to-growing-phishing-subscription-service-4241000
- Microsoft seizes 338 websites to disrupt rapidly growing 'RaccoonO365' phishing service. https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/
- Microsoft seizes 340 websites tied to Raccoon0365 phishing operation. https://cybernews.com/cybercrime/microsoft-seizes-340-websites-nigerian-raccoon0365-phishing-operation/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Effective implementation of Zero Trust segmentation, end-to-end encryption, and egress controls would have disrupted attackers’ ability to compromise accounts, move laterally, maintain C2, and exfiltrate sensitive data. Visibility, distributed policy enforcement, and inline threat detection could quickly identify and block anomalous traffic, limiting both the scope and impact of attacks facilitated by RedVDS.
Control: Cloud Firewall (ACF)
Mitigation: Prevents malicious inbound and outbound email/phishing traffic associated with known bad IPs.
Control: Zero Trust Segmentation
Mitigation: Limits privilege escalation by restricting account access based on identity and least-privilege policies.
Control: East-West Traffic Security
Mitigation: Detects and blocks suspicious internal traffic attempting unauthorized service-to-service movement.
Control: Inline IPS (Suricata)
Mitigation: Identifies and blocks C2 communications exhibiting known malicious patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or alerts on outbound transfers of sensitive information to unauthorized destinations.
Control: Centralized Multicloud Visibility & Anomaly Response
Mitigation: Rapid identification of and response to anomalous account behaviors indicative of business email compromise.
Impact at a Glance
Affected Business Functions
- Email Communications
- Financial Transactions
- Customer Data Management
Estimated downtime: 5 days
Estimated loss: $40,000,000
Unauthorized access to sensitive customer data, including financial information and personal identifiers, leading to potential identity theft and financial fraud.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to strictly control access between cloud environments, workloads, and user tiers.
- Deploy Cloud Firewall and Inline IPS for real-time blocking of malicious or suspicious inbound/outbound cloud traffic associated with known threat infrastructure.
- Enforce strong egress controls with domain and FQDN filtering to prevent data exfiltration and unauthorized external communications.
- Enhance East-West Traffic Security to detect and prevent lateral movement within cloud and hybrid networks.
- Integrate centralized multicloud visibility and anomaly response to rapidly identify, alert on, and contain suspicious account activity and business email compromise attempts.
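The final takeaway above calls for anomaly response that identifies suspicious account activity and business email compromise attempts. The following is an added example, not code from the original page or from Microsoft: a small Python detector run over constructed Microsoft 365-style Unified Audit Log records. It flags successful sign-ins from address space attributed to hosting providers (the kind of rented, disposable server RedVDS sold) and inbox-rule changes that forward mail to an external domain or hide it, and raises the severity when both occur for the same account within 24 hours. The CIDR ranges, tenant domain, folder names and log lines are assumptions constructed for illustration; in production the hosting ranges would come from ASN or threat-intelligence data and the records from the real audit log export.

```python
"""Flag business-email-compromise (BEC) indicators in Microsoft 365-style
Unified Audit Log records.  Added example with constructed data: the address
ranges, tenant domain and log lines are assumptions, not data from the
RedVDS investigation."""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed: address space attributed to rented/hosting infrastructure.
# In production this comes from ASN lookups or threat-intelligence feeds.
HOSTING_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Constructed: the tenant's own mail domains; forwarding anywhere else is external.
TENANT_DOMAINS = {"example.com"}
# Folders attackers commonly use to hide replies from the mailbox owner.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History",
                  "Junk Email", "Deleted Items"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample records (simplified UAL schema, one JSON object per line).
SAMPLE_LOG = [
    json.dumps({"CreationTime": "2025-06-02T08:14:00Z", "Operation": "UserLoggedIn",
                "ResultStatus": "Success", "UserId": "alice@example.com",
                "ClientIP": "203.0.113.45"}),
    json.dumps({"CreationTime": "2025-06-02T08:30:00Z", "Operation": "UserLoggedIn",
                "ResultStatus": "Success", "UserId": "bob@example.com",
                "ClientIP": "192.0.2.10"}),
    json.dumps({"CreationTime": "2025-06-02T09:02:00Z", "Operation": "New-InboxRule",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;wire"},
                               {"Name": "ForwardTo", "Value": "payments@example-invoices.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-06-02T09:10:00Z", "Operation": "New-InboxRule",
                "UserId": "bob@example.com", "ClientIP": "192.0.2.10",
                "Parameters": [{"Name": "SubjectContainsWords", "Value": "newsletter"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]


def is_hosting_ip(ip):
    """True if the address falls in a range attributed to hosting providers."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def parse_event(line):
    ev = json.loads(line)
    # UAL timestamps are ISO 8601 with a trailing Z; fromisoformat wants an offset.
    ev["_ts"] = datetime.fromisoformat(ev["CreationTime"].replace("Z", "+00:00"))
    return ev


def rule_indicators(ev):
    """Return indicator strings for a suspicious inbox-rule change ([] if benign)."""
    if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
    found = []
    for name in FORWARD_PARAMS:
        if name in params:
            domain = params[name].rsplit("@", 1)[-1].lower()
            if domain not in TENANT_DOMAINS:
                found.append(f"{name} -> external domain {domain}")
    if params.get("DeleteMessage", "False").lower() == "true":
        found.append("DeleteMessage=True")
    if params.get("MoveToFolder") in HIDING_FOLDERS:
        found.append(f"MoveToFolder={params['MoveToFolder']}")
    return found


def detect_bec(lines):
    """Correlate hosting-range sign-ins with suspicious rule changes per user."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["_ts"])
    hosting_logins = {}   # user -> timestamps of successful hosting-range sign-ins
    alerts = []
    for ev in events:
        user = ev["UserId"]
        ip = ev.get("ClientIP")
        if (ev["Operation"] == "UserLoggedIn" and ev.get("ResultStatus") == "Success"
                and ip and is_hosting_ip(ip)):
            hosting_logins.setdefault(user, []).append(ev["_ts"])
            alerts.append({"severity": "medium", "user": user,
                           "reason": f"successful sign-in from hosting address {ip}"})
        indicators = rule_indicators(ev)
        if indicators:
            correlated = any(ev["_ts"] - ts <= CORRELATION_WINDOW
                             for ts in hosting_logins.get(user, []))
            alerts.append({"severity": "high" if correlated else "medium", "user": user,
                           "reason": "suspicious inbox rule: " + "; ".join(indicators)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bec(SAMPLE_LOG):
        print(f"[{alert['severity'].upper()}] {alert['user']}: {alert['reason']}")
```

Run on the constructed records, the detector raises a medium alert for Alice's sign-in from the hosting range and a high alert for her rule that forwards invoice mail to an external domain and deletes the original, while Bob's sign-in from non-hosting space and his plain folder-sorting rule produce nothing. Correlating the two signals is what separates a rented-VPS account takeover from an employee who happens to create a rule while travelling; either signal alone is worth a lower-severity review.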