Global police operation disrupts AI-powered cybercrime subscription behind $40 million losses
Microsoft said on Wednesday that it has disrupted RedVDS, a global cybercrime subscription service responsible for millions of dollars in fraud losses worldwide.
For $24 (€21) a month, RedVDS powered phishing and fraud at a global scale, impacting hundreds of thousands of Microsoft accounts since September 2025.
The coordinated effort spans civil litigation in the US and the United Kingdom, as well as server seizures by German and European law enforcement.
European Impact and Cross-Border Response
Alongside its US court filing in the Southern District of Florida, Microsoft's Digital Crimes Unit has taken a legal step in the UK for the first time.
Between September 2025 and January 2026, RedVDS-enabled cyberattacks outside of North America impacted victims across Europe, with the highest numbers in the UK, France, Germany, Italy, and Spain.
The attacks primarily targeted primary and secondary education institutions, the consumer goods industry, and other professional services.
The operation, conducted jointly with international law enforcement, including German authorities and Europol, has seized key infrastructure and taken the RedVDS marketplace offline.
Since March 2025, RedVDS-enabled activity has driven approximately $40 million (€34 million) in reported fraud losses in the United States alone, though the actual toll is believed to be higher as some incidents are unreported.
Who were the victims?
Among the victims joining Microsoft as co-plaintiffs is H2-Pharma, an Alabama pharmaceutical company that lost funds earmarked for lifesaving cancer treatments, mental health medications, and children's allergy drugs.
"Falling victim to a scam should never carry stigma," Microsoft said in a press release. "These attacks are executed by organised, professional criminal groups that intercept and manipulate legitimate communications between trusted parties," it added.
How did it work?
RedVDS operated as part of the growing cybercrime-as-a-service ecosystem, providing access to cheap virtual computers running unlicensed software, including Windows. This allowed criminals to operate anonymously across borders, sending phishing emails, hosting scam infrastructure, and facilitating fraud schemes.
The service was frequently paired with generative AI tools that helped identify high-value targets and generate realistic email threads mimicking legitimate correspondence.
In many cases, attackers used face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals and deceive victims.
Real estate scams
One of the most common RedVDS-enabled attacks was payment diversion fraud, also known as business email compromise. Attackers would gain unauthorised access to email accounts, monitor conversations, and wait for opportune moments to redirect payments by impersonating trusted parties.
The service has also been heavily used in real estate payment diversion scams, one of the fastest-growing forms of cyber-enabled fraud. Attackers compromised accounts of realtors, escrow agents, and title companies to send fraudulent payment instructions designed to divert closing funds and escrow payments.
Coordinated European law enforcement
Microsoft's legal actions are reinforced by close collaboration with law enforcement partners around the world, including in Europe.
Germany's Public Prosecutor's Office Frankfurt am Main – Central Office for Combating Internet Crime and the German State Criminal Police Office Brandenburg are seizing a critical server used to power RedVDS.
In doing so, German law enforcement is taking control of the main server RedVDS uses to run its website, shutting down the online place where customers could sign up, pay for, and access RedVDS's tools.
Europol's European Cybercrime Centre is working with the Digital Crimes Unit to take down the many servers across Europe that criminals were actively using through RedVDS. This disrupts the wider network that supported scams, even beyond the main website.
Protecting against fraud
Microsoft recommended several steps to reduce risk: slow down and question urgency in payment requests, verify requests using additional contact methods with numbers already known to you, enable multifactor authentication, watch for subtle changes in email addresses, keep software updated, and report suspicious activity to law enforcement.