On 14 January 2026, Microsoft announced that it had taken coordinated legal action to disrupt RedVDS, a global cybercrime subscription service. The announcement shines a light on how technology is being used to perpetrate fraud and the ecosystem that sits behind it. Significantly, Microsoft has brought a civil cybercrime claim in the UK for the first time. In this article, Martin Walsh, Charlie Mercer and Francesca Bugg examine what this action against RedVDS reveals about the evolving cybercrime landscape and what it means for the fight against online fraud in the UK.

 

RedVDS

For as little as US$24 per month, RedVDS provided access to virtual dedicated servers (VDSs), essentially disposable virtual computers, for the purposes of perpetrating cyber fraud. Cybercriminals used the network for a wide range of activities, including sending high-volume phishing emails, hosting scam infrastructure and otherwise facilitating fraud schemes. It was frequently paired with generative AI tools, which helped to identify high-value targets more quickly. AI also helped deceive victims by mimicking legitimate email threads and enabling face-swapping, video manipulation and voice cloning. This reflects a trend in the use of AI to commit fraud that we have been tracking.

To give a sense of the scale, in a single month, more than 2,600 RedVDS machines sent an average of one million phishing messages to Microsoft customers alone, part of the 600 million cyberattacks Microsoft blocks per day. Since September 2025, RedVDS-enabled attacks have led to the compromise or fraudulent access of more than 191,000 organisations worldwide.

Most commonly, RedVDS enabled attacks through payment diversion (or business email compromise) fraud, where attackers gain unauthorised access to email accounts, quietly monitoring them until an opportune moment arises to divert a payment. It has been particularly heavily used in the real estate sector. Microsoft gives a reported impact of RedVDS-enabled scams of US$40m, but estimates the figure is significantly higher.

This follows Microsoft’s seizure in September 2025 of hundreds of websites associated with the phishing service RaccoonO365. In short, services such as this make fraud cheap, scalable and difficult to trace.

 

Action taken

While limited details are available, Microsoft’s Digital Crimes Unit appears to have worked with law enforcement in multiple jurisdictions, including Germany, and with Europol. Microsoft has also issued civil proceedings in Florida. Significantly, for the first time, it has also taken civil action in the UK, resulting in the seizure of two UK-hosted website domains.

Although details of the UK proceedings are not yet publicly available, the seizure notice on RedVDS’s website (displayed by Microsoft here) suggests that the action was based on the use of pirated copies of Microsoft’s Windows Server software to facilitate criminal activity.

 

Conclusion

This incident provides an insight into both the developing ecosystems and technologies sitting behind the increase in fraud, and the corresponding developments in the legal actions required to address them. It also demonstrates the importance of technology companies taking action themselves, rather than relying on enforcement agencies. Finally, it provides an example of how the English courts can be used to tackle cybercrime, in this case, because the relevant domains were hosted in the UK.

 


 
