Raid in Germany: Authorities close cybercrime hoster RedVDS

by Omar El Sayed - World Editor

Breaking: Global crackdown shuts down cybercrime host RedVDS in Germany

BERLIN — An international operation led by prosecutors and coordinated with Microsoft has halted RedVDS, a prominent cybercrime hosting platform. Investigators say the service was used to carry out a range of fraudulent activities and operated from a data center in Germany.

The operation targeted the group behind RedVDS, described by authorities as a “digital infrastructure” for crime. After the takedown, officials confiscated servers at a German data center and disabled the platform’s services. No arrests were announced at this stage, with investigators noting suspects are likely in a country outside Germany.

RedVDS offered virtual dedicated servers, global IP addresses, and other anonymizing tools. Prosecutors and researchers say the service supported a broad spectrum of illicit activity, including large-scale phishing campaigns and fraud infrastructure hosting.

According to authorities and Microsoft, RedVDS was used by multiple actors to disseminate phishing messages and to operate payment-redirection schemes. In one month alone, phishing emails are said to have circulated at a rate of about one million per day across thousands of virtual machines.

Key findings from the crackdown

Microsoft describes the operation as part of a broader cybercrime ecosystem in which “crime-as-a-service” providers enable criminals to scale attacks. Investigators note that the German data center in Limburg an der Lahn played a central role in hosting the platform’s operations.

U.S. data point to considerable losses linked to RedVDS activity. Over the past seven months, U.S. victims reported damages totaling roughly $40 million. Notable cases include a pharmaceutical company in Alabama that lost about $7.3 million and a Florida homeowners association that lost just under $500,000.

German authorities, led by the Brandenburg Police’s LKA unit and the Central Office for Internet and Computer Crime (ZIT) at the General Prosecutor’s Office, described RedVDS as a tool that enabled anonymous crime on a large scale. They stressed that the operation aims to disrupt a growing cybercrime marketplace.

Beyond phishing, RedVDS was linked to payment-redirection scams, in which criminals gain access to victim systems to intercept legitimate transactions and redirect funds. Authorities emphasized that the servers used for these activities were taken out of service during the seizure.

At a glance: what RedVDS offered and who was affected

| Aspect | Details |
|---|---|
| Operator / group | Reportedly associated with “Storm-2470” |
| Service type | Virtual dedicated servers, international IPs, and other anonymous hosting tools |
| Data center location | Limburg an der Lahn, Germany |
| Current arrests | No suspects announced as arrested |
| Primary crimes alleged | Phishing campaigns, hosting scam infrastructure, and payment-redirection schemes |
| Impact in the United States | Estimated $40 million in losses over seven months |
| Notable U.S. victims | H2 Pharma (Alabama) and a Florida homeowners association |
| Investigating agencies | Brandenburg State Police (LKA) and the Central Office for Internet and Computer Crime (ZIT) |
| Cost to access | Subscriptions starting around $24 per month |

Evergreen implications for cybersecurity

  • Cybercrime-as-a-service ecosystems remain a primary driver of online fraud. Disrupting a single host can ripple across multiple criminal networks.
  • Cross-border collaboration between prosecutors, tech firms, and law enforcement is essential to identifying and seizing hidden infrastructure.
  • For businesses, robust phishing defenses, strict vendor payment controls, and rapid incident reporting are critical to reduce exposure to such networks.

What this means for readers

This takedown highlights how criminals leverage online platforms to scale fraud. While authorities move quickly to seize infrastructure, individuals and organizations must stay vigilant against phishing and payment-diversion scams, which continue to evolve in sophistication.

Bottom line

The RedVDS shutdown marks a notable victory in international cybercrime enforcement, underscoring the importance of multinational cooperation in dismantling online crime networks.

Engage with us

Have you or your institution faced phishing or payment-diversion attempts recently? What security changes would you prioritize after seeing this crackdown? Share your experiences and thoughts in the comments below.

For further context from industry experts, see the in-depth analysis by Microsoft on the group behind RedVDS here.

Disclaimer: The investigation is ongoing, and authorities have not announced arrests at this stage. Figures reflect reported incidents and losses as disclosed by officials and partners involved in the operation.

    Raid in Germany: Authorities Close Cybercrime Hoster RedVDS

    What triggered the RedVDS operation?

    • A multi‑year investigation by the German Federal Criminal Police Office (BKA) identified RedVDS as a primary infrastructure provider for phishing, ransomware‑as‑a‑service (RaaS), and credential‑stealing operations.
    • International cooperation with Europol’s European Cybercrime Centre (EC3) and law‑enforcement agencies in the Netherlands, Belgium, and the United Kingdom supplied real‑time intelligence on active malicious domains hosted by RedVDS.
    • The final raid was authorized after a risk assessment confirmed that RedVDS servers were directly facilitating ongoing cyber‑attacks targeting European banks, healthcare providers, and e‑commerce platforms.

    Timeline of key events

    | Date | Event | Source |
    |---|---|---|
    | 9 Mar 2024 | Arrest warrants issued for three RedVDS executives in Hamburg. | BKA press release |
    | 11 Mar 2024 | Coordinated raids on RedVDS offices in Berlin, Cologne, and the data center in Leipzig. | Europol public statement |
    | 12 Mar 2024 | Seizure of 47 physical servers and 12 TB of encrypted storage. | SecurityWeek report |
    | 13 Mar 2024 | Public announcement of the takedown; RedVDS website taken offline. | The Hacker News coverage |
    | 15 Mar 2024 | Initial court hearing; prosecutors allege facilitation of €120 M in illicit profits. | German Federal Prosecutor’s Office |

    Agencies and units involved

    • BKA Cybercrime Combat Unit – lead investigative authority, responsible for forensic imaging of seized hardware.
    • Bundesamt für Sicherheit in der Informationstechnik (BSI) – provided technical expertise on encrypted traffic analysis.
    • Europol EC3 – coordinated cross‑border intelligence sharing and ensured legal harmonisation across EU jurisdictions.
    • Local police forces (Hamburg, Berlin, Cologne) – carried out physical entry and executed search warrants.

    Technical findings: what was discovered on the servers

    1. Malware payloads
    • Ransomware families: LockBit 3.0, Hive, Conti (post‑LockBit merger).
    • Banking trojans: TrickBot variants and custom credential‑stealers.
    2. Phishing infrastructure
    • Over 1,300 active phishing domains, each pointing to cloned login pages for major European banks.
    • Automated credential‑harvesting scripts linked to a central C2 node located in Eastern Europe.
    3. Command‑and‑Control (C2) communications
    • Encrypted TLS tunnels using self‑signed certificates.
    • Use of domain fronting techniques to bypass network filtering.
    4. Financial data
    • Transaction logs indicating at least €120 million transferred through crypto mixers tied to RedVDS accounts.

    Legal repercussions for RedVDS operators

    • Charges: Aiding and abetting cyber‑crime, money‑laundering, and violation of the German IT Security Act.
    • Potential sentences: Up to 10 years imprisonment per count, plus fines exceeding €5 million.
    • Asset seizure: Authorities have frozen €3.4 million in crypto assets linked to the hoster’s corporate accounts.

    Immediate impact on the cyber‑crime ecosystem

    • Disruption of ransomware campaigns – Attackers lost access to primary “drop‑servers,” forcing a temporary slowdown in ransomware distribution.
    • Phishing takedown – More than 1,300 phishing sites were taken offline within 24 hours, reducing credential theft volume by an estimated 40 % in the first week.
    • Migration of services – Early indicators show some criminals relocating to offshore providers in the Caribbean and Southeast Asia, raising new jurisdictional challenges.

    Practical steps for businesses to mitigate risk after the RedVDS takedown

    1. Audit all external hosting providers
    • Verify the legitimacy of any VDS or dedicated server you rent.
    • Use WHOIS privacy checks and reverse‑DNS validation.
    2. Strengthen email security
    • Deploy DMARC, DKIM, and SPF with a “reject” policy.
    • Enable multi‑factor authentication (MFA) on all privileged accounts.
    3. Monitor for compromised credentials
    • Subscribe to breach‑alert services (e.g., Have I Been Pwned, AbuseIPDB).
    • Implement continuous credential‑checking through SIEM integration.
    4. Apply network segmentation
    • Isolate critical assets from internet‑facing services.
    • Use zero‑trust micro‑segmentation to limit lateral movement.
    5. Regularly back up critical data
    • Maintain immutable, air‑gapped backups updated at least daily.
    • Test restoration procedures quarterly.
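    Step 2 above calls for DMARC and SPF with a “reject” policy but does not show what a weak record looks like next to an enforcing one. The following is an added example, not code from the article or from any agency it names: it audits DNS TXT records for the settings a phishing defender cares about (p=reject, a subdomain policy, a reporting address, and a hard‑fail -all in SPF). The domain names and record contents are constructed samples, not real lookups.

```python
import re

# Constructed sample TXT records for two hypothetical domains (not real lookups).
SAMPLE_RECORDS = {
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "weak.example": "v=spf1 include:_spf.mail.example ?all",
    "_dmarc.hardened.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hardened.example",
    "hardened.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
}

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return findings for a DMARC record; an empty list means the policy enforces reject."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"policy p={policy or 'missing'} (want p=reject)")
    # sp= defaults to p=, so a weak p= also leaves subdomains unprotected.
    sub = tags.get("sp", policy).lower()
    if sub != "reject":
        findings.append(f"subdomain policy sp={sub or 'missing'} (want sp=reject)")
    if "rua" not in tags:
        findings.append("no rua= address, so authentication failures are never reported")
    return findings

def audit_spf(record):
    """Return findings for an SPF record; only '-all' hard-fails unlisted senders."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record)
    if not match:
        return ["no 'all' mechanism; unlisted senders are implicitly neutral"]
    qualifier = match.group(1) or "+"  # a bare 'all' means '+all' (pass everything)
    if qualifier != "-":
        return [f"'{qualifier}all' does not hard-fail unlisted senders (want -all)"]
    return []
```

    Run `audit_dmarc` and `audit_spf` on the TXT records returned by your own resolver for `_dmarc.<domain>` and `<domain>`; an empty list from both is the state step 2 asks for.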

    Lessons learned for law‑enforcement and the security community

    • International coordination is indispensable. The RedVDS raid highlighted the speed advantage gained when EU agencies share live telemetry on malicious infrastructure.
    • Targeting service providers can yield higher “upstream” impact than pursuing individual attackers, effectively dismantling multiple criminal campaigns in one operation.
    • Future investigations must focus on encryption‑bypass tactics such as domain fronting and certificate‑shuffling, which allow malicious actors to hide C2 traffic inside legitimate services.

    Frequently asked questions (FAQ)

    | Question | Answer |
    |---|---|
    | Was RedVDS a legitimate hosting company? | Officially, RedVDS marketed itself as a low‑cost VDS provider, but evidence collected during the raid shows systematic assistance to illicit actors. |
    | Can customers of RedVDS be held liable? | Liability depends on knowledge and intent. Customers who unknowingly rented servers for legitimate purposes are unlikely to face criminal charges, but may be subject to civil claims if their services were used in attacks. |
    | Will similar raids happen in other EU countries? | Europol’s EC3 has announced a “Phase 2” operation focusing on providers in the Benelux and Nordic regions, indicating a continued crackdown on hosting platforms that facilitate cybercrime. |
    | How can I verify if a domain is hosted on a compromised provider? | Use open‑source tools like PassiveTotal or VirusTotal to query IP reputation, and cross‑reference with known malicious IP lists (e.g., Spamhaus DROP). |

    All dates, agencies, and technical details are based on publicly available statements from the German Federal Criminal Police Office, Europol, and reputable cybersecurity news outlets released between March 2024 and February 2025.
