I have to tell you about the latest "copy-paste" disaster in cybercrime history. This is pure gold.
Microsoft recently took down a massive cyber-fraud ring called "RedVDS." These guys were basically running an "all-inclusive" rental shop for cyber criminals. You just drop some crypto, and they hand you an unrestricted Windows virtual server like, "Here you go, buddy, go scam whoever you want."
They used these servers to hijack corporate emails (BEC) and run massive phishing campaigns. We’re talking about $40 million stolen in the U.S. alone!
But here’s the kicker: How did this massive network get busted? (Pay attention here).
The guy who built the system set up an automated virtualization infrastructure (QEMU) to spin up thousands of servers instantly. Everything looked super professional up to that point. But then, peak laziness kicked in. Think of it like this: you build a high-tech printing press to make thousands of fake passports, but you accidentally put your own photo on every single one of them. 😂
The admin was too lazy to run "Sysprep" when cloning new virtual machines! For the non-techies, that means he didn't reset the operating system's unique ID or digital fingerprint.
The result? No matter where in the world you rented a server from, thousands of machines had the exact same name, setup ID, and RDP certificate fingerprint: WIN-BUNS25TD77J
Microsoft’s security teams basically went, "Uh, why are there a million devices named WIN-BUNS25TD77J active at the same time?" and just tracked that one name.
The scammers tried to be slick by renting IPs from the UK or the Netherlands to bypass geo filters, but it was useless. How are you going to hide when you're walking around with the exact same barcode on your forehead? Microsoft just grabbed them by the collar and pulled the plug on the whole network.
The most ironic part? The "sub-crews" renting these servers were actually pretty organized. They had VPNs, AnyDesk, and mass mailing tools all set up. Since they didn't speak good English, they were even using ChatGPT to write their phishing emails so they wouldn't sound like scammers. The fake domains and everything were flawless.
It just goes to show: You can assemble the world’s most dangerous hackers and use the latest AI... but if the systems guy setting up your infrastructure is too lazy to spend two seconds on a configuration setting, your multi-million dollar crime empire can vanish overnight.
The Numbers Behind the Chaos
Scale of Impact: Since March 2025, the service facilitated over $40 million in losses in the U.S. alone.
Victim Count: Approximately 191,000 Microsoft accounts were compromised across 130,000 organizations worldwide.
Phishing Volume: At its peak, just 2,600 RedVDS virtual machines were responsible for sending an average of 1 million phishing emails per day.
The "Fingerprint" (The Sysprep Blunder)
In a standard IT environment, when you clone a virtual machine, you use a tool called Sysprep to "generalize" the image. This resets the Security Identifier (SID) and clears out unique hardware/software fingerprints so each copy looks like a brand new computer.
The Error: The operator (tracked by Microsoft as Storm-2470) skipped this step.
The Result: Every single server they sold (thousands of them) shared the exact same Computer Name: WIN-BUNS25TD77J.
Detection: This name appeared in system telemetry and Remote Desktop (RDP) certificates globally. Microsoft’s Digital Crimes Unit (DCU) simply had to look for any machine with that specific name to identify a criminal server, regardless of which country's IP address it was using.
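As an added example (not code from the original post or from Microsoft), here is the defender-side version of that telemetry check: a hostname plus RDP certificate thumbprint is a host identity, and a single identity legitimately should not show up from several unrelated public IPs in several countries within the same hour. The hostname is the one named in the post; the thumbprints, IPs, countries and timestamps are constructed sample data.

```python
"""Flag host identities that look like un-generalized VM clones."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, hostname, rdp_cert_thumbprint, source_ip, country).
# TEST-NET addresses and thumbprint labels are made up for this example.
SAMPLE_TELEMETRY = [
    ("2025-06-01T10:00:00", "WIN-BUNS25TD77J", "THUMB-CLONE-01", "203.0.113.5", "US"),
    ("2025-06-01T10:05:00", "WIN-BUNS25TD77J", "THUMB-CLONE-01", "198.51.100.23", "GB"),
    ("2025-06-01T10:12:00", "WIN-BUNS25TD77J", "THUMB-CLONE-01", "192.0.2.77", "NL"),
    ("2025-06-01T10:40:00", "WIN-BUNS25TD77J", "THUMB-CLONE-01", "203.0.113.88", "DE"),
    # A normal server: one identity, one IP, repeated check-ins.
    ("2025-06-01T10:03:00", "FILESRV01", "THUMB-LEGIT-01", "203.0.113.9", "US"),
    ("2025-06-01T10:30:00", "FILESRV01", "THUMB-LEGIT-01", "203.0.113.9", "US"),
    # A roaming laptop: two IPs, same country, hours apart - not a clone.
    ("2025-06-01T09:10:00", "LAPTOP-ALICE", "THUMB-LEGIT-02", "198.51.100.40", "GB"),
    ("2025-06-01T14:50:00", "LAPTOP-ALICE", "THUMB-LEGIT-02", "198.51.100.41", "GB"),
]

_EPOCH = datetime(1970, 1, 1)  # naive reference point, keeps bucketing timezone-independent


def find_cloned_identities(records, window=timedelta(hours=1), min_ips=3, min_countries=2):
    """Return {(hostname, thumbprint): {"ips": set, "countries": set}} for every
    identity seen from >= min_ips distinct IPs and >= min_countries countries
    inside a single time bucket of length `window`."""
    buckets = defaultdict(lambda: {"ips": set(), "countries": set()})
    for ts, host, thumb, ip, country in records:
        seconds = (datetime.fromisoformat(ts) - _EPOCH).total_seconds()
        slot = int(seconds // window.total_seconds())
        bucket = buckets[(host, thumb, slot)]
        bucket["ips"].add(ip)
        bucket["countries"].add(country)

    flagged = {}
    for (host, thumb, _slot), bucket in buckets.items():
        if len(bucket["ips"]) >= min_ips and len(bucket["countries"]) >= min_countries:
            hit = flagged.setdefault((host, thumb), {"ips": set(), "countries": set()})
            hit["ips"] |= bucket["ips"]
            hit["countries"] |= bucket["countries"]
    return flagged


if __name__ == "__main__":
    for (host, thumb), hit in find_cloned_identities(SAMPLE_TELEMETRY).items():
        print(f"{host} / {thumb}: {len(hit['ips'])} IPs across {sorted(hit['countries'])}")
```

Lowering `min_countries` to 1 would also catch a fleet of clones parked at a single hosting provider, at the cost of flagging legitimately roaming devices.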
The "Service Model"
RedVDS didn't just provide a server; it provided a "Criminal Toolkit" for as little as $24/month:
Infrastructure: They rented bulk space from legitimate hosting providers in the US, UK, Netherlands, France, and Germany, then resold it as "unrestricted" virtual desktops.
Pre-installed Tools: The servers came pre-loaded with mass-mailers (like SuperMailer and UltraMailer), email harvesters (like Sky Email Extractor), and privacy tools (VPNs and the Waterfox browser) to help scammers get started instantly.
The AI Connection
The most modern part of this operation was how the "sub-customers" (the scammers renting the servers) used Generative AI:
Professionalism: They used ChatGPT and other LLMs to write perfectly phrased emails, bypassing the "broken English" red flag that usually gives away foreign scammers.
High-End Deception: In some cases, they used face-swapping and voice-cloning AI to impersonate company executives during Business Email Compromise (BEC) attacks, making their "urgent wire transfer" requests look and sound authentic.
Notable Victims
H2-Pharma: An Alabama-based pharmaceutical company that lost over $7.3 million.
Gatehouse Dock Condominium Association: A Florida HOA that lost nearly $500,000 in resident funds meant for building repairs.
The operation, led by Microsoft’s Digital Crimes Unit, involved a combination of civil lawsuits in the U.S. and U.K. (a first for the U.K. courts) and physical server seizures by Europol and German authorities. This allowed Microsoft to legally seize the domains redvds[.]com and redvds[.]pro, effectively "beheading" the management portal of the network.