
Dark Web Leaks: Exploit Production Company

I have to tell you about the latest "copy-paste" disaster in cybercrime history. This is pure gold.

Microsoft recently took down a massive cyber-fraud ring called "RedVDS." These guys were basically running an "all-inclusive" rental shop for cyber criminals. You just drop some crypto, and they hand you an unrestricted Windows virtual server like, "Here you go, buddy, go scam whoever you want."



They used these servers to hijack corporate emails (BEC) and run massive phishing campaigns. We’re talking about $40 million stolen in the U.S. alone!

But here’s the kicker: How did this massive network get busted? (Pay attention here).

The guy who built the system set up an automated virtualization infrastructure (QEMU) to spin up thousands of servers instantly. Everything looked super professional up to that point. But then, peak laziness kicked in. Think of it like this: you build a high-tech printing press to make thousands of fake passports, but you accidentally put your own photo on every single one of them. 😂

The admin was too lazy to run "Sysprep" when cloning new virtual machines! For the non-techies, that means he didn't reset the operating system's unique ID or digital fingerprint.

The result? No matter where in the world you rented a server from, thousands of machines had the exact same name, setup ID, and RDP certificate fingerprint: WIN-BUNS25TD77J

Microsoft’s security teams basically went, "Uh, why are there a million devices named WIN-BUNS25TD77J active at the same time?" and just tracked that one name.

The scammers tried to be slick by renting IPs from the UK or Netherlands to bypass geo filters, but it was useless. How are you going to hide when you're walking around with the exact same barcode on your forehead? Microsoft just grabbed them by the collar and pulled the plug on the whole network.

The most ironic part? The "sub-crews" renting these servers were actually pretty organized. They had VPNs, AnyDesk, and mass mailing tools all set up. Since they didn't speak good English, they were even using ChatGPT to write their phishing emails so they wouldn't sound like scammers. The fake domains and everything were flawless.

It just goes to show: you can assemble the world’s most dangerous hackers and use the latest AI... but if the systems guy setting up your infrastructure is too lazy to spend two seconds on a configuration setting, your multi-million dollar crime empire can vanish overnight.

The Numbers Behind the Chaos

  • Scale of Impact: Since March 2025, the service facilitated over $40 million in losses in the U.S. alone.

  • Victim Count: Approximately 191,000 Microsoft accounts were compromised across 130,000 organizations worldwide.

  • Phishing Volume: At its peak, just 2,600 RedVDS virtual machines were responsible for sending an average of 1 million phishing emails per day.

    The "Fingerprint" (The Sysprep Blunder)

    In a standard IT environment, when you clone a virtual machine, you use a tool called Sysprep to "generalize" the image. This resets the Security Identifier (SID) and clears out unique hardware/software fingerprints so each copy looks like a brand new computer.

  • The Error: The operator (tracked by Microsoft as Storm-2470) skipped this step.

  • The Result: Every single server they sold, thousands of them, shared the exact same Computer Name: WIN-BUNS25TD77J.

  • Detection: This name appeared in system telemetry and Remote Desktop (RDP) certificates globally. Microsoft’s Digital Crimes Unit (DCU) simply had to look for any machine with that specific name to identify a criminal server, regardless of which country's IP address it was using.
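One way a defender could surface this kind of fingerprint collision in their own RDP telemetry, as an added example that is not code from the original post or from Microsoft. The record fields, thresholds and sample data are all constructed assumptions; the logic groups observations by (computer name, RDP certificate thumbprint) and flags any pair seen from far more distinct IPs and countries than a properly generalized image could ever produce.

```python
# Added example (not from the original post): flag hostname / RDP certificate
# pairs that recur across many distinct endpoints and countries. A Sysprep-
# generalized image never yields thousands of hosts sharing one name and one
# self-signed RDP certificate. Field names and thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RdpObservation:
    computer_name: str    # hostname seen in telemetry / RDP certificate subject
    cert_thumbprint: str  # SHA-1 thumbprint of the self-signed RDP certificate
    src_ip: str           # address the RDP listener was observed on
    country: str          # geolocation of src_ip


def find_cloned_fleets(obs, min_ips=25, min_countries=3):
    """Return {(name, thumbprint): {"ips": n, "countries": [...]}} for every
    name+certificate pair observed from at least `min_ips` distinct IPs spread
    over at least `min_countries` countries."""
    groups = defaultdict(lambda: {"ips": set(), "countries": set()})
    for o in obs:
        g = groups[(o.computer_name, o.cert_thumbprint)]
        g["ips"].add(o.src_ip)
        g["countries"].add(o.country)
    hits = {}
    for key, g in groups.items():
        if len(g["ips"]) >= min_ips and len(g["countries"]) >= min_countries:
            hits[key] = {"ips": len(g["ips"]), "countries": sorted(g["countries"])}
    return hits


# Constructed sample: 40 clones sharing one name and one certificate across four
# hosting countries, plus five unrelated servers with unique names and certs.
SAMPLE = [
    RdpObservation("WIN-BUNS25TD77J", "AA" * 20, f"203.0.113.{i}",
                   ["US", "GB", "NL", "DE"][i % 4])
    for i in range(40)
] + [
    RdpObservation(f"SRV-{i:03d}", f"{i:02x}" * 20, f"198.51.100.{i}", "US")
    for i in range(5)
]

if __name__ == "__main__":
    for (name, thumb), info in find_cloned_fleets(SAMPLE).items():
        print(f"{name} cert={thumb[:8]}... ips={info['ips']} "
              f"countries={info['countries']}")
```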

      The "Service Model"

      RedVDS didn't just provide a server; it provided a "Criminal Toolkit" for as little as $24/month:

      • Infrastructure: They rented bulk space from legitimate hosting providers in the US, UK, Netherlands, France, and Germany, then resold it as "unrestricted" virtual desktops.

      • Pre-installed Tools: The servers came pre-loaded with mass-mailers (like SuperMailer and UltraMailer), email harvesters (like Sky Email Extractor), and privacy tools (VPNs and the Waterfox browser) to help scammers get started instantly.

The AI Connection

The most modern part of this operation was how the "sub-customers" (the scammers renting the servers) used Generative AI:

  • Professionalism: They used ChatGPT and other LLMs to write perfectly phrased emails, bypassing the "broken English" red flag that usually gives away foreign scammers.

  • High-End Deception: In some cases, they used face-swapping and voice-cloning AI to impersonate company executives during Business Email Compromise (BEC) attacks, making their "urgent wire transfer" requests look and sound authentic.

Notable Victims

  • H2-Pharma: An Alabama-based pharmaceutical company that lost over $7.3 million.

  • Gatehouse Dock Condominium Association: A Florida HOA that lost nearly $500,000 in resident funds meant for building repairs.

The operation, led by Microsoft’s Digital Crimes Unit, involved a combination of civil lawsuits in the U.S. and U.K. (a first for the U.K. courts) and physical server seizures by Europol and German authorities. This allowed Microsoft to legally seize the domains redvds[.]com and redvds[.]pro, effectively "beheading" the management portal of the network.

  Phishing attempts are getting sneakier, often leveraging homoglyph attacks or unusual characters to trick employees. I put together a simple but effective query to scan for new users created with "weird" characters in the email domain that indicates a potential sign of a spoofed or malicious account creation attempt. KQL Breakdown: This query scans 7 days of CloudAppEvents for the `Create user.` action, then checks the new user's email domain for any non-ASCII characters (characters outside the standard English keyboard set: $\text{U+0000}$ to $\text{U+007F}$) . This is a great starting point for spotting internationalized domain name (IDN) abuse or other sophisticated L3 attacks. CloudAppEvents | where TimeGenerated > ago(7d) | where ActionType == "Create user." | extend Email = tostring(parse_json(RawEventData).EmailAddress) | extend Domain = tostring(split(Email,"@")[1]) | where Domain matches regex @"[^\u0000-\u007F]" | project Ti...