Microsoft took down massive cybercrime platform RedVDS
Google's Fast Pair protocol enables hackers to connect with audio accessories, Shipping-related firm Bluspark Global patched a raft of flaws, Kimwolf botnet may have hit its maximum potential, CNIL fined French mobile companies for data breach, Cyber authorities warn of OT threats, much more

Support independent media - upgrade your Metacurity subscription today.
Metacurity is one of the few independent media outlets delivering a daily round-up of the critical infosec developments you should know. For years, we have worked to scan thousands of sources to deliver you summarized and aggregated news to help you keep your organizations secure.
We value all of our readers, but the paid subscribers help us keep plugging away at our mission of ending infosec news overload. Please, please help keep Metacurity alive with a paid subscription. Thank you!
If you can't afford a paid subscription right now, please consider donating whatever you can. Thanks.
Microsoft announced that it disrupted RedVDS, a massive cybercrime platform linked to at least $40 million in reported losses in the United States alone since March 2025.
Microsoft filed civil lawsuits in the United States and the United Kingdom, seizing malicious infrastructure and taking RedVDS's marketplace and customer portal offline as part of a broader international operation with Europol and German authorities.
Two co-plaintiffs joined Microsoft in this action: H2-Pharma, an Alabama pharmaceutical company that lost $7.3 million in a business email compromise scheme, and the Gatehouse Dock Condominium Association in Florida, which lost nearly $500,000 in resident funds.
"For as little as $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable, and difficult to trace," said Steven Masada, assistant general counsel in Microsoft's Digital Crimes Unit.
"Services like these have quietly become a driving force behind today's surge in cyber‑enabled crime, powering attacks that harm individuals, businesses, and communities worldwide."
RedVDS operated as a cybercrime-as-a-service platform since 2019 (using the redvds[.]com, redvds[.]pro, and vdspanel[.]space domains), selling access to virtual Windows cloud servers with administrator control and no usage limits to multiple cybercriminal groups, including threat actors tracked as Storm-0259, Storm-2227, Storm-1575, and Storm-1747.
Microsoft's investigation found that RedVDS's developer and operator (tracked as Storm-2470) created all virtual machines from a single cloned Windows Server 2022 image. This left a distinctive technical fingerprint, with all instances sharing the same computer name, WIN-BUNS25TD77J, an anomaly that helped investigators track the service's operations across malicious campaigns.
RedVDS rented servers from third-party hosting providers across the United States, the United Kingdom, France, Canada, the Netherlands, and Germany. This allowed criminals to provision IP addresses geographically close to their targets and easily evade location-based security filters. (Sergiu Gatlan / BleepingComputer)
Related: Microsoft, Microsoft, Security Week, Neowin, The Record, Dark Reading, Help Net Security, CyberScoop
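The shared computer name is a usable hunting indicator, not just a forensic curiosity: Windows Security events 4624 (successful logon) and 4625 (failed logon) record the calling host in their Workstation Name field, so any network or RDP logon whose source workstation is WIN-BUNS25TD77J is a strong signal that the session came from a RedVDS instance. The script below is an added example, not code from Microsoft or from any of the reports above. It assumes events have been flattened to a simplified key=value line format (an assumption for the example; real 4624 events are XML or JSON); the sample lines are constructed, and the IPs and account names in them are placeholders. The second function generalizes the fingerprint idea beyond this one hostname, flagging any workstation name that logs on from several distinct source IPs, which is what a fleet of VMs cloned from one image looks like in logon telemetry.

```python
"""Hunt Windows logon events for RedVDS-cloned hosts (added example)."""
import re
from collections import Counter, defaultdict

# Computer name shared by every RedVDS VM, per Microsoft's investigation.
REDVDS_HOSTNAME = "WIN-BUNS25TD77J"

# Constructed sample events in a simplified key=value form (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 TargetUserName=svc_backup WorkstationName=WIN-BUNS25TD77J IpAddress=203.0.113.7",
    "EventID=4624 LogonType=10 TargetUserName=jdoe WorkstationName=LAPTOP-JDOE IpAddress=10.0.0.5",
    "EventID=4624 LogonType=10 TargetUserName=finance01 WorkstationName=win-buns25td77j IpAddress=198.51.100.22",
    "EventID=4625 LogonType=3 TargetUserName=admin WorkstationName=WIN-BUNS25TD77J IpAddress=203.0.113.7",
    "EventID=4624 LogonType=2 TargetUserName=jdoe WorkstationName=LAPTOP-JDOE IpAddress=-",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
LOGON_EVENT_IDS = {"4624", "4625"}


def parse_event(line):
    """Turn one key=value line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_redvds_logon(event):
    """True if the calling workstation carries the RedVDS image's computer name.

    NetBIOS names are reported in varying case by different log sources,
    so the comparison is case-insensitive.
    """
    return event.get("WorkstationName", "").upper() == REDVDS_HOSTNAME


def hunt(lines):
    """Return every logon event (success or failure) sourced from the RedVDS fingerprint."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") in LOGON_EVENT_IDS and is_redvds_logon(ev):
            hits.append(ev)
    return hits


def summarize(hits):
    """Group hits by source IP and list the accounts they touched."""
    by_ip = Counter(h.get("IpAddress", "-") for h in hits)
    accounts = sorted({h["TargetUserName"] for h in hits if "TargetUserName" in h})
    return {"by_ip": dict(by_ip), "accounts": accounts}


def cloned_host_candidates(lines, min_ips=2):
    """Generalized check: workstation names seen logging on from >= min_ips distinct IPs.

    One physical host rarely appears from many different public addresses, but
    a fleet of VMs cloned from a single image all present the same name.
    Local logons (IpAddress '-') are ignored because they carry no source IP.
    """
    ips_by_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in LOGON_EVENT_IDS:
            continue
        ip = ev.get("IpAddress", "-")
        host = ev.get("WorkstationName", "").upper()
        if host and ip not in ("-", ""):
            ips_by_host[host].add(ip)
    return sorted(h for h, ips in ips_by_host.items() if len(ips) >= min_ips)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    print(f"{len(found)} logon events from {REDVDS_HOSTNAME}: {summarize(found)}")
    print("cloned-image candidates:", cloned_host_candidates(SAMPLE_EVENTS))
```

A single indicator like this is cheap to rotate, so the hostname match is best treated as a high-confidence pivot for the period covered by Microsoft's findings, while the distinct-IP heuristic is the durable part of the hunt and should be tuned against your own baseline of legitimate multi-site hosts (VPN concentrators and jump boxes will trip it).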

Security researchers at Belgium’s KU Leuven University Computer Security and Industrial Cryptography group are revealing a collection of vulnerabilities they found in 17 audio accessories that use Google’s Fast Pair protocol, enabling hackers to connect with that same seamless convenience to hundreds of millions of earbuds, headphones, and speakers.
These Fast Pair-compatible audio devices are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself.
The hacking techniques the researchers demonstrated, which they’re collectively calling WhisperPair, would allow anyone within Bluetooth range of those devices—close to 50 feet in their testing—to pair with audio peripherals and hijack them silently.
Depending on the accessory, a hacker could take over or disrupt audio streams or phone conversations, play their own audio through the victim's earbuds or speakers at whatever volume they chose, or undetectably take over microphones to listen to the victim's surroundings. Worse yet, certain devices sold by Google and Sony that are compatible with Google's device geolocation tracking feature, Find Hub, could also be exploited to allow stealthy, high-resolution stalking.
Google today published a security advisory in coordination with the researchers, acknowledging their findings and describing its efforts to fix the problem. Since the researchers first disclosed their work to the company in August, they say, Google appears to have alerted at least some of the vendors of vulnerable devices, many of whom have made security updates available.
However, given that very few consumers ever think about updating the software of internet-of-things devices like headphones, earbuds, or speakers, the KU Leuven researchers warn that the WhisperPair vulnerabilities may still persist in vulnerable accessories for months or years to come. (Andy Greenberg and Lily Hay Newman / Wired)
Related: Whisperpair
Bluspark Global, a New York-based firm whose Bluvoyix shipping and supply chain platform lets hundreds of big companies transport their products and track their cargo as it travels across the globe, has spent the last few months patching its own systems following the discovery of a raft of simple vulnerabilities that inadvertently left the doors to its shipping platform wide open to anyone on the internet.
The company says that its security issues are now resolved. The company fixed five flaws in its platform, including the use of plaintext passwords by employees and customers, and the ability to access and interact with Bluvoyix's shipping software remotely. The flaws exposed all of the platform's customer data, including shipment records dating back decades.
But for security researcher Eaton Zveare, who uncovered the vulnerabilities in Bluspark's systems back in October, alerting the company to the security flaws took longer than discovering the bugs themselves, since Bluspark offered no discernible way to contact it.
In a now-published blog post, Zveare said he submitted details of the five flaws in Bluspark’s platform to the Maritime Hacking Village, a nonprofit that works to secure maritime space and, as with this case, helps researchers to notify companies working in the maritime industry of active security flaws. (Zack Whittaker / TechCrunch)
Related: PYMNTS, Eaton Works
Technical research published by XLab, Synthient, and Lumen demonstrates how the Kimwolf botnet’s operators have quickly spun up and abandoned infrastructure or shifted tactics to evade detection and remain operational.
Researchers are hopeful Kimwolf has already reached its maximum potential, yet the botnet’s operators could still exploit another proxy service and take over a new assortment of devices.
Kimwolf hasn't targeted critical infrastructure thus far, but it has the potential to cause severe damage if it were used for that purpose. Meanwhile, the malicious traffic the botnet controls isn't harmless: DDoS attacks can spread beyond their intended targets, causing downtime, congesting network links, and affecting unrelated services and operations. (Matt Kapko / CyberScoop)
Related: XLab, Lumen, Security Affairs, Black Lotus Labs

The French data protection regulator, CNIL, today issued a collective €42 million ($48.9 million) fine to two French telecom companies for GDPR violations stemming from a data breach.
Free and Free Mobile are two separate businesses, respectively overseeing fixed-line and mobile services, owned by the Iliad Group. The fines relate to an October 2024 breach that led to the data of more than 24 million individuals being compromised, including financial information such as IBANs.
In its judgment, CNIL noted that the attack began on September 28, 2024, and the companies were made aware of the intrusion on October 21 via a message from the attacker responsible. Free ousted the attacker from its systems the following day.
The attackers gained access to Free's network via the company VPN before connecting to Free Mobile's subscriber management tool, MOBO. Although the attacker only gained access to that one Free Mobile application, at the time MOBO allowed its users to look up data belonging to customers of both Free and Free Mobile, including their IBANs, provided they were subscribers of those services.
A post-mortem of the attack revealed that the attacker began exfiltrating customer records on October 6, 2024, covering a total of 24,633,469 fixed and mobile contracts, broken down into 19,460,891 Free Mobile contracts and 5,172,577 Free contracts. (Connor Jones / The Register)
Related: BleepingComputer
A group of Western cyber agencies warned about the growing digital threats facing the operational technology at the heart of industrial systems.
New guidance issued by Britain’s National Cyber Security Centre (NCSC), a part of signals and cyber intelligence agency GCHQ, sets out how organizations should securely connect equipment such as industrial control systems, sensors, and other critical services.
While historically air gapped from the internet, many of these systems are now remotely monitored and managed, increasing efficiency but also the potential attack surface for malicious actors.
According to the security agencies involved in the guidance, a wide range of groups are increasingly targeting industrial environments, from ransomware gangs to state-backed hackers and other cyber threats.
“Exposed and insecure OT connectivity is known to be targeted by both opportunistic and highly capable actors,” warns the guidance, citing a joint advisory calling out China's state-sponsored cyber activity issued in June 2023.
It also highlighted another advisory, issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and updated last month, that warned pro-Russia hacktivists were conducting opportunistic attacks against global critical infrastructure. (Alexander Martin / The Record)
Related: NCSC, CISA, Industrial Cyber
Hackers have accessed the information of current and past Victorian government school students in a significant data breach.
The Victorian Department of Education said an "external third party" had accessed all students' names, email addresses, school names, year level, and encrypted passwords.
The department said the third party had not accessed any other personal data, such as date of birth, phone number, or home address.
Hackers accessed the information through a school's network.
An education department spokesperson said the government was investigating the incident.
"The safety and privacy of students is our top priority — we have identified the point of the breach and have put safeguards in place, including the temporary disabling of systems to ensure no further data is able to be accessed," they said.
"Now we're working with cyber experts, other government agencies, and communicating with our schools to ensure this does not disrupt students when they start the 2026 school year." (ABC.net.au)
Related: Information Age, News.com, Financial Review, Cyber Press, Insurance Business, Cyber Daily
The website called ICE List, which aims to leak personal information of Immigration and Customs Enforcement and Border Patrol officers, reportedly suffered a DDoS attack.
Founder Dominick Skinner believes the DDoS attack may have originated in Russia.
The attack happened after reports that Skinner intended to publish a dataset of approximately 4,500 immigration personnel, obtained from a Department of Homeland Security whistleblower.
The dataset contains names, email addresses, phone numbers, and job titles, with Skinner planning to make most of this information public. (Ariana Baio / Independent)
Related: Daily Beast, Infosecurity Magazine
The Federal Trade Commission finalized an order with General Motors and OnStar to settle allegations that the companies collected and sold consumers’ data without adequate notification.
Under the order, General Motors and its subscription-based telematics service OnStar are prohibited from sharing certain consumer data with consumer reporting agencies. They are also required to provide greater transparency and choice to consumers about data collection.
The allegations, first announced in January 2025, claimed the companies collected and sold geolocation and driving behavior data from millions of consumers without obtaining their affirmative consent.
The final order approved by the FTC imposes a five-year ban on GM disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies.
For the next 20 years, GM will be required to obtain affirmative express consent, create a way for customers to request a copy of their data and seek deletion, give consumers the ability to disable data collection, and provide a way for them to opt out of collection. (Katherine Hamilton / Wall Street Journal)
Related: FTC, TechCrunch, GM Authority, Dataconomy
The Canadian Investment Regulatory Organization says about 750,000 Canadian investors may have had personal information compromised in a data breach last year.
According to CIRO, certain information, like social insurance numbers, investment account numbers, phone numbers, and more, may have been impacted.
CIRO says that at this time, there is no evidence that the information has been misused, but it will continue to monitor for potential malicious activity.
The data breach was the result of a sophisticated phishing attack that was quickly contained, according to CIRO.
CIRO says it is reaching out to affected investors, and those affected will be sent a notification letter starting on Jan. 14. (The Canadian Press)
Related: CIRO, Investment Executive, r/PersonalFinanceCanada, The Globe and Mail, Wealth Professional Canada, Bloomberg
UK ministers have rolled back plans for a central element of the proposed digital ID plans, leaving open the possibility that people will be able to use other forms of identification to prove their right to work.
This will mean that the IDs, announced to some controversy in September, will no longer be mandatory for working-age people, given that the only planned obligatory element was to prove the right to work in the UK.
While officials said this was not a U-turn, just a tweak before a detailed consultation on how the system will function, it will be viewed as the latest in a series of policy changes, including on business rates and inheritance tax for farmers.
When Keir Starmer announced the proposal for digital IDs by 2029, they were billed as voluntary, with the exception that they would be mandatory for people to show they were legally allowed to work. (Peter Walker and Pippa Crerar / The Guardian)
Related: BBC, The New York Times, Associated Press, Reuters, The Verge, Computer Weekly, The Independent, The Times, Financial Times, European Conservative, The Standard
X says it is changing its policies around Grok’s image-editing abilities following a multi-week outcry over the chatbot repeatedly being accused of generating sexualized images of children and nonconsensual nudity.
In an update shared from the @Safety account on X, the company said it has “implemented technological measures to prevent the Grok account from allowing the editing of images of real people in revealing clothing such as bikinis.”
The new safeguards, according to X, will apply to all users regardless of whether they pay for Grok.
Separately, California Attorney General Rob Bonta announced an investigation into the large-scale production of sexual images of women and children created using Musk’s Grok chatbot.
Bonta said the material has been used to harass people across Musk’s social-media platform, X. Both X and Grok are part of xAI.
“The avalanche of reports detailing the non-consensual sexually explicit material that xAI has produced and posted online in recent weeks is shocking,” Bonta said in a statement. (Karissa Bell / Engadget and Georgia Well and Kim Mackrael / Wall Street Journal)
Related: Financial Times, State of California, NBC News, New York Times, Reuters, The Guardian, The Indian Express, ABC, The Independent, Popular Information, Newser, CNBC, Mashable, Türkiye Today, Wall Street Journal, Android Headlines, CalMatters, Social Media Today, Engadget, Implicator.ai, Business Insider, Los Angeles Times, Bloomberg, The Hill, Politico, X, Forbes, Al Jazeera, The Irish Times, Telegraph
Aikido Security, a Brussels, Belgium- and London, UK-based provider of developer-first security products, raised $60 million in a Series B venture funding round.
DST Global led the round with participation from PSG Equity. (Supantha Mukherjee / Reuters)
Related: Sifted, Tech.eu, FinSMEs, The Next Web, Telecompaper, Tech Funding News
Depthfirst, a security startup positioning itself at the forefront of AI-powered defense, announced it had raised $40 million in a Series A venture funding round.
Accel led the round with participation from Alt Capital, BoxGroup, Liquid 2 Ventures, Mantis VC, SV Angel, and angel investors, including Jeff Dean, Kirsten Green, Colin Evans, Logan Kilpatrick, and Julian Schrittwieser. (Lucas Ropek / TechCrunch)
Related: FinSMEs, Business Wire, Ventureburn, Bloomberg
Novee, an emerging leader in AI offensive security, today announced its out-of-stealth launch with $51.5 million in a Series A funding round.
YL Ventures, Canaan Partners, and Oren Zeev (Zeev Ventures) led the round. (Chris Metinko / Axios)
Related: Business Wire, FinSMEs, SiliconANGLE, Novee, Globes, CTech, Pulse 2.0, Forbes
Best Thing of the Day: All Hope Is Not Lost
The Department of Homeland Security is finalizing plans for a new body that would replace the functions of the Critical Infrastructure Partnership Advisory Council (CIPAC) and serve as a communications hub between industry and government to discuss ongoing threats to US critical infrastructure, including from cyber attacks.
Worst Thing of the Day: Vibe Coding Can't Be Trusted
Popular vibe coding platforms consistently generate insecure code in response to common programming prompts, including creating vulnerabilities rated as critical.
Closing Thought
