Cyber Incident Victim: H2-Pharma
Date: Mar 2025
Location: United States of America
Summary
Microsoft, in coordination with legal partners from the US and UK and international law enforcement including Europol, seized the infrastructure of RedVDS, a cybercriminal subscription service that offered AI-powered phishing and business email compromise tools. The platform, which charged as little as $24 monthly, provided criminals with disposable virtual computers running unlicensed software and enabled attacks that have caused over $40 million in losses in the US alone, impacting nearly 190,000 organizations globally. Among the victims was an Alabama pharmaceutical company, H2-Pharma, which incurred losses exceeding $7.3 million, along with a Florida home association that lost more than $500,000. RedVDS services were frequently combined with generative AI to craft convincing phishing messages and even deepfake videos and voice clones to impersonate individuals. The takedown was enabled by victim cooperation, which Microsoft noted was crucial for the action.
Description
By January 14, 2026, the Alabama-based pharmaceutical company H2-Pharma had fallen victim to a cyber-attack conducted through the criminal subscription service RedVDS, with financial losses exceeding $7.3 million. The incident was part of a broader pattern of fraud campaigns run from the RedVDS platform, which sold cybercriminals inexpensive, disposable virtual computers running unlicensed software so that they could operate anonymously. The attackers used these resources for targeted business email compromise (BEC): the criminals infiltrate or monitor legitimate business correspondence, then impersonate a trusted contact to request a fraudulent wire transfer. In the H2-Pharma case, as in other RedVDS-facilitated BEC scams, the perpetrators likely used generative AI tools to identify the company as a high-value target and to craft phishing emails or attachments that mimicked expected legitimate correspondence, which made the deception more plausible. Microsoft cited the H2-Pharma attack as one of several notable cases, having identified nearly 190,000 organizations worldwide as victims of RedVDS-supported campaigns since March 2025, with the United States, Canada, and the United Kingdom the most affected countries. Losses in the U.S. alone surpassed $40 million, a severe impact given the service's low monthly subscription cost to criminals.
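
The BEC pattern described above (a trusted contact is impersonated, or a legitimate mailbox is hijacked, to steer a payment) leaves header-level traces that a mail-security team can check before a wire request reaches accounts payable. The following triage script is an added example written for this page, not code from Microsoft, H2-Pharma or RedVDS; the contact directory, domains and the three messages are constructed for illustration and are not taken from the incident. It flags display-name impersonation, Reply-To redirection, lookalike domains (edit distance of at most 2 from a trusted domain) and payment language, and it deliberately handles the compromised-mailbox case where the sender domain is genuine but Reply-To has been redirected.

```python
"""BEC header triage: flag payment requests whose sender identity does not line up.

Added example; directory entries and sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed trusted-contact directory: display name -> the domain that
# contact really sends from. Hypothetical names and domains, not from the page.
TRUSTED = {
    "dana reyes": "h2pharma.example",
    "acme supply ap": "acmesupply.example",
}
TRUSTED_DOMAINS = set(TRUSTED.values())

# Words that typically appear in a fraudulent payment-redirection request.
PAYMENT_WORDS = re.compile(
    r"\b(wire|ach|routing|account number|remit|invoice|urgent)\b", re.I
)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str):
    """Return the trusted domain this one imitates (distance <= 2), else None."""
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw_message: str) -> list:
    """Return the list of BEC indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    reply_dom = reply.rsplit("@", 1)[-1].lower() if reply else from_dom

    flags = []
    expected = TRUSTED.get(name.strip().lower())
    if expected and from_dom != expected:
        flags.append("display-name-impersonation")
    if reply_dom != from_dom:
        # Covers the hijacked-mailbox case: genuine From, attacker-controlled Reply-To.
        flags.append("reply-to-mismatch")
    imitated = lookalike(from_dom) or lookalike(reply_dom)
    if imitated:
        flags.append(f"lookalike:{imitated}")

    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    # Payment language alone is normal business traffic; only escalate it when
    # at least one identity anomaly is present.
    if flags and PAYMENT_WORDS.search(body):
        flags.append("payment-request")
    return flags


# Constructed sample messages (not real mail from the incident).
LEGIT = (
    "From: Dana Reyes <dana.reyes@h2pharma.example>\n"
    "Subject: Q3 figures\n"
    "\n"
    "Attached are the Q3 figures for the audit.\n"
)
SPOOFED = (
    "From: Dana Reyes <d.reyes@h2pharna.example>\n"
    "Reply-To: dana.reyes@mail-secure.example\n"
    "Subject: Urgent vendor payment\n"
    "\n"
    "Please process the attached invoice by wire today; new account number enclosed.\n"
)
HIJACKED = (
    "From: Acme Supply AP <ap@acmesupply.example>\n"
    "Reply-To: ap@acmesupply-billing.example\n"
    "Subject: Updated remittance details\n"
    "\n"
    "We changed banks. Please update the routing number before the next payment.\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("hijacked", HIJACKED)):
        print(label, triage(sample))
```

The second sample trips every check (impersonated display name, lookalike domain with a transposed letter, redirected Reply-To, payment wording); the third shows why a domain allow-list is not enough: the From domain is the real supplier's, and only the Reply-To redirection and payment language give it away.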

Microsoft announced the coordinated action to dismantle RedVDS on January 14, 2026, following legal proceedings in the United States and, for the first time in such a case, the United Kingdom, with additional support from international law enforcement including Europol. The operation seized RedVDS's website and underlying infrastructure, disrupting the cybercrime-as-a-service platform that had enabled attacks such as the one against H2-Pharma. Microsoft explicitly credited victims including H2-Pharma and the Gatehouse Dock Condominium Association in Florida, which lost over $500,000, stating that their cooperation was instrumental in enabling the legal action and would help protect future targets. The takedown targeted the core tools of the operation, including the AI-enhanced phishing and BEC capabilities that had been paired with deepfake video and voice cloning to create more convincing impersonations. Seizing the infrastructure was intended to prevent further immediate harm, and Microsoft's public statements stressed that reporting incidents, as H2-Pharma did, is a vital step in dismantling such criminal networks and preventing additional victims, a process that depends on affected organizations coming forward without stigma.
