Google on June 12, 2026 filed a federal civil lawsuit in Manhattan against a China-based cybercrime network it calls the “Outsider Enterprise,” accusing the group of running an AI-assisted text-message phishing operation that the FBI has linked to roughly 3.87 million stolen credit cards and an estimated $1.9 billion in losses. The complaint was filed in the U.S. District Court for the Southern District of New York, the same day the FBI, Google, and Lumen Technologies’ Black Lotus Labs carried out a coordinated takedown of the network’s infrastructure.
Google said 2.5 million scam messages reached Android users in a two-week stretch in May, and that the kit weaponized Google’s own Gemini chatbot to generate the fraudulent web pages the texts linked to. The lawsuit, paired with cooperation from AT&T, T-Mobile, and Verizon, marks Google’s most aggressive move yet against a smishing-as-a-service economy that has grown into a subscription business sold through Telegram channels.
The 2.5 Million Texts That Triggered a Federal Lawsuit
Google filed the civil complaint in Manhattan federal court on Friday, June 12, 2026, targeting Outsider Enterprise and the operators behind its phishing kit. AT&T, T-Mobile, and Verizon are working with Google to block the fraudulent messages before they reach customers, according to Google’s own announcement of the action. The takedown, dubbed Operation Ghost Hook, was coordinated the same day by the FBI, Google, and Lumen’s Black Lotus Labs.
Between May 18 and June 1, 2026, Google said, 2.5 million messages went out to Android users containing links to Outsider-generated sites. In that same two-week window, Android users flagged 55,000 spam texts tied to the operation, more than two complaints a minute. The kit’s catalog included more than 290 pre-built website templates impersonating brokerage account issues, mobile carrier rewards, package tracking problems, and compromised-account warnings. Every link Google counted was a route to a fake site built to collect personal or financial information.
The FBI estimated the platform is tied to roughly 3.87 million stolen credit cards and about $1.9 billion in losses between July 2023 and the takedown. Google said the schemes victimized more than 100,000 people, with losses in the millions (full figures spelled out in the company’s full announcement of the lawsuit and partner statements).
- 2.5 million messages sent to Android users in two weeks
- 55,000 spam texts flagged by Android users in the same window
- 1.59 million fraudulent URLs identified between November 14, 2025 and April 14, 2026
- 9,000 fake websites tied to the operation
- 3.87 million stolen credit cards linked to the kit since July 2023
How Outsider Turned Phishing Into a Subscription Service
Outsider was a phishing-as-a-service kit distributed through Telegram and sold through a self-service ordering bot. Subscribers paid $88 a week or $200 a month for a license, and the package came with more than 290 pre-built templates impersonating the sites of trusted institutions. The kit also bundled real-time keystroke logging and a campaign-tracking dashboard, and the complaint says it gave buyers the ability to defeat SMS, PIN, email, and app verification flows. Outsider effectively turned phishing into a SaaS product with a checkout button, with annual licenses scaling into the four figures.
Google framed Outsider as plug-and-play for fraudsters who cannot write code. The kit’s instructions, the complaint says, walked members through copying and pasting Gemini-generated HTML into Outsider to convert a basic shell page into a working phishing site.
The prompts themselves were dressed up as ordinary programming requests. Members asked Gemini for the HTML of a “gift redemption page” with specific functionality and were told to avoid JavaScript and use inline CSS, the complaint alleges. Once the counterfeit site was live, its URL was sent to potential victims via SMS.
The pattern, according to The Hacker News, is the same one that powered the recently disrupted Sniper Dz kit and Lighthouse, the platform Google sued in November 2025. The economic model runs on subscription volume, and it lowers the bar to entry for would-be fraudsters who would otherwise have no idea how to build a phishing page.
Five Interlinked Groups Form the Network
Outsider Enterprise is not one actor. Google’s complaint describes a network of overlapping groups with different functions, and Google said it does not know the real names of the people or entities behind the operation. The roles mirror a small software company, complete with a developer team, a sales pipeline, and a customer-success arm.
The Developer Group supplies the phishing software and templates. The Data Broker Group provides curated lists of people to target. The Spammer Group ships the bulk-messaging tools, and the Theft Group monetizes the stolen data and launders the funds.
A fifth role, the Telegram Group, is what holds the operation together. It coordinates members, recruits new ones, and operates the @OutsiderCodeBot license store. The complaint accuses the network of abusing Google Cloud, Google Drive, and Google trademarks, and says Outsider’s software lets scammers request multiple types of verification from victims, a flexibility Google says lets the kit defeat various forms of authentication security. Google is asking the court to block the Outsider software and to award unspecified monetary damages. Reuters reported Google is also supporting seven pending congressional bills aimed at countering scams.
| Group | Function |
|---|---|
| Developer | Supplies the phishing software and templates |
| Data Broker | Provides curated target lists |
| Spammer | Provides bulk-messaging tools |
| Theft | Monetizes stolen data, launders funds |
| Telegram | Coordinates members, recruits new ones |
Gemini Becomes a Co-Pilot for the Scam Pages
The AI angle is what made this case new. Google said it is the first lawsuit it has filed specifically over the abuse of its Gemini AI tools, and the complaint alleges that the network’s instructions told members to frame their Gemini prompts as ordinary programming requests, asking for the HTML of a “gift redemption page” with specific features.
The case is one of the first public examples of a major AI vendor naming a criminal network in a federal filing over the misuse of its own chatbot. The complaint was filed in the Southern District of New York, the same court where Google sued the Lighthouse operators seven months earlier. FBI Assistant Director Brett Leatherman framed the AI risk more broadly in Google’s blog post on the case, and Help Net Security noted Google described the suit as its first involving Gemini abuse. AT&T, T-Mobile, and Verizon, plus several named members of Congress, are now publicly citing AI in their own statements on the case.
The criminals behind the Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims. Criminals increasingly use AI to make fraud like this more convincing and harder to detect. Together with partners like Google, we can disrupt criminal networks in ways no single organization could on its own.
Brett Leatherman, assistant director of the FBI’s Cyber Division, in a statement published with Google’s blog post on June 12, 2026.
Operation Ghost Hook Hits Servers, Wallets, and Storefronts
The takedown came the same day as the lawsuit. The FBI, Google, and Lumen Technologies’ Black Lotus Labs jointly ran Operation Ghost Hook. CyberScoop reported that the FBI used an Outsider Telegram bot to obtain information on the network’s customers.
What was seized: multiple domains tied to the group’s core admin servers, a Shopify e-commerce storefront, and an account used to test the phishing service. Authorities confiscated roughly $100,000 in USDT from Outsider payment wallets. The @OutsiderCodeBot Telegram bot used to purchase licenses is no longer accessible, The Hacker News reported, and the channels associated with it have been deleted or taken down.
Thousands of phishing domains registered through U.S.-based providers were disrupted and rerouted to an FBI splash page. The FBI traced Outsider’s phishing domains to nearly 3.9 million stolen credit cards, a figure that lines up with Google’s own count of the operation’s footprint. Operation Ghost Hook is part of the FBI’s broader Operation Riptide campaign targeting cybercriminal infrastructure, and the FBI said the takedown reached attacks against people and businesses in 55 countries, including the United States. Google’s threat team had already flagged the same U.K. retail attack pattern earlier this year, as documented in the UK retailer attacks Google says are now aimed at U.S. chains.
Telecoms played the front-line blocking role. AT&T, T-Mobile, and Verizon are working with Google to intercept smishing messages before they reach customers, with each carrier citing AI-driven scam volume and cross-industry coordination as their main defense. The carriers’ statements were issued alongside Google’s filing.
The Smishing Wave That Was Already Building
The Outsider takedown lands inside a much larger text-scam wave. The FTC said U.S. consumers reported $470 million in losses from scams that started with text messages in 2024, more than five times the amount reported in 2020. The FBI’s 2024 Internet Crime Report logged $16.6 billion in total reported losses across 859,532 complaints, a 33% jump from 2023 (full tally in the 2024 Internet Crime Report’s $16 billion tally and complaint totals).
The top three categories by number of complaints in 2024 were phishing/spoofing, extortion, and personal data breaches. Investment fraud, particularly crypto-linked schemes, drove the most reported losses at over $6.5 billion. The FTC’s 2024 data spotlight (the 2024 text-scam loss data showing a fivefold jump since 2020) also names the top five text-scam varieties of 2024:
- Fake package delivery problems (most reported, usually pretending to be USPS)
- Phony job opportunities and task scams
- Fake fraud alerts impersonating banks or Amazon
- Bogus notices about unpaid tolls (SunPass, FasTrak, and others)
- “Wrong number” texts that turn into fake crypto investment pitches
Outsider is the second major Chinese PhaaS platform Google has sued in seven months. In November 2025, Google filed a civil suit in the Southern District of New York against the operators of Lighthouse, a PhaaS platform that ensnared over 1 million users across 120 countries. Lighthouse is part of a broader Chinese smishing network tracked as Smishing Triad, alongside Darcula and Lucid. Google said the Lighthouse service has since been disrupted, and its operators’ Telegram channels have been deleted or taken down.
Google Is Also Backing Seven Bipartisan Bills
Google is pairing the lawsuit with a legislative push. The company said it is supporting seven pending bipartisan congressional bills aimed at countering scams, and General Counsel Halimah DeLaine Prado wrote that litigation alone won’t end the threat. The bills are part of a broader push to make AI-driven scam protections permanent in U.S. law.
Three of the bills have named sponsors. Senator Rick Scott, chairman of the U.S. Senate Special Committee on Aging, is pushing the National Strategy for Combating Scams Act with Ranking Member Kirsten Gillibrand. Representative Brian Fitzpatrick, a former FBI agent and federal prosecutor, is sponsoring the Stop SCAMS Act, and Representative Josh Harder is also backing the Stop SCAMS Act. The strategy behind the package is the same one Google is using in the lawsuit: law enforcement, industry, and government working in lockstep. The package sits alongside the EU’s coordinated crackdown on the NoName05716 hacker network (the EU’s coordinated crackdown on the NoName05716 hacker network) as a parallel example of cross-border enforcement against a smishing-adjacent operation.
Criminal scammers are using an increasingly sophisticated toolkit to bilk hardworking Americans out of their savings. The government’s job is to protect them, and Washington needs to do that better. As chairman of the U.S. Senate Special Committee on Aging, I was proud to join Ranking Member Gillibrand in the bipartisan National Strategy for Combating Scams Act, which would finally bring federal agencies together, slash redundancies and create a real national plan to protect seniors and hardworking Americans.
Senator Rick Scott, chairman of the U.S. Senate Special Committee on Aging, in a statement published with Google’s blog post on June 12, 2026.
Frequently Asked Questions
What is Outsider Enterprise?
Outsider Enterprise is the name Google uses in a June 12, 2026 federal lawsuit for an organized Chinese cybercrime group. The group ran a phishing-as-a-service kit sold via Telegram and used Gemini to generate fraudulent web pages linked in scam text messages.
How much did the phishing scheme cost victims?
The FBI estimated $1.9 billion in losses tied to roughly 3.87 million stolen credit cards between July 2023 and mid-2026. Google said more than 100,000 people were victimized.
What did Google ask the court to do?
Google is seeking a court order to block the Outsider software, plus unspecified monetary damages. The complaint also accuses the group of abusing Google Cloud, Google Drive, and Google trademarks.
Will this stop AI-driven text scams?
Google called the case the first time it has sued specifically over abuse of its Gemini AI tools. The FBI says it disrupted the platform’s infrastructure, but warns criminals will adapt.
What should I do if I get a suspicious text?
Don’t click the link. Forward the message to 7726 (SPAM), report it through Google Messages or iMessage, and file a complaint at ReportFraud.ftc.gov. If you already entered information, contact your bank immediately.
