Google Sues Chinese Cybercrime Network for Exploiting Gemini AI in Phishing Scheme

In a significant legal move, Google has initiated a lawsuit against a Chinese cybercrime network, alleging that it exploited the company’s Gemini artificial intelligence (AI) agent to orchestrate phishing text message campaigns targeting American citizens. This development underscores the evolving landscape of cyber threats and the increasing sophistication of phishing techniques.

Legal Action Against Cybercrime

On Friday, Google announced its legal pursuit against the network, which is reportedly behind a phishing-as-a-service (PhaaS) toolkit known as “Outsider.” The tech giant claims that this operation has weaponized Gemini to create fraudulent phishing pages and conduct extensive SMS phishing, commonly referred to as “smishing.” These attacks often impersonate legitimate brands, misleading recipients with messages about “brokerage account issues” or claims of eligibility for “rewards through their mobile phone carrier.”

Google’s lawsuit aims to dismantle the infrastructure of this cybercrime network. In a collaborative effort, the company is working alongside major telecommunications providers such as AT&T, T-Mobile, and Verizon to prevent these malicious messages from reaching consumers.

Scale of the Operation

According to Google, the Outsider operation is coordinated through Telegram, where the network distributes phishing kits that enable criminals to send deceptive text messages masquerading as trusted brands. This scheme has reportedly victimized over 100,000 individuals, resulting in millions of dollars in financial losses.

Between November 14, 2025, and April 14, 2026, authorities identified approximately 9,000 fake websites and over 1.59 million fraudulent URLs associated with the phishing service. During a two-week period from May 18 to June 1, 2026, the network was responsible for sending 55,000 spam texts flagged by Android users. In total, 2.5 million messages containing links to Outsider-generated websites were dispatched to Android users within the same timeframe.

For a subscription fee as low as $88 per week or $200 per month, criminals could utilize the Outsider kit to create fraudulent websites, launch phishing campaigns, and steal sensitive information, including credit card numbers and bank account credentials. Licenses for the service were available through a self-service ordering bot on Telegram.

Technical Mechanisms of the Phishing Kit

The Outsider service provides over 290 pre-built templates that mimic legitimate websites of trusted institutions. It also includes features such as real-time keystroke logging and a performance dashboard to monitor campaign effectiveness. Google’s complaint highlights the alarming simplicity of the Outsider toolkit, which offers step-by-step instructions on how to weaponize AI-generated code.

Members of the Outsider Enterprise can generate programming code for a shell website using AI tools. This code can then be integrated into the Outsider platform to create fraudulent sites designed to extract personal or financial information from victims. The prompts for Gemini and similar AI platforms are often framed as benign requests for programming assistance, such as generating HTML code for a “gift redemption page.”

Structure of the Outsider Enterprise

The Outsider Enterprise consists of several interconnected groups that collaborate to execute phishing attacks. These groups include:

  • The Developer Group: Supplies the phishing software and templates.
  • The Data Broker Group: Provides curated lists of potential targets.
  • The Spammer Group: Supplies tools for sending bulk fraudulent text messages.
  • The Theft Group: Assists in monetizing stolen information and laundering funds.
  • The Telegram Group: Facilitates collaboration and recruitment among members.

This structure significantly lowers the barrier to entry for novice fraudsters, allowing individuals with limited programming knowledge to conduct sophisticated phishing attacks with minimal effort.

Implications for Cybersecurity

Brett Leatherman, assistant director of the FBI’s Cyber Division, noted that the criminals behind the Outsider Enterprise have built a business model based on impersonating trusted brands to defraud countless victims. The use of AI in these schemes makes them increasingly convincing and harder to detect.

The FBI reported that the PhaaS platform accounted for an estimated 3,870,000 stolen credit cards and approximately $1.9 billion in losses from July 2023 to the present. As part of a coordinated effort known as Operation Ghost Hook, several domains, including a Shopify e-commerce storefront and accounts used to test the phishing service, have been seized. Additionally, around $100,000 in USDT from Outsider payment wallets has been confiscated, alongside the disruption of thousands of phishing domains.

Operation Ghost Hook is part of a broader initiative termed Operation Riptide, which targets the criminal actors, infrastructure, and financial networks behind cybercrime and fraud against American citizens.

This legal action follows a similar lawsuit filed by Google against another Chinese cybercrime group responsible for a massive PhaaS platform called Lighthouse, which affected over 1 million users across 120 countries.

Update on Outsider Operations

As of now, the Telegram bot (@OutsiderCodeBot) that facilitated the purchase of Outsider licenses is no longer accessible. This development marks a significant step in disrupting the operations of this cybercrime network.

Source: thehackernews.com
