Outsider
Outsider is a China-based cybercrime network and phishing-as-a-service operation active since at least July 2023. It provided phishing kits, hosted infrastructure, and related services to cybercriminal customers, facilitating phishing and smishing attacks against people and businesses in 55 countries, including the United States. Authorities estimated the operation caused $1.9 billion in losses, and Google said its activity affected more than 100,000 victims.

According to reporting, Outsider operated as a multi-group criminal ecosystem, also referred to as the Outsider Enterprise, composed of interconnected groups with specialized roles and overlapping infrastructure. These included a Developer Group that supplied phishing software and templates, a Data Broker Group that provided target lists, a Spammer Group that sent bulk fraudulent texts, a Theft Group that monetized stolen data and laundered funds, and a Telegram Group that coordinated collaboration and recruitment.

Outsider sold phishing kits by subscription for as little as $88 per week, including through a Telegram self-service ordering bot identified as @OutsiderCodeBot. The kits enabled customers to generate fake websites and phishing campaigns impersonating trusted brands, including Google, using more than 290 pre-built templates. Reported lures included missed packages, overdue highway tolls, parking violations, brokerage account issues, and wireless carrier rewards. Google described the operation as AI-enabled or AI-powered, stating that customers were encouraged to use Gemini and other AI platforms to generate custom code for phishing lures and fraudulent sites. The software reportedly supported collection of SMS, PIN, email, and app-based verification data, helping attackers bypass authentication controls, and also included real-time keystroke logging and campaign performance dashboards.
The operation relied heavily on Telegram-based infrastructure and large-scale SMS phishing distribution. Google linked Outsider to 9,000 fake websites and more than 1.59 million fraudulent URLs between November 14, 2025 and April 14, 2026, and said 2.5 million messages containing links to Outsider-generated websites were sent to Android users during a two-week period in 2026. The FBI said Outsider phishing domains were linked to nearly 3.9 million stolen credit cards.

The network was disrupted by the FBI, Google, and Lumen Technologies in a coordinated action called Operation Ghost Hook, part of the FBI's broader Operation Riptide. The takedown included seizure of core administrative domains, a Shopify storefront, roughly $100,000 from payment wallets, and thousands of domains registered through U.S.-based providers. Google also filed civil litigation to dismantle the group's infrastructure. Known alias: Outsider Enterprise.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Banks
- Financial Services
- Software & Services
- Telecommunication Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- CN (China)
Tradecraft
4 distinct techniques observed across reporting, grouped by tactic (MITRE ATT&CK).
Recent activity
2 sources tracked across advisories, community write-ups, and news.
China-based phishing-as-a-service cybercrime operation providing phishing kits, hosted infrastructure, and AI-assisted tooling to enable large-scale credential theft and payment card fraud against victims in dozens of countries.
Chinese cybercrime network accused of developing and managing the Outsider phishing-as-a-service kit and conducting large-scale SMS phishing campaigns impersonating trusted brands to steal personal and financial information from Americans.