Google Sues Outsider Enterprise Over Gemini-Assisted Phishing and Smishing
Google filed a lawsuit in the U.S. District Court for the Southern District of New York against Outsider Enterprise, an alleged China-based cybercrime network accused of abusing Gemini and other AI tools to build phishing websites and support large-scale smishing campaigns targeting U.S. consumers. Google said the Telegram-based operation functioned as a phishing-as-a-service platform, offering more than 290 prebuilt templates and infrastructure used to impersonate brands and institutions including Google, YouTube, USPS, banks, DMVs, mobile carriers, and E-ZPass in order to steal credentials and payment information.
According to Google, the campaign was tied to more than 9,000 fake websites, over 1 million fraudulent URLs, and roughly 2.5 million smishing messages sent to Android users during a two-week period in May, while users reported at least 55,000 related spam texts and losses reached millions of dollars across hundreds of thousands of victims. The company said it has disabled abusive accounts and infrastructure, is coordinating disruption efforts with the FBI Cyber Division and major U.S. carriers including AT&T, T-Mobile, and Verizon, and is pursuing claims under RICO and the Lanham Act as part of a broader effort to curb AI-enabled scam operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
FBI and partners execute Operation Ghost Hook takedown
The FBI, working with Google and Lumen Technologies, carried out a coordinated disruption called Operation Ghost Hook against the Outsider cybercrime network. Authorities seized core administrative domains, a Shopify storefront, about $100,000 from payment wallets, and thousands of domains registered through U.S.-based providers.
Google and partners begin coordinated disruption of scam infrastructure
Google said it is coordinating with the FBI and major U.S. telecom providers including AT&T, T-Mobile, and Verizon to disrupt the operation, block malicious messages, and disable abusive Gemini-linked accounts and infrastructure. One report also says the FBI Cyber Division is pursuing parallel law enforcement action.
Court issues TRO blocking Outsider provider worldwide
A New York federal court approved Google's emergency request and issued a temporary restraining order against the phishing-as-a-service provider, blocking its operations worldwide. This represents a concrete court action beyond Google's filing of the lawsuit itself.
Google files lawsuit against Outsider Enterprise
Google filed a lawsuit against the China-based cybercrime network it calls Outsider Enterprise, alleging abuse of Gemini and other AI tools to build phishing websites and support large-scale phishing and smishing campaigns. The suit was filed in the U.S. District Court for the Southern District of New York and cites statutes including RICO and the Lanham Act.
Google detects large smishing volume tied to Outsider Enterprise in May
During a two-week period in May 2026, Google linked about 2.5 million messages sent to Android users to websites generated through Outsider Enterprise infrastructure. In the same period, Android users reported roughly 55,000 spam texts associated with the operation.
FBI says Outsider platform has driven fraud since July 2023
According to the FBI, the Outsider phishing platform has enabled the theft of at least 3.87 million credit cards and caused about $1.9 billion in losses since July 2023. The estimate frames the operation as a long-running fraud ecosystem predating Google's June 2026 lawsuit.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
FBI takes down massive China-based cybercrime network that caused $1.9B in losses | CyberScoop
cyberscoop.com
Open sourceGoogle sues to dismantle AI-powered cybercrime operation | brief | SC Media
scworld.com
Open sourceGoogle Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
thehackernews.com
Open sourceGoogle sues Chinese cybercrime network that used Gemini to automate scams - Ars Technica
arstechnica.com
Open sourceGoogle Sues Chinese Phishing Service Over Gemini Abuse
bankinfosecurity.com
Open sourceGoogle sues China-based scammers over Gemini AI abuse - Help Net Security
helpnetsecurity.com
Open sourceGoogle fires sueball at alleged Chinese phishers over AI-powered fraud ops
theregister.com
Open sourceGoogle sues alleged Chinese cybercrime operation that used AI to send scam texts | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Lawsuit Targets Lighthouse Phishing-as-a-Service Operation
Google has filed a civil lawsuit in the US Southern District of New York against 25 individuals alleged to be behind a large-scale phishing-as-a-service operation known as Lighthouse. The company accuses a Chinese cybercriminal group of selling "phishing for dummies" kits that enable even inexperienced fraudsters to launch widespread SMS and e-commerce scams. These kits provide hundreds of templates for fake websites, domain setup tools, and other resources, allowing attackers to impersonate well-known brands, government agencies such as USPS, and toll collection firms, tricking victims into disclosing sensitive information like passwords and financial details. The Lighthouse network, also referred to as part of the "Smishing Triad," is accused of targeting millions of people in over 120 countries, including a significant number of Americans. Google alleges that the group has generated over a billion dollars through these scams and has abused Google's logos and technology to increase the credibility of their fraudulent sites. The lawsuit represents one of the most high-profile legal actions against transnational smishing operations, highlighting the growing threat posed by organized cybercrime groups leveraging phishing-as-a-service platforms.
Mar 21, 2026
Google Lawsuit Against Lighthouse Phishing-as-a-Service Platform
Google has initiated legal action against the operators of Lighthouse, a large-scale Phishing-as-a-Service (PhaaS) platform, by filing a lawsuit in the Southern District of New York. The complaint alleges that Lighthouse provided ready-made phishing kits impersonating major brands such as E-ZPass, USPS, and Google itself, using Google’s trademarks to create convincing sign-in screens. These kits were rented to cybercriminals globally, facilitating the theft of credentials and credit card data from millions of users. Google’s lawsuit, titled Google LLC v. Does 1–25, No. 1:25-cv-09421, represents a strategic move to use civil litigation as a complement to criminal investigations, aiming for injunctive relief and discovery even when monetary damages may be unlikely. The legal action is structured similarly to a hacking indictment and racketeering case, signaling a proactive approach by Google to disrupt cybercrime infrastructure and deter future phishing operations targeting its users and brand.
Mar 21, 2026
Scams and Malware Abusing Google Branding to Steal Cryptocurrency
Security researchers reported multiple campaigns abusing *Google* branding to drive crypto theft. Malwarebytes identified a polished fraudulent “presale” site promoting a fake token called **“Google Coin”** and embedding a chatbot that impersonates **Google Gemini**; the bot delivers a scripted investment pitch, cites specific token pricing and a “2026 roadmap,” and steers victims toward sending irreversible cryptocurrency payments while avoiding verifiable corporate, regulatory, or registration details. Separately, Kaspersky’s Securelist detailed **BeatBanker**, an Android malware campaign targeting Brazil that spreads via phishing to a website masquerading as the **Google Play Store** (e.g., `cupomgratisfood[.]shop`) and distributing trojanized APKs such as a fake “INSS Reembolso” app. The malware combines a **cryptominer** with a **banking Trojan** capable of device hijacking and screen overlays, including swapping destination addresses during **USDT** transactions in apps like *Binance* and *Trust Wallet*; newer samples reportedly replaced the banking module with **BTMOB RAT** while retaining the broader infection chain and persistence techniques (including looping near-inaudible audio to resist termination).
Mar 21, 2026