Google has sued a Chinese phishing network known as Outsider Enterprise as part of a broader effort with the FBI and major US telecoms groups to disrupt the operation.
The network distributed phishing kits through Telegram and used them to send fake text messages impersonating trusted brands, including Google. The messages linked to fraudulent websites designed to steal passwords and payment card details.
The operation was linked to 9,000 fake websites and more than 1 million fraudulent URLs. Over a two-week period, Android users flagged 55,000 spam texts tied to the group, while 2.5 million messages containing links to Outsider-generated sites were sent to Android users.
Authorities believe campaigns linked to the network led to the theft of more than 3.8 million credit card records and caused an estimated USD $1.9 billion in losses. The scale of the fraud suggests a large, repeatable phishing system rather than a single campaign.
AI and scale
Adam Issa, Senior Threat Intelligence Consultant at NCC Group, said the case reflects a broader shift in cybercrime towards the use of artificial intelligence tools.
"The AI-ification of cybercrime is one of the key trends observed in 2026, with AI, including legitimate tools and platforms, increasingly used to support criminal activity. This goes beyond generating written content and extends to building websites and supporting other parts of the criminal workflow, lowering the barrier to entry and speeding up operations. Similar trends have been observed in other phishing kits such as EvilTokens and Kali365, where AI plays an increasingly important role," Issa said.
He said the main risk for most organisations was not direct network intrusion by Outsider itself, but the wider fallout from stolen credentials and fraud.
"For most organizations, the main risk is not direct network intrusion from Outsider itself, but credential theft, payment fraud, customer harm, increased helpdesk workload, brand damage, and downstream account takeover. Based on Google and FBI reporting, the operation appears to have been conducted at large scale, potentially affecting millions of users. The scale and operational model suggest repeatable phishing infrastructure rather than a one-off campaign," Issa said.
The FBI described the group as a criminal enterprise built on impersonating trusted brands to defraud large numbers of victims. Brett Leatherman, Assistant Director of the FBI's Cyber Division, said the use of artificial intelligence had made such schemes harder to detect.
"The criminals behind Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims. Criminals increasingly use AI to make fraud like this more convincing and harder to detect. Together with partners like Google, we can disrupt criminal networks in ways no single organization could on its own," Leatherman said.
Carrier response
AT&T, T-Mobile, and Verizon were identified as carriers through which the text campaigns were sent. Google said it would continue working with the telecoms groups to block the messages before they reach users.
Rich Baich, Chief Information Security Officer at AT&T, said the company already blocks or labels large volumes of robocalls and spam texts each month.
"We appreciate Google's teamwork and actions to help protect consumers. AT&T blocks or labels billions of robocalls and spam texts every month using AI. We help take down imposter websites, and we work with the Industry Traceback Group to track spam calls to the source, leading directly to law enforcement actions. Fighting fraud requires collective defense, and each technology provider in our industry plays an important role," Baich said.
Jeff Simon, Executive Vice President and Chief Information Officer at T-Mobile, said criminal groups were moving quickly and using more advanced tools.
"At T-Mobile, protecting customers from evolving threats like AI-powered phishing and smishing scams is paramount. Scammers are moving faster and using more advanced tools, so we are meeting that challenge on multiple fronts. We're proud to work with Google, law enforcement, and others across the industry to fight the bad guys, block scam traffic, disrupt malicious activity, and help keep people safe. As threats grow more sophisticated, we'll continue investing in advanced technologies, network-level protections, and partnerships that give customers greater confidence that the messages they receive are authentic," Simon said.
Nasrin Rezai, Chief Information Security Officer at Verizon, said the response required cooperation across companies and law enforcement.
"Verizon is focused on protecting our customers from fraudulent activity and securing our networks. As cybercriminals increasingly leverage advanced technologies like AI to carry out sophisticated text-messaging scams, defeating these threats requires a unified, cross-industry response. We look forward to standing with Google, the telecom industry, and federal law enforcement in this coordinated effort to dismantle malicious domains and disrupt global cybercrime operations. Technical defenses alone are not enough, which is why we believe it is important to combine aggressive legal action and collaboration with federal and state governments, while helping consumers protect themselves with the comprehensive safeguards they deserve," Rezai said.
Broader lesson
Issa said the case also highlights the weakness of SMS as a channel in many security programmes and the tendency to treat brand impersonation as a fraud issue rather than a broader business risk.
"Outsider is not a fundamentally new threat model. It is a notable example of a scaled phishing-as-a-service operation using AI as an efficiency tool. One of the key lessons is that SMS remains a weak point in many security programs. It also highlights how brand impersonation is often treated primarily as a fraud issue rather than an enterprise risk. While takedowns can disrupt operations, their impact is often temporary unless combined with measures such as smarter filtering, domain monitoring, customer notification, phishing-resistant MFA, and faster response from hosting, domain, cloud, and messaging providers," Issa said.