Google just filed a lawsuit that reads like a forensic breakdown of an AI-powered assembly line for phishing—1.59 million malicious URLs detected in five months, 3.87 million credit cards stolen since July 2023, and $1.9 billion in estimated losses.
The Scale: 1 Million Domains and 3.87 Million Stolen Cards
Outsider Enterprise didn't run a few dozen scam sites. Between November 2025 and April 2026, Google identified over 1.59 million unique URLs tied to the operation. The group spun up 9,000 fake websites, one million fraudulent domains total, and blasted 2.5 million SMS messages to Android users in a single two-week period. During May, Android users flagged 55,000 spam texts—more than two complaints per minute.
The FBI, working with Google and Lumen's Black Lotus Labs, seized domains, Shopify storefronts, and test accounts. Since July 2023, the phishing platform enabled theft of at least 3,870,000 credit cards across 95 countries, with corresponding losses estimated at $1.9 billion. That's not theoretical—those are cards issued by real financial institutions, now in criminal hands.
How Outsider’s $200/Month Platform Works
Google calls it a "phishing-for-dummies" software suite. Outsider costs $88 per week or $200 per month and requires no technical skill. The platform includes over 290 pre-built website templates mimicking telecom providers, financial institutions, government agencies, and retailers. Operators can generate a convincing fake site in minutes—using AI, including Google's own Gemini, to create the code and content.
The cybercriminals coordinate openly on Telegram, sharing target lists built from public records, social media, and data breaches. A dedicated "spammer group" maintains smartphone banks, SIM cards, and modems to send bulk SMS. Real-time data exfiltration lets attackers steal passwords, multi-factor codes, and credit card numbers as victims type them in.
Google’s Counterattack: AI vs. AI and FBI Collaboration
Google says it uses "AI-powered tools to fight AI-powered scams," intercepting more than 10 billion scam messages per month. The company partnered with AT&T, T-Mobile, and Verizon to block these texts and coordinated with the FBI for domain seizures.
The lawsuit seeks compensatory and punitive damages plus an injunction to shut down the operation. Google accuses Outsider Enterprise of racketeering, wire fraud, false advertising, and copyright infringement for impersonating Google brands. The complaint names the group as "foreign-based cybercriminals whose real identities are unknown," but the detailed infrastructure mapping suggests investigators are closing in.
Source: Chinese cybercrime operation that used AI to scam 'hundreds of thousands of victims' sued by Google
Domain: techcrunch.com
Comments load interactively on the live page.