
FBI dismantles $1.9B China cybercrime network

“The criminals behind Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement.

Operation Ghost Hook: FBI, Google and Lumen seize Outsider infrastructure

Federal investigators, working with Google and Lumen Technologies, announced a coordinated takedown Friday of a China-based cybercrime network known as Outsider. The action, described by the FBI as part of the broader Operation Riptide, resulted in seizure of several domains tied to the group's core administration servers, a Shopify storefront, and thousands of domains registered through U.S.-based providers, officials said in a LinkedIn post and related statements.

How Outsider built and sold phishing-as-a-service

Outsider operated as a commercial service for criminals, offering phishing kits and hosted infrastructure since July 2023. The kits allowed customers to spin up fake websites and full phishing campaigns designed to harvest credit cards, bank credentials and personal data. According to a civil lawsuit Google filed in the U.S. District Court for the Southern District of New York, Outsider offered weekly subscriptions for as little as $88.

Google told the court the operation leaned on generative AI — including Google’s Gemini and other AI platforms — to produce custom phishing lure copy and site code. The group supplied step‑by‑step instructions for scammers to create realistic fraudulent messages tied to scenarios like missed packages, overdue highway tolls, parking violations, brokerage account problems or wireless carrier rewards.

Google’s lawsuit also described technical flexibility built into the Outsider software: the kits could request multiple types of verification from victims, including SMS, PIN, email and app-based verification, a capability Google said enabled the enterprise to defeat various forms of authentication security.
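The passage above explains the capability that matters most to defenders: a kit that asks the victim for the second factor on the fake page collects that factor exactly the way it collects the password, and nothing in an SMS code, PIN or email code ties it to the site it was typed into. The following is an added illustration written for this page, not code from the filing or from Outsider. It assumes a generic relay model (the kit forwards whatever the victim types to the real site) that the lawsuit text does not spell out, uses a constructed bank origin and lookalike domain, and stands in for the WebAuthn signature with an HMAC so it runs on the standard library; the property shown is origin binding, not the signature scheme.

```python
"""Relaying a phished OTP succeeds; relaying an origin-bound assertion does not.

Added example for this article; assumed relay model, constructed origins and
secrets, HMAC in place of the real asymmetric WebAuthn signature.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example-bank.test"                    # constructed
PHISH_ORIGIN = "https://login.example-bank.test.parcel-fee.test"   # constructed lookalike


def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the kind of code an SMS/app prompt yields."""
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpService:
    """Real site accepting a TOTP. The code carries no information about where it was typed."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def login(self, code: str, now: float) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))


class OriginBoundService:
    """WebAuthn-style verifier: the signed client data includes the origin the
    browser observed, so an assertion produced on the phishing domain fails."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending: set[str] = set()

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def login(self, assertion: dict) -> bool:
        client_data = json.loads(assertion["client_data"])
        if client_data.get("origin") != REAL_ORIGIN:
            return False                      # typed/signed on the wrong site
        if client_data.get("challenge") not in self.pending:
            return False                      # unknown or already-used challenge
        expected = hmac.new(self.key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False                      # client data was tampered with
        self.pending.discard(client_data["challenge"])
        return True


def authenticator_sign(key: bytes, challenge: str, origin: str) -> dict:
    """Browser + authenticator side. The browser, not the page, fills in `origin`."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def relay_otp_attack(service: OtpService, victim_secret: bytes, now: float) -> bool:
    """Kit prompts for the code on PHISH_ORIGIN and forwards it unchanged."""
    code_typed_on_phish_page = totp(victim_secret, now)   # victim copies it from SMS/app
    return service.login(code_typed_on_phish_page, now)


def relay_webauthn_attack(service: OriginBoundService, victim_key: bytes) -> bool:
    """Kit proxies the real challenge; the victim's browser signs it under PHISH_ORIGIN."""
    challenge = service.challenge()
    return service.login(authenticator_sign(victim_key, challenge, PHISH_ORIGIN))


def forge_origin_attack(service: OriginBoundService, victim_key: bytes) -> bool:
    """Kit rewrites the origin in the captured client data to look legitimate."""
    challenge = service.challenge()
    captured = authenticator_sign(victim_key, challenge, PHISH_ORIGIN)
    forged = dict(captured)
    forged["client_data"] = captured["client_data"].replace(PHISH_ORIGIN, REAL_ORIGIN)
    return service.login(forged)              # origin now matches, signature no longer does


def legitimate_webauthn_login(service: OriginBoundService, victim_key: bytes) -> bool:
    challenge = service.challenge()
    return service.login(authenticator_sign(victim_key, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    otp_secret, fido_key = b"constructed-otp-secret", b"constructed-authenticator-key"
    print("OTP relay succeeds:", relay_otp_attack(OtpService(otp_secret), otp_secret, 1_700_000_000.0))
    svc = OriginBoundService(fido_key)
    print("WebAuthn relay succeeds:", relay_webauthn_attack(svc, fido_key))
    print("Forged-origin relay succeeds:", forge_origin_attack(svc, fido_key))
    print("Legitimate login succeeds:", legitimate_webauthn_login(svc, fido_key))
```

The point for anyone reading the list of prompts the kit can issue (SMS, PIN, email, app approval) is that all of them are values the victim can read and retype, so a page that asks for them gets them; the origin-bound path fails not because the victim is more careful but because the browser signs the domain it is actually on.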

Scale and material impact: $1.9 billion, 3.9 million cards, and seized funds

Officials attributed an estimated $1.9 billion in losses to the network’s activities. Investigators traced Outsider’s phishing domains to nearly 3.9 million stolen credit cards, the FBI said. In the takedown, authorities recovered roughly $100,000 from Outsider payment wallets, alongside the seized domains and storefront infrastructure that supported the campaign.

Google’s legal and carrier-focused response

Google framed its response on two tracks: litigation and operational coordination with carriers. In its SDNY civil suit, Google said it does not know the real names of those behind Outsider but characterized the operation as supported by multiple cybercrime groups with overlapping infrastructure. Separately, Google told Congress and the public it is working directly with AT&T, T‑Mobile and Verizon to intercept spam messages carrying the phishing lures before they reach customers.

“Litigation alone won’t end this,” Google General Counsel Halimah DeLaine Prado wrote in a company blog post; Google is also pushing for legislative changes it says would help curb these kinds of scams as the technology behind them evolves.

What this means for technologists, policymakers, and end users

  • Technologists and security teams: Expect closer scrutiny of turnkey phishing kits and the hosting and domain‑registration chains that support them. The FBI’s use of an Outsider Telegram bot to pull information on the network’s customers highlights how adversaries leverage messaging platforms to operate and how law enforcement can exploit those same channels during investigations.
  • Policymakers and regulators: Google’s public call for updated laws and its simultaneous civil litigation signal a dual approach — courts to dismantle infrastructure and legislation to change incentives and technical obligations. Lawmakers will see a concrete, cited example of how generative AI and cheap subscription models lower the bar to large-scale fraud.
  • End users and consumers: The campaigns relied on believable lures tied to everyday services — missed packages, tolls, carrier rewards — and used multi-factor prompts to harvest authentication. Consumers should be alert to unsolicited messages requesting PINs, SMS codes, or app verifications and to impersonation of trusted brands, including those named in the legal filing.

The takedown marks a blunt disruption of a large, commercially organized phishing enterprise, but authorities and vendors themselves emphasize it is only one step. The FBI tied the operation to a global fraud footprint hitting 55 countries, and Google notes the criminal network was supported by multiple groups and that it does not know the true identities behind Outsider. Operation Riptide continues to target the infrastructure and financial networks used for fraud, but the scale of the losses and the use of AI to automate convincing scams underline why law enforcement, vendors and carriers are pressing for both technical measures and legal changes.

Original story at CyberScoop