
Google Disrupts Chinese Smishing Network Tied to AI-Generated Phishing Attacks


“The operation weaponized Gemini to help generate fraudulent phishing pages and deploy massive SMS phishing ('smishing') attacks,” Google told a court — and investigators say those attacks reached millions of mobile users and built an off‑the‑shelf business for fraud.

Google sues to dismantle a China‑linked smishing network

Google announced on Friday that it has filed a lawsuit in Manhattan federal court against a Chinese cybercrime network it says operated a Phishing‑as‑a‑Service (PhaaS) kit called Outsider. The company said the suit seeks to dismantle the network's infrastructure and that it is partnering with AT&T, T‑Mobile, and Verizon to block the fraudulent text messages from reaching customers.

Google framed the network as a commercialized criminal operation, alleging that it used AI, specifically Google's Gemini agent, to generate fraudulent pages and deploy large smishing campaigns. The messages impersonated trusted brands, warning of “brokerage account issues” or promising “rewards through their mobile phone carrier.” The texts, Google said, “prompt users to click a link leading to a fraudulent website that mimics trusted institutions to steal personal and financial information.”

Outsider: price, templates, telemetry and scale

Google’s filings lay out the product features and scale. The Outsider kit, the company says, could be bought “for as little as $88 a week” and provided more than 290 pre‑built templates that impersonate legitimate sites. The service included “real‑time keystroke logging” and “a performance dashboard to track the effectiveness of a campaign.” Licenses, Google says, could be purchased through a “self‑service ordering bot” on Telegram (@OutsiderCodeBot).

Google reported identifying 9,000 fake websites and more than 1.59 million fraudulent URLs tied to the phishing service between November 14, 2025, and April 14, 2026. In a two‑week period from May 18 to June 1, 2026, Outsider was responsible for 55,000 spam texts flagged by Android users. During that same timeframe, Google says the network sent 2.5 million messages to Android users that contained links to Outsider‑generated websites.

How Google says Gemini and AI were used

According to the complaint, Outsider’s operators provided step‑by‑step guidance so that members could use AI tools to produce code and turn it into functioning malicious landing pages. “Following those instructions, Enterprise members can use AI tools to generate programming code for a shell website, and copy and paste that code into Outsider to transform that shell into a fraudulent site that can be used to steal personal or financial information from their victims,” Google wrote.

Google says the prompts were framed as harmless programming help: they asked Gemini and other AI platforms to generate HTML for a “gift redemption page,” to avoid using JavaScript, and to employ inline CSS so the generated code could be pasted into Outsider. Once the counterfeit website was live, its URL would be distributed by SMS to potential victims.

The Outsider Enterprise: roles and coordination on Telegram

Google characterizes the operation as an “Enterprise” composed of multiple, interlocking groups that together enable large‑scale fraud. The complaint breaks those groups into functions:

  • The Developer Group: supplies the phishing software and templates
  • The Data Broker Group: provides curated target lists
  • The Spammer Group: supplies tools to send fraudulent text messages in bulk
  • The Theft Group: monetizes stolen information and launders funds
  • The Telegram Group: facilitates collaboration and recruitment

Google says the network coordinated through Telegram and that its organization and tooling dramatically lower the barrier to entry, enabling novice fraudsters to launch convincing campaigns with minimal technical skill — a pattern the company compared to a recently disrupted service called Sniper Dz.

Victims, losses and official response

Google estimates the Outsider schemes victimized more than 100,000 people and caused “millions of dollars in losses.” Brett Leatherman, assistant director of the FBI’s Cyber Division, is quoted in the filing: “The criminals behind the Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims. Criminals increasingly use AI to make fraud like this more convincing and harder to detect.”

As part of its response, Google is coordinating with major U.S. mobile carriers to block messages and has asked the court to permit actions aimed at dismantling the infrastructure that hosts Outsider’s kits, templates and fraudulent pages. The filing comes seven months after Google filed a separate U.S. lawsuit against operators of another PhaaS platform, Lighthouse, which Google said had ensnared over 1 million users across 120 countries.

Carriers, Android users, and the FBI

Mobile carriers: Google says it is working with AT&T, T‑Mobile, and Verizon to block the text messages and prevent the fraudulent links from reaching customers.

Android users: Google reports that Android users flagged tens of thousands of spam texts in a two‑week window and that 2.5 million messages containing links to Outsider‑generated sites were sent to Android devices during the cited timeframe.

The FBI: The bureau’s Cyber Division publicly framed the case as an example of how criminals are adopting AI to scale and refine fraud, underscoring the law‑enforcement interest cited in Google’s complaint.

The case Google has filed asks the court to remove the infrastructure that allowed a commercialized phishing kit to combine AI‑generated code, Telegram coordination, and bulk SMS delivery. The clear question in the record is whether civil litigation, carrier blocking and disruption efforts can keep pace with PhaaS offerings that, according to Google, sell turnkey fraud tools for less than $100 a week.

Original story at The Hacker News