Google announced on Friday that it is taking legal action against a Chinese cybercrime operation that exploited its Gemini AI system to send fraudulent text messages to people across the United States.
According to the company, this group is responsible for developing and running a phishing-as-a-service (PhaaS) tool known as Outsider.
“The group used Gemini to create fake phishing websites and sent out large-scale SMS phishing (‘smishing’) messages, often pretending to be reputable brands,” Google stated. “These messages would warn people of supposed ‘brokerage account problems’ or tell them they qualified for ‘rewards from their mobile carrier.’”
“The texts include links to scam websites designed to look like legitimate businesses, tricking people into handing over personal and financial details.”
Google explained that it is filing this lawsuit to dismantle the group’s technical infrastructure, and that it is working with AT&T, T-Mobile, and Verizon to prevent such messages from reaching customers.
Google noted that Outsider’s activities are organized through Telegram, where the group shares phishing kits that enable cybercriminals to send fake text messages impersonating well-known brands. It is believed that these schemes have victimized over 100,000 people, resulting in millions of dollars in financial losses.
From November 14, 2025, to April 14, 2026, researchers identified 9,000 fake websites and more than 1.59 million scam URLs linked to the phishing service. Between May 18 and June 1, 2026, Outsider was responsible for 55,000 spam texts reported by Android users in just two weeks.
During that same period, the group sent 2.5 million messages to Android users containing links to Outsider-generated sites. The kit was available for as little as $88 per week (or $200 monthly), allowing scammers to build fake websites, run phishing campaigns, and steal credit card numbers, banking credentials, and personal data. Purchases were made through a Telegram bot (@OutsiderCodeBot) that automated the process.
The service also included over 290 pre-made templates mimicking trusted institutions, live keystroke tracking, and a dashboard to monitor how well a campaign was performing.
“Even though Outsider’s ease of concern is troubling enough, the group has made the tool even more dangerous by offering detailed guidance on how to use AI-generated code within the platform,” Google stated in its federal court filing in Manhattan.
“By following these instructions, group members can ask AI tools to produce programming code for a basic website, then paste that code into Outsider to turn it into a fully functional scam site designed to capture personal or financial data from victims.”
Google explained that prompts sent to Gemini and other AI systems were disguised as innocent requests for programming help, such as asking the model to write HTML code to build a “gift redemption page” with specific features, while specifying that no JavaScript should be used and that inline CSS should be applied. Once the fake site was live, its link was distributed to targets via text message.
The Outsider operation is reportedly composed of multiple interconnected groups, each with distinct roles but working together to carry out phishing attacks using the kit. These groups include:
- The Developer Group, responsible for providing the phishing software and templates
- The Data Broker Group, which supplies carefully curated target lists
- The Spammer Group, which provides tools for sending large volumes of fraudulent messages
- The Theft Group, which helps convert stolen data (such as credit card details and login credentials) into profit and launder funds
- The Telegram Group, which coordinates activities among members and recruits new participants
The appeal of services like Outsider, similar to the recently shut-down Sniper Dz platform, is that they vastly lower the barrier to entry for would-be scammers who lack technical skills. Such tools make it possible to launch convincing phishing campaigns with very little effort and at significant scale.
“The criminals behind the Outsider operation built an entire enterprise around impersonating trusted brands to cheat hundreds of thousands of people,” said Brett Leatherman, assistant director of the FBI’s Cyber Division. “Criminals are increasingly turning to AI to make fraud more believable and harder to spot.”
The FBI reported that the PhaaS platform is linked to at least 3,870,000 stolen credit cards and an estimated $1.9 billion in losses between July 2023 and today. As part of a coordinated crackdown called Operation Ghost Hook, several domains have been taken down, including a Shopify e-commerce storefront and an account used for testing the phishing service.
Additionally, roughly $100,000 in USDT from Outsider payment wallets has been seized, and thousands of phishing domains tied to U.S. providers were disrupted and redirected to an FBI warning page. The agency also used an Outsider Telegram bot to gather information about the cybercrime group’s customers.
Operation Ghost Hook falls under the broader Operation Riptide, which the FBI described as a continuing initiative aimed at targeting “the criminals, technical infrastructure, and financial systems behind cybercrime, cyber-enabled crime, and fraud targeting Americans.”
This development comes precisely seven months after Google filed another lawsuit in the U.S. against Chinese hackers operating a large-scale PhaaS platform called Lighthouse, which ensnared more than 1 million users in 120 countries.
Update
The Telegram bot (@OutsiderCodeBot) previously used to purchase Outsider licenses is now inaccessible.



