In a coordinated effort, the FBI, working with Google and Black Lotus Labs, has dismantled a massive Chinese phishing-as-a-service operation called Outsider Enterprise with thousands of phishing websites used to steal credit card data and passwords.
The cybercrime operation used AI and distributed phishing kits for campaigns impersonating various trusted brands in texts sent through AT&T, T-Mobile, and Verizon.
Outsider Enterprise has been active since at least 2023 and operated at a massive scale, with Google linking 9,000 fake websites and more than a million fraudulent URLs to it.
Authorities believe that phishing campaigns powered by Outsider Enterprise led to the theft of more than 3.8 million credit card records, causing an estimated $1.9 billion in losses.
The action against Outsider Enterprise has technical and legal components and is part of the FBI’s larger Operation Riptide that targets cybercrime activity and infrastructure.
During the technical takedown, the FBI and partners seized multiple administration servers, a Shopify e-commerce storefront, and an account the threat actor used to test the phishing service.
The agency also seized around $100,000 in USDT from Outsider payment wallets. Thousands of phishing domains that the threat actor registered at U.S. providers are now redirecting to an FBI splash page.
Image: FBI seizes site used by Outsider Enterprise phishing-as-a-service (source: FBI)
The agency also took over a Telegram bot linked to Outsider Enterprise that contained information on customers of the phishing service.
According to Google, the AI-assisted phishing operation has impacted hundreds of thousands of users worldwide.
The tech giant has filed a civil lawsuit targeting the operation’s infrastructure, and is coordinating with telecommunications service providers AT&T, T-Mobile, and Verizon to block fraudulent messages before they reach subscribers.
“Our civil lawsuit targets an organized cybercrime operation known as the ‘Outsider Enterprise’. Based in China and coordinating through Telegram, this network distributes “phishing kits” that allow criminals to blast out fake text campaigns that look like they’re from Google and other trusted brands,” Google says.
Over a two-week period in May, Google says that a total of 2.5 million SMS messages were sent to Android users from the Outsider Enterprise infrastructure. Android users flagged 55,000 of them as fraudulent.
The company estimates that hundreds of thousands of victims lost millions to these scams.
Google is using this opportunity “to combine aggressive legal action and collaboration with federal and state governments” and is advocating for seven bipartisan U.S. anti-scam bills, including the Stop SCAMS Act, to strengthen legal protections against AI-enabled fraud.
The Stop SCAMS Act would require the FBI to lead a coordinated national anti-scam strategy, bringing together federal agencies, law enforcement, and private companies to better track, disrupt, and prevent fraud and scam operations.
In the meantime, Google underlined that Android users are protected from these threats by AI-powered defenses.
The defenses support scam detection on Android that warns users about suspicious calls, and messaging protections that block more than 10 billion malicious messages every month.

