(Image credit: Federal Bureau of Investigation)

The FBI, Google, and Lumen Technologies say they’ve dismantled a China-based phishing-as-a-service operation called Outsider Enterprise, seizing its servers and payment wallets, and instigating a civil lawsuit. Sold through a Telegram bot for as little as $88 per week, the kit allowed buyers to spin up fake bank, toll, and delivery pages in minutes, with Google's complaint alleging its operators handed out tutorials teaching subscribers to prompt Gemini for the underlying code. The FBI links the platform to roughly 3.87 million stolen credit cards and an estimated $1.9 billion in losses since July 2023.

Zero technical skill was required to operate the Outsider software. Subscribers simply paid $88 per week, or $200 per month, via a self-service Telegram bot before choosing from more than 290 pre-built templates impersonating banks, wireless carriers, government agencies, state DMVs, the U.S. Postal Service, and toll systems such as New York's E-ZPass, according to the complaint filed in the Southern District of New York.

The kit captured victim data in real time and could request SMS codes, PINs, email codes, and app approvals on demand, allowing operators to retrieve one-time passcodes for two-factor authentication. Fake E-ZPass and other toll texts have driven a wave of fraud over the past two years.

Google's filing alleges Outsider distributed step-by-step instructions, including a tutorial video, showing customers how to make Gemini write the HTML for a phishing page. The prompts were dressed up as requests for an innocuous "gift redemption page" built with inline CSS and no JavaScript, wording that was meant to read as ordinary coding help and avoid the model’s safety filters.

The resulting shell was imported back into the Outsider software and became a working scam site, multiplying the variations available from the 290 templates.
Google has previously reported nation-state hackers using Gemini across phishing and intrusion campaigns, and researchers last year demonstrated a Gemini for Workspace flaw that obeyed instructions hidden inside emails. “Criminals increasingly use AI to make fraud like this more convincing and harder to detect,” said Brett Leatherman, assistant director of the FBI's Cyber Division.

The operation, dubbed Operation Ghost Hook and part of the FBI's wider Operation Riptide, seized the group's core admin domains, a Shopify storefront, and about $100,000 in USDT from Outsider payment wallets. Thousands of phishing domains registered through U.S. providers now redirect to an FBI splash page, and investigators used the group's own Telegram bot to pull data on its customers. Google's own count is narrower than the FBI's, citing hundreds of thousands of victims and 2.5 million scam texts sent to Android users over a two-week period in May.

For its civil suit, the company is pursuing claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act and trademark infringement, though it concedes the unnamed defendants are unlikely to face extradition from China. The action follows a Google suit against the Lighthouse phishing platform last November, tied to more than 1 million victims across 120 countries.