FBI and Google Dismantle Outsider Enterprise, a Chinese AI-Powered Phishing Service Behind $1.9 Billion in Fraud

BleepingComputer

A coordinated takedown operation carried out by the FBI, Google, and Black Lotus Labs has disrupted Outsider Enterprise, a Chinese-operated phishing-as-a-service (PhaaS) platform responsible for distributing AI-generated phishing kits to criminal customers worldwide, as reported by BleepingComputer. The platform, active since at least 2023, had grown into one of the most industrialized cybercrime operations ever documented, with a reach spanning 9,000 fake websites, over one million fraudulent URLs, and an estimated $1.9 billion in financial losses.

What Is Phishing-as-a-Service — and Why AI Makes It Dangerous

Traditional phishing required technical skills to set up convincing fake websites and distribute lure messages. PhaaS operations change that calculus entirely: a criminal can subscribe to a platform, receive a ready-made phishing kit impersonating a trusted brand, and launch attacks within hours — no coding required. Outsider Enterprise took that model further by leveraging AI-generated phishing kits that could rapidly clone the look and feel of legitimate banking, retail, and delivery services, making the fake pages significantly harder to detect than hand-crafted imitations.

The platform distributed its kits and coordinated its criminal customer base through Telegram, which has become a preferred operational channel for cybercrime marketplaces due to its encrypted messaging and limited cooperation with law enforcement.

How the Operation Worked

Outsider Enterprise specialized in smishing — phishing delivered via SMS — targeting Android users in the United States. Fraudulent text messages were routed through legitimate carrier infrastructure including AT&T, T-Mobile, and Verizon networks, lending them an air of authenticity and bypassing many spam filters designed to catch email-based phishing. The scale was staggering: in May 2026 alone, the platform blasted out 2.5 million SMS messages to unsuspecting targets.

The supply chain worked roughly as follows:

  • Kit production: AI tools generated phishing pages impersonating well-known brands — banks, parcel carriers, government portals, and e-commerce platforms.
  • Distribution: Criminal customers purchased kits and operational infrastructure through Shopify storefronts operated by the platform's administrators.
  • Delivery: Smishing messages pushed victims to fake sites hosted across approximately 9,000 domains.
  • Harvest: Victims who entered payment or personal data had that information captured and routed back to the platform's operators.

The Damage: 3.8 Million Cards, $1.9 Billion in Losses

The documented impact is severe. Investigators attributed roughly 3.8 million stolen credit card records to Outsider Enterprise, with financial losses estimated at $1.9 billion. These figures — derived from seized records and payment data — almost certainly undercount the true scope, since many victims never report card fraud and losses absorbed by financial institutions often go untracked in public statistics.

The 2.5 million SMS messages sent in a single month illustrate the platform's operational tempo. At that volume, even a fractional conversion rate translates into tens of thousands of compromised individuals per month.

The Takedown: What Each Partner Did

The disruption operation was a multi-pronged effort:

  • FBI: Led the law enforcement action, seizing administration servers that formed the backbone of the PhaaS infrastructure and capturing a Telegram bot that contained the platform's customer records — effectively mapping who was using the service.
  • Google: Contributed threat intelligence and infrastructure visibility, helping identify the network of fraudulent domains and the carrier pathways used to deliver smishing messages.
  • Black Lotus Labs (Lumen Technologies): Provided network-level analysis that traced the platform's backend infrastructure and aided in the identification of domains ripe for seizure.

In addition to the server seizures, authorities confiscated approximately $100,000 in USDT from payment wallets tied to the operation and took down Shopify storefronts used to sell phishing kits. Visitors to the seized phishing domains now see FBI seizure splash pages — a standard law enforcement tactic intended to notify victims and deter would-be customers.

What's Missing: No Arrests Announced

The June 14 disclosure makes no mention of arrests. This is a meaningful gap. Infrastructure seizures — servers, domains, wallets — disrupt an operation in the short term, but without the arrest and prosecution of the administrators and developers behind Outsider Enterprise, reconstitution is possible. Criminal PhaaS operators have historically rebuilt after takedowns, sometimes within weeks, especially when they operate from jurisdictions with limited extradition cooperation with the United States.

Whether arrests are pending under seal or simply haven't occurred yet remains unclear. The capture of the Telegram bot containing customer records could, however, give investigators a roadmap to the platform's user base and potentially its operators.

Implications: The Industrialization of Cybercrime

Outsider Enterprise is a case study in how AI is lowering the barrier to entry for large-scale fraud. When a platform can generate convincing phishing pages on demand — automatically cloning brand assets, localizing language, and updating templates to bypass detection signatures — the constraint on cybercrime shifts from technical skill to distribution and monetization. Both of those are well-solved problems in the criminal underground.

For individuals, the practical takeaway is familiar but worth restating: treat unsolicited SMS messages requesting payment information or credential verification with extreme suspicion, regardless of how convincing the linked page appears. For organizations, the operation underscores the value of carrier-level SMS filtering partnerships and real-time domain monitoring to identify brand impersonation before victims reach fake pages.
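The real-time domain monitoring recommended above can start as a lightweight first pass over observed hostnames and the URLs inside reported SMS lures. The following Python is an added example and is not code from the article, from BleepingComputer, or from any of the organisations named in the takedown; the brand names, legitimate domains, sample messages, homoglyph map and suffix set are constructed placeholders. It flags a host when a monitored brand appears as a label or token (for instance combined with "secure" or "login", or placed in a subdomain of an unrelated registrable domain), when digits stand in for letters, or when a token is within a small edit distance of the brand, while leaving the brand's own registrable domain alone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed brand list and the registrable domains they legitimately use (placeholders).
MONITORED_BRANDS = ["examplebank", "parcelpost"]
LEGIT_DOMAINS = {"examplebank.com", "parcelpost.com"}

# Small assumed set of multi-label public suffixes; a real deployment would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Digit/symbol substitutions that mimic letters (assumed map, extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

# Maximum edit distance at which a token is treated as a misspelling of a brand.
MAX_EDITS = 2

URL_RE = re.compile(r"https?://([^\s/:?#]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Verdict:
    host: str
    flagged: bool
    brand: Optional[str]
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) using a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (registrable domain, labels to the left of the public suffix)."""
    labels = host.lower().strip(".").split(".")
    n_suffix = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= n_suffix:
        return host.lower(), []
    registrable = ".".join(labels[-(n_suffix + 1):])
    return registrable, labels[:-n_suffix]


def classify_domain(host: str, brands=MONITORED_BRANDS, legit=LEGIT_DOMAINS) -> Verdict:
    """Flag a host that impersonates a monitored brand anywhere in its labels."""
    registrable, labels = split_host(host)
    if registrable in legit:
        return Verdict(host, False, None, "legitimate domain")
    joined = "-".join(labels)                      # e.g. "examplebank-com-evil-site"
    norm = joined.translate(HOMOGLYPHS)            # undo digit-for-letter substitutions
    tokens = {t for t in re.split(r"[-_]", norm) if t}
    for brand in brands:
        if brand in tokens:
            reason = ("character substitution in brand name" if norm != joined
                      else "brand name combined with other labels or words")
            return Verdict(host, True, brand, reason)
        if brand in norm:
            return Verdict(host, True, brand, "brand name embedded in a label")
        if any(levenshtein(t, brand) <= MAX_EDITS for t in tokens):
            return Verdict(host, True, brand, "misspelled brand name")
    return Verdict(host, False, None, "no monitored brand matched")


def scan_sms(messages: List[str]) -> List[Verdict]:
    """Extract URL hosts from SMS text and return only the impersonation verdicts."""
    return [v for m in messages for v in map(classify_domain, URL_RE.findall(m)) if v.flagged]


# Constructed sample lures plus a benign message and a benign link (not real traffic).
SAMPLE_MESSAGES = [
    "ExampleBank: unusual sign-in, confirm at https://examplebank-secure-login.com/verify",
    "Your parcel is on hold. Reschedule: http://parce1post.net/track",
    "Your statement is ready: https://www.examplebank.com/statements",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for v in scan_sms(SAMPLE_MESSAGES):
        print(f"{v.host}: impersonates {v.brand} ({v.reason})")
```

In practice the same `classify_domain` check runs over a feed of newly observed hostnames (certificate transparency logs or newly registered domain lists) rather than over message text, and the hard-coded suffix set is replaced with the Public Suffix List so that the legitimacy check compares true registrable domains.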

The Outsider Enterprise takedown is significant. Whether it proves durable depends on what investigators do with the customer records they seized — and whether they can reach the people who built and ran the platform.

Originally reported by BleepingComputer. Read the original article for additional details.
