Google is suing an alleged China-based cybercrime network called Outsider Enterprise after linking it to AI-assisted smishing campaigns, phishing kits, more than 9,000 fake websites, and 2.5 million scam texts sent to Android users during a two-week period in May.[1] The case is worth attention because it shows how consumer phishing is turning into a managed service: templates, bulk SMS infrastructure, Telegram coordination, and AI-generated website code all wrapped into one operation.

Google said the Outsider network distributed phishing kits that let criminals send fake package alerts, bank warnings, account-security notices, and brand impersonation texts designed to steal passwords, payment details, and one-time codes.[1] The company also said Android users flagged 55,000 related spam texts in those same two weeks, while its messaging defenses block more than 10 billion malicious messages every month.[1]
The numbers make this more than a routine spam story. Help Net Security reported that Google connects the operation to hundreds of thousands of victims, losses estimated in the millions, over 1 million fraudulent URLs, and phishing infrastructure built with AI tools including Gemini.[2] TechCrunch, citing Google and an FBI spokesperson, added that domain seizures and Shopify-account actions were coordinated with Google, the FBI, and Lumen’s Black Lotus Labs, and that the platform has been tied to an estimated 3.87 million stolen credit cards and $1.9 billion in losses since July 2023.[3]
What readers should check now
The practical risk is not that a message mentions AI. It is that old smishing lures can now be produced at higher speed and quality, with fake pages that copy banks, delivery firms, mobile carriers, tech brands, and government-style services. Treat any text that pushes urgency, a payment issue, a stuck delivery, or an account lockout as untrusted until you open the service manually from a saved bookmark or official app.
If you clicked one of these links, the immediate triage is simple: change the password for the impersonated service from a clean browser session, revoke unknown sessions, rotate saved payment cards if card data was entered, and check recent login history. If a code was entered, assume the attacker may have bypassed MFA for that session. This is the same token-and-credential theft pattern behind earlier campaigns such as the Microsoft AiTM phishing campaign and the Google AppSheet Facebook phishing campaign.
For defenders, the useful signal is the campaign architecture: bulk SMS delivery, rapidly generated URLs, reusable templates, and real-time credential collection. Mobile-device logs, helpdesk tickets about suspicious SMS links, unusual card-testing complaints, and bursts of lookalike domains around a brand can be more useful than waiting for one perfect IOC list. Organizations that run customer-facing login portals should also watch for phishing reports that imitate their brand and publish clear guidance telling users where real alerts do and do not come from.
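
One way to turn the "bursts of lookalike domains around a brand" signal into a check, as an added example that is not from Google or any of the cited reports. The brand `examplepay`, its official domain, the 24-hour window, the threshold of three, and every domain in the sample feed are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Digit-for-letter swaps folded before comparison (assumed set, not exhaustive).
SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, brand, official):
    """True if a label token contains or nearly equals the brand on a non-official domain."""
    domain = domain.lower().rstrip(".")
    if domain == official or domain.endswith("." + official):
        return False  # the brand's own hosts are never flagged
    tokens = re.split(r"[.\-_]", domain.translate(SUBS))
    return any(brand in t or edit_distance(t, brand) <= 1 for t in tokens)

def find_bursts(records, brand, official, window=timedelta(hours=24), threshold=3):
    """Group lookalike sightings that start within `window` of each other; keep big groups."""
    hits = sorted((datetime.fromisoformat(ts), d) for ts, d in records
                  if is_lookalike(d, brand, official))
    bursts, cluster = [], []
    for ts, d in hits:
        if cluster and ts - cluster[0][0] > window:
            if len(cluster) >= threshold:
                bursts.append(cluster)
            cluster = []
        cluster.append((ts, d))
    if len(cluster) >= threshold:
        bursts.append(cluster)
    return bursts

# Constructed feed of newly observed domains (first-seen time, domain); not real indicators.
SAMPLE = [
    ("2026-05-04T09:10", "examp1epay-verify.test"),
    ("2026-05-04T09:40", "secure-examplepay.billing-check.invalid"),
    ("2026-05-04T11:05", "examplepayy.test"),
    ("2026-05-04T12:00", "login.examplepay.example"),
    ("2026-05-04T13:30", "weather-news.example"),
    ("2026-05-09T08:00", "examplepay-refund.test"),
]

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE, "examplepay", "examplepay.example"):
        print(burst[0][0].isoformat(), [d for _, d in burst])
```

The isolated sighting on May 9 is a lookalike but not a burst, which is the distinction that keeps this usable as an alert rather than a stream of single-domain noise.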
Google said it will keep working with AT&T, T-Mobile, and Verizon to block the texts before delivery, while the FBI described the case as a coordinated disruption of a network that impersonated trusted brands at scale.[1] That industry cooperation matters, but it does not remove the user-level rule: never follow payment or account-recovery links from unsolicited texts. Go directly to the service, then verify whether the alert exists.
References
- [1] Google, “How we’re combatting AI scams with security, legislation and more,” June 12, 2026.
- [2] Help Net Security, “Google sues China-based scammers over Gemini AI abuse,” June 12, 2026.
- [3] TechCrunch, “Chinese cybercrime operation that used AI to scam ‘hundreds of thousands of victims’ sued by Google,” June 12, 2026.