FBI disrupts massive AI-powered phishing service using a million URLs
#Cybersecurity

Security Reporter

The FBI, working with Google and Black Lotus Labs, has dismantled Outsider Enterprise, a Chinese phishing-as-a-service operation that stole 3.8 million credit card records and caused an estimated $1.9 billion in losses through AI-generated fake text campaigns impersonating trusted brands.

The FBI has taken down one of the largest AI-powered phishing operations ever documented, seizing servers, domains, and cryptocurrency from a Chinese cybercrime service that generated over a million fraudulent URLs to steal credit card data and passwords from hundreds of thousands of victims.

The operation, known as Outsider Enterprise, ran a phishing-as-a-service platform that made it easy for criminals with minimal technical skill to launch convincing SMS phishing campaigns. Since at least 2023, the service had been impersonating Google and other trusted brands through text messages sent across AT&T, T-Mobile, and Verizon networks.

The Scale of the Operation

Google linked Outsider Enterprise to 9,000 fake websites and more than 1 million unique phishing URLs. The company estimates that phishing campaigns powered by the service led to the theft of 3.8 million credit card records, resulting in approximately $1.9 billion in losses.

Over just two weeks in May, Google counted 2.5 million SMS messages sent to Android users from Outsider Enterprise infrastructure. Android users flagged 55,000 of those messages as fraudulent, but the majority slipped through to potential victims.

The operation targeted users across all three major U.S. carriers, sending messages that appeared to come from legitimate brands. Recipients were directed to convincing fake login pages designed to harvest credentials and payment information.

How the Takedown Worked

The action against Outsider Enterprise had both technical and legal components, as part of the FBI's larger Operation Riptide targeting cybercrime infrastructure.

FBI seizes site used by Outsider Enterprise phishing-as-a-service. Source: FBI

On the technical side, the FBI and its partners seized multiple administration servers, a Shopify e-commerce storefront used to sell phishing kits, and an account the threat actors used to test their service. Authorities also seized approximately $100,000 in USDT from Outsider payment wallets.

Thousands of phishing domains registered at U.S. providers now redirect to an FBI splash page. The agency also took over a Telegram bot linked to Outsider Enterprise that contained information on the service's customers, potentially exposing thousands of criminals who purchased phishing kits through the platform.

Google has filed a civil lawsuit targeting the operation's infrastructure and is coordinating with telecommunications providers to block fraudulent messages before they reach subscribers.

"Our civil lawsuit targets an organized cybercrime operation known as the 'Outsider Enterprise'. Based in China and coordinating through Telegram, this network distributes 'phishing kits' that allow criminals to blast out fake text campaigns that look like they're from Google and other trusted brands," Google stated.

The company is using the case to advocate for stronger legal protections against AI-enabled fraud. Google supports seven bipartisan U.S. anti-scam bills, including the Stop SCAMS Act, which would require the FBI to lead a coordinated national anti-scam strategy bringing together federal agencies, law enforcement, and private companies.

Google also pointed to Android's existing protections, noting that its AI-powered scam detection warns users about suspicious calls and that messaging protections block more than 10 billion malicious messages every month.

What This Means for Security Teams

The Outsider Enterprise takedown reveals several important trends in modern phishing operations:

AI lowers the barrier to entry. Phishing-as-a-service platforms like Outsider Enterprise allow attackers to generate convincing, brand-specific content at scale without writing a single line of code. The AI assistance means phishing kits can be customized for different targets and updated quickly to evade detection.

SMS remains a high-risk channel. Despite years of awareness training, SMS phishing continues to succeed because users trust text messages more than email. The fact that Android users flagged only 55,000 out of 2.5 million messages suggests most recipients either didn't recognize the threat or didn't report it.

Infrastructure takedowns require coordination. This operation involved the FBI, Google, Black Lotus Labs, and three major telecom carriers. Single-agency efforts are increasingly insufficient against distributed cybercrime operations that span multiple jurisdictions and platforms.

Practical Steps for Defenders

Organizations should consider these actions in response to this type of threat:

  1. Monitor for brand impersonation. Use threat intelligence services to track new domains and URLs that impersonate your brand. Services like Google Safe Browsing and PhishTank can help identify emerging threats.

  2. Implement DMARC and brand monitoring. While this case focused on SMS, the same infrastructure often supports email phishing. Ensure your domain has proper DMARC, SPF, and DKIM records.

  3. Educate users about SMS phishing. Include smishing in security awareness training. Users should know that legitimate companies rarely ask for credentials or payment information via text.

  4. Report suspicious messages. The FBI's takedown was possible in part because victims and security tools flagged fraudulent messages. Encourage users to report suspicious texts using their device's built-in reporting features.

  5. Consider mobile threat defense. For organizations with significant mobile workforces, mobile threat defense solutions can detect and block phishing attempts before they reach users.
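Step 2 asks for "proper" SPF and DMARC records without saying what makes one weak. The following checker is an added example (not from the article or any of the organizations it names) that audits record strings the way a defender would before a brand-impersonation campaign starts; the two domains and their TXT records are constructed samples, and a real deployment would fetch the records with a DNS resolver such as dnspython.

```python
import re

# Constructed sample TXT records for two hypothetical domains (not real DNS
# lookups); a real checker would fetch them with a resolver such as dnspython.
SAMPLE_RECORDS = {
    "example-weak.test": {
        "spf": "v=spf1 include:_spf.example.test +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "example-strong.test": {
        "spf": "v=spf1 include:_spf.example.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test; pct=100",
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per check.
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def audit_spf(spf):
    """Return a list of weaknesses found in an SPF record string."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF: no valid record (spoofed mail is not rejected)"]
    terms = spf.split()
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF: permissive terminal '{terms[-1]}' lets anyone send as the domain")
    elif last == "~all":
        findings.append("SPF: softfail '~all'; '-all' is stricter")
    if sum(1 for t in terms if LOOKUP_TERMS.match(t)) > 10:
        findings.append("SPF: more than 10 DNS-lookup terms; receivers return permerror")
    return findings

def audit_dmarc(dmarc):
    """Return a list of weaknesses found in a DMARC record string."""
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return ["DMARC: no record (SPF/DKIM results are never enforced)"]
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; use quarantine or reject")
    if policy != "none" and int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies policy to only part of mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so abuse of the domain is not reported")
    return findings

def audit_domain(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one domain."""
    rec = records.get(domain, {})
    return audit_spf(rec.get("spf")) + audit_dmarc(rec.get("dmarc"))
```

Running `audit_domain("example-weak.test")` reports the permissive `+all`, the monitor-only `p=none`, and the missing `rua` reporting address, while the strong domain returns no findings.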

The Outsider Enterprise disruption shows that coordinated action between law enforcement and technology companies can impact even large-scale cybercrime operations. However, the underlying business model of phishing-as-a-service continues to attract criminal entrepreneurs, and similar operations will likely emerge to fill the gap.
