FBI and Google Dismantle 'Outsider', the $88-a-Week Phishing Service Behind $1.9 Billion in Losses

The FBI, Google, and Lumen took down Outsider Enterprise, the China-based phishing-as-a-service network behind America's toll and package scam texts: 3.87 million stolen cards, 55 countries.
Those "unpaid toll" and "missed package" texts that have flooded American phones for two years were not random. A large share of them trace back to one subscription service. On 12 June 2026, the FBI, Google, and Lumen Technologies announced they had dismantled Outsider Enterprise, a China-based phishing-as-a-service network that the FBI links to roughly 3.87 million stolen payment cards and an estimated $1.9 billion in losses since July 2023, across victims in 55 countries.
A phishing operation you could rent like software
Outsider did not phish anyone itself. It sold the ability to phish, the same way a legitimate startup sells software. For as little as $88 a week, purchased through a Telegram bot, a subscriber got ready-made phishing kits, hosting infrastructure, and templates impersonating banks, delivery companies, toll authorities, and mobile carriers. Investigators say the service supported the full menu of texts Americans have learned to dread: unpaid highway tolls, missed package notifications, parking violations, "brokerage account issues," and fake carrier reward offers.
The modern twist is where the sites came from. According to Google's civil complaint, Outsider's operators coached subscribers to prompt AI models, including Google's own Gemini, to generate the code for a shell website (framed as innocent requests, like HTML for a "gift redemption page"), then paste that code into the Outsider platform, which converted it into a live credential-harvesting page. Google says the network built more than 9,000 fake websites and generated over a million fraudulent URLs; in a single two-week stretch in May 2026 it pushed about 2.5 million scam texts.
How the takedown worked
The action, dubbed Operation Ghost Hook, combined criminal and civil levers at once. The FBI seized the domains of Outsider's core administration servers, a Shopify storefront the group used to test its kits, and roughly $100,000 in USDT from its payment wallets, and took down thousands of phishing domains registered through US-based providers, redirecting them to an FBI notice page. Lumen's Black Lotus Labs traced the network's infrastructure. The FBI says the operation is part of Operation Riptide, its ongoing campaign against the infrastructure and money networks behind mass fraud.
Google simultaneously filed a civil suit in the US District Court for the Southern District of New York against the network's as-yet unnamed operators. It follows the company's November 2025 suit against the "Lighthouse" phishing network, and this time the complaint centres on the criminal misuse of Google's own Gemini model. Google also worked with AT&T, T-Mobile, and Verizon on filtering the network's text campaigns. The enforcement action is entirely American (FBI, a New York court, US carriers), even though the victims span 55 countries; no other country's authorities are party to it.
"The criminals behind Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims," said Brett Leatherman, assistant director of the FBI's cyber division.
Why this matters
Phishing-as-a-service is the reason scam texts feel industrial: they are. One takedown removes a supplier, not the demand, and rival kits will absorb Outsider's customers. But the operation matters for three reasons. It confirms that the toll and package smishing waves were centrally supplied, not the work of thousands of independent scammers. It sets a legal precedent, with an AI company suing over criminal abuse of its own model. And it shows the pressure point that works: the infrastructure, the domains, the wallets, and the storefronts, rather than the individual texts.
The texts will not stop overnight. If one lands on your phone, the defence is unchanged: do not tap the link, forward it to 7726, and delete it. We have detailed guides on the unpaid-toll text wave and fake IRS texts and calls, and if you already tapped and paid, see what to do in the first 24 hours after a scam.
Sources
- Google: How we're combatting AI scams and dismantling the Outsider Enterprise
- CyberScoop: FBI takes down massive China-based cybercrime network that caused $1.9B in losses
- BleepingComputer: FBI disrupts massive AI-powered phishing service using a million URLs
- The Hacker News: Google sues Chinese smishing network accused of using Gemini AI in phishing
- SecurityWeek: FBI, Google dismantle 'Outsider Enterprise' phishing service
- FBI: Operation Riptide announcement