What happened
The FBI, working with Google and Black Lotus Labs, disrupted a large Chinese phishing-as-a-service operation known as Outsider Enterprise.
The operation used AI and distributed phishing kits to run campaigns impersonating trusted brands in text messages sent through AT&T, T-Mobile, and Verizon. The campaigns were designed to steal credit card data and passwords.
Outsider Enterprise has been active since at least 2023. Google linked the operation to 9,000 fake websites and more than one million fraudulent URLs.
Authorities believe phishing campaigns powered by Outsider Enterprise led to the theft of more than 3.8 million credit card records and caused an estimated $1.9 billion in losses.
The disruption was part of the FBI’s Operation Riptide, a broader effort targeting cybercrime activity and infrastructure. During the takedown, the FBI and its partners seized multiple administration servers, a Shopify e-commerce storefront, and an account used to test the phishing service.
The FBI also seized around $100,000 in USDT from Outsider payment wallets. Thousands of phishing domains registered at U.S. providers now redirect to an FBI splash page. The agency also took over a Telegram bot linked to Outsider Enterprise that contained information about customers of the phishing service.
Google filed a civil lawsuit targeting the operation’s infrastructure and is coordinating with telecommunications providers to block fraudulent messages before they reach subscribers.
Google said that over a two-week period in May, 2.5 million SMS messages were sent to Android users from Outsider Enterprise infrastructure. Android users flagged 55,000 of those messages as fraudulent.
Who is affected
Hundreds of thousands of users worldwide were affected by the AI-assisted phishing operation.
Mobile users receiving scam text messages impersonating trusted brands were directly targeted. The campaigns were designed to steal passwords and credit card data, and authorities believe the operation contributed to more than 3.8 million stolen credit card records and $1.9 billion in estimated losses.
Telecommunications providers, digital platforms, financial institutions, and organizations whose brands were impersonated are also affected because the phishing service operated across SMS, fraudulent websites, and phishing kits distributed to other criminals.
Why CISOs should care
This operation shows how phishing-as-a-service has become industrialized and AI-assisted. Outsider Enterprise did not operate as a single phishing campaign. It provided infrastructure, phishing kits, fraudulent URLs, Telegram coordination, and testing capabilities that other criminals could use at scale.
For CISOs, the scale is the warning. Google linked the operation to more than one million fraudulent URLs and 9,000 fake websites. That level of infrastructure can overwhelm traditional blocking and takedown processes if detection and brand abuse monitoring are not automated.
The SMS channel also matters. The campaigns impersonated trusted brands in messages sent through major U.S. mobile carriers. Security teams focused only on email phishing may miss a major path for credential theft, payment fraud, and customer impersonation.
The disruption also shows the importance of public-private coordination. The FBI worked with Google, Black Lotus Labs, and telecommunications providers, while Google pursued civil litigation and carrier-level message blocking. Large-scale phishing operations often require technical, legal, and infrastructure-level responses at the same time.
3 practical actions
- Expand phishing defense beyond email: Outsider Enterprise used SMS campaigns to impersonate trusted brands and direct victims to fraudulent websites. CISOs should ensure phishing defenses cover text messaging, brand impersonation, fraudulent domains, and mobile-focused scam workflows, not only corporate email.
- Monitor for brand abuse at internet scale: Google linked the operation to 9,000 fake websites and more than one million fraudulent URLs. Organizations should monitor newly registered domains, lookalike sites, phishing kits, and scam pages that impersonate their brands or customer portals.
- Coordinate takedown and blocking with external partners: The disruption involved the FBI, Google, Black Lotus Labs, telecommunications providers, domain infrastructure, and legal action. Security teams should define escalation paths for law enforcement, carriers, domain registrars, hosting providers, and platform abuse teams before a phishing campaign reaches large scale.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

