- The FBI, together with Google and Lumen’s Black Lotus Labs, brought down a phishing-as-a-service operation with links to China going by “Outsider Enterprise,” which owns millions of fraudulent URLs.
- The network operators use AI-assisted phishing kits plus SMS campaigns mimicking popular, well-reputed brands, delivered through major U.S. carriers like AT&T, T-Mobile, & Verizon.
- Authorities estimate that Outsider Enterprise is likely part of the criminal activity that contributed to over 3.8 million stolen credit card records & nearly $1.9 billion in losses.
The FBI has dismantled a large-scale cybercrime operation bearing the name “Outsider Enterprise”. This campaign is a phishing-as-a-service network that makes use of artificial intelligence (AI) & distributed infrastructure to carry out scam campaigns all over the world.
In an operation that the FBI carried out jointly with Google & Lumen’s Black Lotus Labs, the system, which the actors behind it had been operating since 2023, was brought to a halt.
These threat actors used more than a million malicious URLs to carry out their phishing attacks. And they impersonated brands which many users trusted in the SMS messages which they sent through some of the top telecom providers in the US.
With this approach, they tricked their targets into releasing their sensitive financial & login information to them thinking they were the legit brands.
According to officials, this disruption is part of a wider law enforcement initiative aimed at stopping the industrialised cybercrime ecosystems that make large-scale fraud operations successful.
AI-Driven Phishing Network Operated at Industrial Scale
According to what investigators discovered, Outsider Enterprise was operating fully as a phishing-as-a-service platform. It helped its cybercriminal customers to utilize ready-made phishing kits at a wider scale without needing any technical knowledge.
The criminal customers of Outsider Enterprise use these kits to create thousands of fake websites, which the developers design to look like legitimate services & financial platforms.
Google reported that the analysis it carried out about the operation showed close to 9,000 fraudulent domains plus more than 1 million fake URLs.
Bad actors built the infrastructure to help them carry out massive phishing actions through SMS. In this scheme, the criminals simply send the victims text messages that seem to come from popular & reliable companies.
In just a 2-week time frame in May, researchers found 2.5 million scam messages that Android users received, with tens of thousands of them flagged as fraud.
The cybercriminals behind the operation used more automation & AI assistance to create phishing pages that looked very legit & also to manage their distribution workflows. These tools lowered the barrier for many cybercriminals to launch massive fraud campaigns without stress or technical know-how.
Millions of People Impacted Through SMS Impersonation Campaigns
The phishing network mainly focused on mobile users via SMS “smishing” campaigns that impersonated trusted brands, including Google plus other popular global services. The threat actors delivered the messages through messaging routes they controlled via AT&T, T-Mobile, & Verizon infrastructure, making them seem legitimate to those who received them.
Google revealed in its report that Android users alone pointed out 55,000 of these messages as fraudulent during the monitoring period. On the other hand, the wider campaign likely targeted hundreds of thousands of victims all over the world.
Authorities estimate that phishing activity originating from “Outsider Enterprise” played a part in the theft of over 3.8 million credit card records. Also, the losses from these thefts, according to law enforcement, reached approximately $1.9 billion.
Security researchers noted that combining content from AI with massive SMS distribution helped the bad actors to record success in their operations because the victims could not help but trust messages that looked so much like official brand communications.
FBI-Led Operation Riptide Seizes Infrastructure and Wallets
The current takedown is part of the FBI’s broader Operation Riptide, an initiative across its different units with the goal of dismantling the infrastructure and financial networks cybercriminals use to carry out their business.
During the current enforcement actions, authorities seized many administrative servers and a storefront on Shopify that the scam ecosystem used. They also seized accounts the threat actors used to test phishing infrastructure.
Investigators also confiscated up to $100,000 in USDT from the cryptocurrency wallets the attackers used in their operation.
Further, the authorities redirected thousands of phishing domains registered through providers in the U.S. to a warning page that the FBI controls. This redirection effectively disabled active scam campaigns.
Another tool law enforcement seized was a Telegram bot that the criminals used to coordinate customers of their phishing service. Google has already filed a civil lawsuit against the infrastructure of Outsider Enterprise & is working with telecommunications providers to prevent scam messages from reaching users.
Google states, “Our civil lawsuit is against the cybercrime operation ‘Outsider Enterprise’. Based in China & coordinating through Telegram, this network shares “phishing kits” that enable criminals to dish out fake text campaigns that appear like they’re from Google & other reputable brands.”
The company says it continues to add more AI-based protections on Android to discover and stop fraudulent activity at a large scale.