FBI and Google Take Down $1.9B China-Based "Outsider" Cybercrime Network
A coordinated public-private takedown disrupts one of 2026's largest China-based cybercrime networks — and Google sues a related operation for abusing Gemini.
Key Takeaways
A public-private takedown pairs FBI infrastructure seizures with a Google lawsuit — and puts AI-assisted phishing-as-a-service squarely in law enforcement's sights.
WASHINGTON, D.C. — The FBI, working with Google and Lumen Technologies, announced on June 12, 2026 the takedown of "Outsider," a China-based cybercrime network the bureau says was responsible for an estimated $1.9 billion in losses. Active since July 2023, Outsider sold phishing kits and hosted infrastructure that fueled a wave of fraud against people and businesses in 55 countries, including the United States. The coordinated operation, dubbed "Operation Ghost Hook," seized several of the group's core admin-server domains, a Shopify storefront, roughly $100,000 from its payment wallets and thousands of domains registered through U.S.-based providers.
Alongside the seizures, Google filed a civil lawsuit accusing the same network — which it calls the "Outsider Enterprise" — of weaponizing its Gemini AI model to mass-produce phishing pages and run "smishing" text-message campaigns that it says victimized more than 100,000 people. Together, the two actions amount to one of the larger U.S.-led disruptions of China-based cybercrime in 2026, and they extend a broader push to use AI both to attack and to defend — here, with a criminal enterprise turning a mainstream AI assistant into a fraud factory.
At a Glance
| Field | Details |
|---|---|
| Operation | Operation Ghost Hook (part of Operation Riptide) |
| Network | Outsider / "Outsider Enterprise" (phishing-as-a-service) |
| Origin | China-based |
| Active since | July 2023 |
| Estimated losses | $1.9 billion (FBI) |
| Reach | Victims in 55 countries |
| Seized | Admin domains, Shopify storefront, ~$100K, thousands of domains |
| Google suit | S.D.N.Y. — Gemini-abusing smishing operation, 100,000+ victims |
What the FBI Seized and How
According to the FBI, Outsider operated as a phishing-as-a-service business: rather than running scams directly, it supplied the phishing kits and hosted infrastructure that let other criminals impersonate trusted brands and harvest credit-card numbers, bank credentials and personal data. The bureau says the network had been active since July 2023 and facilitated phishing campaigns against individuals and businesses in 55 countries, with lures built around missed-package notices, overdue highway tolls, parking violations, brokerage-account issues and wireless-carrier rewards.
Operation Ghost Hook targeted the infrastructure underneath that business. The FBI says the coordinated effort resulted in the seizure of several domains tied to the group's core administrative servers, a Shopify storefront used to sell the kits, roughly $100,000 from Outsider payment wallets, and thousands of domains registered through U.S.-based providers. The bureau added that it used an Outsider Telegram bot to access information on the network's customers — a move that could expose the downstream operators who bought the kits, not just the developers behind them.
"The criminals behind Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims," Brett Leatherman, assistant director of the FBI's Cyber Division, said in a statement. The bureau framed the takedown as part of Operation Riptide, an ongoing campaign targeting cybercriminals and the financial and hosting networks they rely on. Authorities also traced Outsider's phishing domains to nearly 3.9 million stolen credit cards.
Lumen's Role in the Operation
The takedown was a three-way public-private effort, with the FBI joined by Google and Lumen Technologies, the U.S.-based telecommunications and internet-backbone provider. Lumen's participation is consistent with the role network operators increasingly play in disruption operations: visibility into the internet infrastructure that command-and-control and phishing systems route through, which lets investigators map, and then pull, the connective tissue a criminal service depends on.
The available statements do not break out Lumen's specific technical contribution to Operation Ghost Hook, and the company's exact role should not be overstated beyond what officials disclosed. What is clear is the pattern: durable takedowns of hosted criminal services now routinely pair law-enforcement legal authority with the operational reach of the carriers and platforms whose infrastructure the criminals abuse.
That model has become a defining feature of recent enforcement. It echoes the multi-party coordination behind operations such as Europol's Operation Endgame 2.0, which dismantled hundreds of servers underpinning the ransomware supply chain — and underscores that disrupting the infrastructure layer, not just arresting individuals, is where much of the leverage now sits.
Google's Parallel Smishing Lawsuit
Running in parallel with the FBI's seizures, Google filed a civil lawsuit in the U.S. District Court for the Southern District of New York seeking to dismantle the same network's infrastructure. Google refers to the group as the "Outsider Enterprise" and frames it as a massive, AI-powered operation that it says weaponized its Gemini model to generate fraudulent phishing pages and run large-scale SMS-based phishing — "smishing" — campaigns impersonating legitimate brands.
The mechanism Google describes is notable for how mundane it is. Rather than jailbreaking the model outright, Outsider reportedly provided customers with step-by-step instructions to prompt Gemini and other AI platforms with seemingly harmless requests — asking the assistant to generate HTML for a "gift redemption page," for instance — then paste that code into the Outsider kit to turn a shell site into a working phishing page. The kit, sold for as little as $88 a week through a self-service Telegram ordering bot, also offered more than 290 pre-built templates impersonating trusted institutions, real-time keystroke logging and a campaign-performance dashboard.
Google says the operation victimized more than 100,000 people and caused millions of dollars in losses, and that it identified 9,000 fake websites and more than 1.59 million fraudulent URLs tied to the service between November 2025 and April 2026. The company added that it is working with AT&T, T-Mobile and Verizon to intercept spam messages before they reach customers, and is pushing for legislation to address the broader smishing problem. "Litigation alone won't end this," Google general counsel Halimah DeLaine Prado wrote.
The $1.9B Context — How the Losses Break Down
The headline figure — an estimated $1.9 billion in losses — is the FBI's, and it spans the full life of the network since July 2023 and across all 55 countries where Outsider-enabled phishing landed. It is a measure of the harm attributed to the service's customers in aggregate, not a single theft, and it reflects the leverage of the phishing-as-a-service model: one developer group can multiply its impact across a large population of affiliates.
The supporting numbers give that figure texture. The FBI traced Outsider's domains to nearly 3.9 million stolen credit cards. Google's complaint, focused on the smishing side, points to more than 1.59 million fraudulent URLs and 9,000 fake websites over a roughly five-month window, and says that during a two-week stretch in late May and early June 2026, Android users flagged about 55,000 spam texts tied to the operation while 2.5 million messages carried links to Outsider-generated sites.
The structure behind those numbers is what makes the network resilient. Google describes the Outsider Enterprise as a set of interconnected groups with distinct roles and overlapping infrastructure — a developer group supplying the software and templates, a data-broker group curating target lists, a spammer group sending the texts in bulk, a theft group monetizing and laundering stolen data, and a Telegram group recruiting members and coordinating it all. That division of labor is precisely why a takedown aimed at the shared infrastructure can disrupt many downstream operators at once.
Open Questions
Several material questions remain unresolved. The available statements describe infrastructure seizures and a financial confiscation, but do not confirm that arrests were made — and that should not be assumed. Google has said it does not know the real names of the people or entities behind Outsider, noting only that the operation is supported by multiple cybercrime groups with overlapping infrastructure. The China-based attribution, the $1.9 billion figure and the named roles all trace to the FBI and Google's own statements rather than to independent confirmation, and the full identities of the operators are not public. The case adds to a steady drumbeat of China-linked cyber activity drawing U.S. enforcement attention in 2026, though Outsider is financially motivated fraud rather than state espionage.
The relationship between the two actions is now clearer than it first appeared: the FBI's takedown and Google's lawsuit are not unrelated, parallel events but coordinated prongs of the same effort under Operation Ghost Hook, with the seizures and the civil suit both aimed at dismantling the network's infrastructure. What is firmly established is the shape of the disruption — a multi-country phishing-as-a-service operation, a $1.9 billion loss estimate, roughly $100,000 in seized funds, and a mainstream AI model bent to industrial-scale fraud. The figures, the attribution and the legal outcomes may all evolve as the case proceeds; for now, the confirmed facts are enough to mark it as a significant 2026 enforcement milestone.