The FBI, Google and Lumen Technologies seized the core infrastructure of Outsider Enterprise, a China-based phishing-as-a-service operation linked to 3.87 million stolen credit cards and an estimated $1.9bn in losses since July 2023.
Operation Ghost Hook, part of the FBI's broader Operation Riptide, took down admin domains, servers, a Shopify storefront and roughly $100,000 in USDT from the group's payment wallets. Thousands of previously active phishing domains now redirect to an FBI splash page.
The scale of the operation is striking. The method is more striking still.
$88 franchise
Outsider sold phishing kits through a Telegram bot for as little as $88 per week or $200 per month. The kits included more than 290 pre-built templates impersonating banks, wireless carriers, government agencies, state DMVs, the US Postal Service and toll systems including New York's E-ZPass.
A subscriber with no technical skill could spin up a functioning scam page in minutes. The kit captured victim data in real time and could request SMS codes, PINs, email codes and app approvals, defeating two-factor authentication by intercepting the one-time passcodes as victims entered them.
The business model is franchise crime. Outsider built the infrastructure. Its customers ran the campaigns. The Telegram bot handled distribution, payment and customer support.
Gemini abuse
Google's civil complaint includes a detail that should concern every AI company. Outsider supplied step-by-step prompts and a tutorial showing customers how to make Google's Gemini generate the HTML for phishing pages. The technique involved framing requests as innocuous "gift redemption pages" using inline CSS and no JavaScript, a formulation designed to evade the model's safety filters.
The tutorial turned a commercial AI product into a phishing page generator. The prompts worked because they described the output in terms that did not trigger content restrictions, while producing pages functionally identical to credential-harvesting sites.
FBI turned the tool against its users
Investigators used Outsider's own Telegram bot to harvest customer data, turning the distribution channel into an intelligence collection mechanism. The irony is precise: the tool that sold anonymised crime kits to thousands of operators was itself the means by which those operators were identified.
Enforcement limits
Google is pursuing civil claims under the Racketeer Influenced and Corrupt Organizations Act and for trademark infringement in the Southern District of New York. The company acknowledged that named defendants are unlikely to be extradited from China.
The infrastructure has been seized. The operators remain free. The 290 templates have been distributed to thousands of customers who downloaded them before the takedown. The Telegram bot is offline but the methodology is documented, shared and replicable.
Brett Leatherman, assistant director of the FBI's Cyber Division, said criminals are increasingly using AI to make fraud more convincing and harder to detect. Outsider did not need sophisticated AI. It needed a Telegram bot, an $88 subscription model and a tutorial that taught customers how to ask Gemini politely for a phishing page.
The takedown is real. The model has already been copied. Operation Ghost Hook shut down one operation. The phishing-as-a-service market it served remains open for business.