Google filed a civil lawsuit against a cybercrime operation it calls the Outsider Enterprise, alleging the group is based in China, coordinates through Telegram and operates a large-scale phishing infrastructure that powers brand-impersonation text scams.
The scale is striking. Google said the operation is linked to 9,000 fake websites and more than a million fraudulent URLs. In a two-week period in May, the group sent 2.5 million messages to Android users. In the same window, Android users flagged 55,000 of those messages as spam.
The company said hundreds of thousands of victims have lost millions of dollars.
How it works
The Outsider Enterprise sells phishing kits to other criminals through Telegram channels. The kits contain pre-built fake websites that impersonate trusted brands, complete with payment forms designed to capture credit card details and personal information.
The buyer does not need technical skill. They purchase the kit, deploy it to a disposable domain and distribute the link through text messages that impersonate shipping companies, banks, toll authorities or retailers. The victim clicks, enters their details and the money is gone.
The operation is not a single scammer. It is an organised supply chain: developers build the tools, distributors sell them, and operators run the campaigns. Google is targeting the infrastructure layer, the kits and the coordination channels, rather than individual operators.
FBI involvement
Brett Leatherman, assistant director of the FBI's Cyber Division, said the criminals "built a business out of impersonating trusted brands to defraud hundreds of thousands of victims." The FBI's involvement signals that the Outsider Enterprise is considered a priority target, though enforcement against China-based operations faces obvious jurisdictional limits.
The civil lawsuit allows Google to seek court orders to take down domains, disable infrastructure and disrupt the operation's ability to function, actions that can move faster than criminal proceedings in a foreign jurisdiction.
Defensive layer
Google said its AI-powered scam detection on Android and built-in messaging filters intercept more than 10 billion malicious messages each month. The company is coordinating with AT&T, T-Mobile and Verizon to block scam traffic at the network level, with carriers investing in labelling, blocking and traceback capabilities.
Google is also backing seven bipartisan bills aimed at combating AI-enabled scams, urging Congress to formalise protections that currently depend on voluntary cooperation between technology companies and carriers.
Unfathomable scale
Ten billion malicious messages intercepted monthly means the volume that reaches users, the texts that get through, is a fraction of the total. The 2.5 million messages sent in two weeks by a single operation represents one group among many.
The phishing kit model means the problem scales faster than the defences. Every kit sold creates a new operator. Every operator creates thousands of fake URLs. The lawsuit targets one enterprise. The infrastructure it built has already been copied, distributed and deployed by others.
Google can sue the Outsider Enterprise. It cannot sue the model.
