A federal judge in New York approved Google’s emergency request Friday to block the operation after finding that the phishing campaign had defrauded more than 100,000 victims and multiple businesses, including New York’s E-ZPass program and the New York City government.
The case reflects Google’s growing concern that AI is becoming a force multiplier for phishing services. In its complaint, the company said, “In late 2025, phishing attacks generated using AI reportedly increased more than fourteenfold and now account for over half of all reported phishing incidents.”
Google said its researchers are seeing AI use spread across the Chinese-language phishing ecosystem, rather than remaining limited to one group. The company previously sued another operation, tracked as Darcula or Magic Cat, which it said was responsible for 80% of phishing texts in the United States.
The latest case centers on a software suite called Outsider, which Google says gives subscribers access to more than 290 templates that imitate websites run by financial firms, wireless carriers, government agencies and retailers. The service costs as little as $88 per week and allows users to build scam pages, run phishing campaigns and collect stolen data.
Google said Outsider can take AI-generated code for a basic website and convert it into a functioning phishing page. That allows scammers to create variations of existing templates without needing technical skills.
The complaint said the phishing provider also offered tutorials showing users how to generate scam site code with Gemini. One sample prompt included in the filing asked the AI tool to create a gift redemption page in the same style as a provided template. “Please help me generate a gift redemption page in the same style. It needs 6 product, of which 5 do not have enough points to be redeemed,” the prompt said. “Do not use JS code, and make the page look more gorgeous and beautiful.”
After Gemini produced the code, Google said scammers could paste it into Outsider’s custom template editor and add images, logos and other visual elements to make the page appear more credible. The scale of the operation was substantial, according to Google. “In the five-month period from November 14, 2025, to April 14, 2026, alone, Google detected more than 1.59 million URLs linked to the Outsider Enterprise,” the complaint said.
Google said the phishing group also supported customers after sites went live. Associates allegedly helped distribute malicious links through Apple iMessage, Google Messages and other messaging tools that support high-resolution media, typing indicators and read receipts.
Google’s cybercrime investigation team found 2.6 million Google Messages containing links to the group’s phishing websites during a two-week period from May 18 to June 1. The scams described in the complaint went beyond common package-delivery or toll-payment messages. Google said some campaigns falsely warned victims about brokerage account issues or expiring rewards points from mobile carriers.
The Outsider platform also gave scammers analytics, including real-time data showing how many people visited a phishing page and submitted personal information.
Google said the sites were designed to defeat multifactor authentication by showing fake MFA pages. Attackers would use stolen credentials to attempt a real login, trigger an authentication code from the legitimate service, and then prompt the victim to enter that code into the fake page.
The stolen information could then be used for unauthorized purchases, digital wallet fraud or account takeovers, according to the complaint. Google said compromised brokerage accounts could also be used to buy targeted stocks and manipulate prices for profit.
The Southern District of New York issued a temporary restraining order barring the phishing service provider from continuing its operations worldwide.
This analysis is based on reporting from GovInfoSecurity.
This article was generated with AI assistance and reviewed for accuracy and quality.