FBI/Google Disrupt 'Outsider Enterprise' AI-Powered (Gemini) Phishing-as-a-Service and Smishing Network (Operation Riptide / Operation Ghost Hook) — Threadlinqs Intelligence
Threat ID: TL-2026-0787 · Severity: HIGH · Status: RESOLVED · Category: PHISHING
Attribution: Outsider Enterprise · China · FINANCIAL
Outsider Enterprise was a China-based phishing-as-a-service (PhaaS) and mass-smishing syndicate, active since July 2023, that operated one of the largest commodity PhaaS and SMS-phishing (smishing) ecosystems documented in the United States. Coordinated entirely through Telegram, the operation lowered the technical bar for fraud: subscribers paid as little as $88 per week (or $200 per month) for a self-service kit that included 290+ pre-built fraudulent website templates impersonating trusted brands, a campaign-performance dashboard, and built-in keystroke logging to capture victim input in real time. License sales and provisioning were automated through a Telegram bot, @OutsiderCodeBot.
A defining feature of the operation was the deliberate weaponization of generative AI. According to Google's civil complaint, Outsider encouraged and provided step-by-step instructions for customers to prompt Google Gemini (and other AI platforms) to write the HTML for phishing pages — for example, framing the request as building a benign 'gift redemption page,' instructing the model to avoid JavaScript and to use inline CSS, then copying the generated code into Outsider's interface. This prompt-laundering approach used innocuous framing to evade AI safety guardrails and rapidly mass-produce convincing brand-impersonation pages.
The enterprise was structured into five interconnected divisions: a Developer Group (software and templates), a Data Broker Group (targeting/victim lists), a Spammer Group (bulk SMS tooling), a Theft Group (monetizing and laundering stolen data), and a Telegram Group (coordination and recruitment). Smishing lures impersonated USPS/missed-package notices, unpaid toll and highway-violation notices (e.g., E-ZPass), parking violations, brokerage-account problems, wireless-carrier rewards, and Google itself, steering recipients to credential- and payment-card-harvesting sites. Over a two-week window (May 18-June 1, 2026), roughly 2.5 million scam texts were sent to Android users, 55,000 of which were flagged as spam.
The disruption — branded Operation Ghost Hook within the FBI's broader Operation Riptide — was announced June 12, 2026. The FBI, in partnership with Google, Lumen Technologies (Black Lotus Labs), and carriers AT&T, T-Mobile, and Verizon, seized multiple administration servers, a Shopify e-commerce storefront, a threat-actor testing account, the Telegram bot containing customer data, and approximately $100,000 in USDT from payment wallets, and rerouted thousands of U.S.-registered phishing domains to an FBI splash page. Google simultaneously filed a civil lawsuit in Manhattan federal court. The operation parallels the separately disrupted China-based 'Lighthouse' PhaaS platform (November 2025). No software CVE is involved; this is a criminal-service and abuse-of-AI threat, scored HIGH on the basis of its scale and confirmed financial impact.
Target sectors: consumers, financial, government, telecommunications, logistics, transportation, retail
Target regions: United States, North America, Global (55 countries)
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 16 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
PHISHING, HIGH, threat intelligence, cybersecurity, T1583, T1587, T1608, T1588, T1598, T1589, T1566, T1660