Google Kills 1.9B Phishing Ring That Ran on Gemini Code

Google and the FBI dismantled Outsider Enterprise, a Chinese AI phishing ring that used Gemini to generate fake sites, causing $1.9 billion in losses.


Key Takeaways

  • Outsider Enterprise used Gemini to generate 1 million fraudulent URLs across 9,000 fake sites: the Chinese phishing-as-a-service operation ran from July 2023 to June 2026, selling subscriptions at $88 per week with 290+ brand impersonation templates
  • $1.9 billion in estimated losses and $100,000 in Tether seized: FBI Operation Ghost Hook dismantled administration servers, Shopify storefronts, and cryptocurrency accounts on June 12, with Black Lotus Labs redirecting thousands of active phishing domains to FBI splash pages
  • Google filed its own civil suit on the same day as the FBI enforcement action: the complaint alleges racketeering, wire fraud, copyright infringement, and false advertising, making it the first civil lawsuit by a major AI company against operators who misused its platform for mass fraud
  • AI code generation dropped the technical barrier for phishing from developer labor to $88 per week: the scale of 1 million URLs was achievable only because code generation automated infrastructure production at deployment-pipeline speed, not human-development speed
  • Defendants remain unnamed as "foreign-based cybercriminals": criminal identification depends on blockchain analytics tracing the seized Tether wallet addresses to exchange accounts, and any prosecution tests China extradition frameworks

Google's own AI wrote the phishing code that stole payment cards from hundreds of thousands of victims in 95 countries. The FBI dismantled the operation on June 12, 2026. Google simultaneously sued the operators in federal court. The case is the first known instance of a major AI company filing civil litigation against a criminal organization for misusing its own platform to defraud the company's users. The precedent it sets for AI liability, terms of service enforcement, and the question of who is responsible when a frontier model is weaponized against the public has not yet been tested at trial.

What Actually Happened

The operation, named Outsider Enterprise, ran as a phishing-as-a-service platform from at least July 2023 through June 2026. According to TechCrunch, the defendants, identified in Google's complaint as "foreign-based cybercriminals whose real identities are unknown" operating under the Outsider Enterprise name, used Google's Gemini AI platform to generate code and templates for fake websites impersonating telecom companies, financial institutions, and retailers. The platform sold subscriptions at $88 per week or $200 per month and offered paying criminal customers more than 290 pre-built phishing templates, a real-time credential transmission system, and a campaign dashboard for tracking active fraud operations. Two and a half million SMS text messages were sent to Android users over a two-week period in May 2026 alone, with 55,000 flagged as spam in that month. By the time the operation was dismantled, Outsider Enterprise had enabled the theft of payment card data resulting in an estimated $1.9 billion in total losses since July 2023.

The FBI's Operation Ghost Hook, coordinated with Google's threat intelligence team and Lumen Technologies' Black Lotus Labs, executed a multi-front takedown on June 12, according to BleepingComputer. Federal agents seized administration servers, a Shopify storefront used by the operators to test and distribute phishing kits, and cryptocurrency accounts holding approximately $100,000 in Tether (USDT). The FBI also used Outsider Enterprise's own Telegram bot to access and preserve records of the network's paying criminal customers. Black Lotus Labs identified and redirected thousands of phishing domains to FBI splash pages, effectively disabling the operation's active infrastructure. Google's civil complaint, filed the same day, accused the defendants of impersonating Google and its brands, copyright infringement, racketeering, wire fraud, and false advertising, and asserted claims under the Computer Fraud and Abuse Act. Across the operation's three-year lifespan, Outsider Enterprise deployed over 9,000 fake websites and more than 1 million fraudulent URLs targeting victims in 95 countries.

Why This Matters More Than People Think

Gemini's role in this operation represents a structural shift in the criminal use of generative AI that the security industry has been warning about since 2024. Prior AI-assisted phishing operations used AI primarily for content generation: writing more convincing email text, personalizing messages at scale, or translating campaigns into additional languages. Outsider Enterprise went a step further. The operators used Gemini to generate actual code and functional website templates, automating the technical construction of fake infrastructure that would previously have required skilled web developers. The result was a platform where criminal customers without any development background could subscribe, select a brand template, and launch a convincing phishing site within hours. The labor cost of the attack dropped from skilled developer time to $88 per week. That pricing model is accessible to criminal operations that could never have financed a development team.

The scale metrics tell a specific story about what happened to attack economics when code generation became automated. More than 1 million fraudulent URLs over three years works out to roughly 333,000 new phishing URLs per year, spread across more than 9,000 distinct fake sites, or around 110 URLs per site. The URL count on its own is a weak indicator, since rotating paths and subdomains on an existing site is trivial to script with or without AI; the numbers that reflect AI code generation are the 9,000 sites and the 290+ brand templates, which a human development team would otherwise have had to build and maintain by hand. AI code generation allowed Outsider Enterprise to operate at the pace of a software deployment pipeline rather than the pace of a criminal organization hiring and coordinating developers. Every time Google or a telecom company identified and blocked a phishing domain, the platform could generate replacement infrastructure faster than defenders could remove it. The $1.9 billion in total losses is the financial output of an arms race in which the attacker gained an asymmetric speed advantage by adopting AI tooling that defenders were simultaneously still learning to use.

The irony embedded in this case is worth stating clearly: Google built Gemini, Google's platform was used to generate phishing infrastructure that targeted Google's own users, and Google is now suing the operators in federal court while its own terms of service enforcement failed to prevent the misuse for at least three years. The gap between when Outsider Enterprise started using Gemini to build criminal infrastructure and when Google's legal team filed a complaint spans the period during which Gemini was publicly available, extensively used by legitimate developers, and presumably monitored by Google's trust and safety systems. Google's suit is legally coherent, but it also represents an acknowledgment that the platform's abuse detection failed to catch an active phishing-as-a-service operation for years at scale.

The Competitive Landscape

Outsider Enterprise is documented as having used Gemini specifically, but the broader phishing-as-a-service ecosystem has been integrating AI tooling across multiple platforms since at least 2024. Security researchers at Black Lotus Labs and similar teams have identified phishing kit infrastructure incorporating AI from multiple providers. The question of which AI platform a criminal operation used is less consequential than the structural fact that AI code generation has become standard tooling in the phishing-as-a-service market. The Outsider Enterprise case is the first operation of this scale where a specific AI provider has been named in a civil lawsuit, creating a legal record that will force a factual accounting of how the capability was accessed and when abuse was detectable.

The critics of the "Google should have caught this" framing argue, however, that terms of service enforcement at the scale of a frontier AI platform is genuinely hard. Gemini processes hundreds of millions of queries per day. A phishing template request, in isolation, looks indistinguishable from a legitimate web development query: "Create a login page that looks like [brand]'s portal" is a request that legitimate front-end developers make constantly for white-labeling, internal tools, and authorized red-team exercises. The attacker intent is not visible in the code generation query. Google's detection problem is not incompetence. It is the dual-use problem that every general-purpose AI platform faces at scale, and Outsider Enterprise's three-year operational run before takedown suggests the challenge is real and not solved by existing automated content moderation at the API layer. Decrypt reported that Google's complaint specifically cited Gemini misuse as one of the core grounds for the racketeering claim.

Hidden Insight: The Liability Frontier

Google's decision to sue Outsider Enterprise in civil court rather than simply cooperating with the FBI on criminal enforcement is a strategic choice with long-term implications for the AI industry. Civil litigation creates a public record, forces discovery of technical evidence, and can result in legal precedents about AI platform liability that criminal proceedings do not establish. By filing suit, Google is not just seeking damages from operators whose real identities it may never determine. It is establishing, in a court of record, that Outsider Enterprise violated Google's terms of service and that Google actively cooperated with federal law enforcement to stop the abuse. That record matters if regulators or Congress ever pursue a framework that assigns partial liability to AI platforms for harms caused by misuse of their products.

The timing of the lawsuit, filed on the same day as the FBI enforcement action, suggests coordination rather than a reactive response. Google's legal and threat intelligence teams have been building the evidentiary record for this case. That level of preparation implies Google had detailed knowledge of Outsider Enterprise's use of Gemini before the FBI seizure. The question that the discovery process may eventually answer: at what point did Google's systems identify anomalous patterns in Outsider Enterprise's API usage, and what actions were taken between that identification and the June 12 lawsuit? If Google can demonstrate that it escalated to law enforcement immediately upon developing actionable intelligence about criminal use, the case strengthens the argument that AI platform liability should require actual knowledge and reasonable response time. If the discovery record shows extended periods of known abuse without action, the implications for platform liability are the opposite.

The $1.9 billion in losses figure, if established at trial, also creates a data point for future regulatory debates that the industry has been trying to avoid. AI safety discussions have primarily focused on catastrophic risk, bioweapons potential, and autonomous system failures. The Outsider Enterprise case establishes that AI-enabled financial crime at scale is not a hypothetical. It is a documented category of harm with a specific dollar figure attached, occurring through legitimate API access to a commercially deployed frontier model. Policymakers who have struggled to attach concrete harm numbers to AI risk arguments now have a case study with $1.9 billion in losses and a three-year operational timeline. The EU AI Act's risk classification framework, the U.S. Commerce Department's ongoing export control work, and congressional testimony about AI safety are all likely to reference this case.

What to Watch Next

In the next 30 days, watch for whether Google's civil complaint produces any defendant identification. The complaint describes "Outsider Enterprise" as an organization of foreign-based cybercriminals whose members are unnamed. Federal court discovery procedures can compel cryptocurrency exchanges, Telegram, and domain registrars to provide account information. The Tether seizure in Operation Ghost Hook means federal agents have cryptocurrency wallet addresses connected to the operation's payment flow. Tracing those addresses through blockchain analytics to exchange accounts where funds were converted to fiat currency is a standard law enforcement technique that has successfully identified operators in prior cybercrime cases. If federal investigators can identify named defendants within 60 days, a criminal prosecution can proceed alongside the civil action against unknown parties, and that prosecution will test extradition frameworks for China-based cybercrime.

In the next 60 to 90 days, watch for other AI providers to either proactively file similar actions or face pressure to demonstrate equivalent cooperation with law enforcement. Google's lawsuit sets a precedent that AI platforms can be effective civil plaintiffs acting in parallel with cybercrime enforcement actions. If the Outsider Enterprise case proceeds and produces any monetary recovery or identified defendants, it creates a template for OpenAI, Anthropic, and others to adopt. Regulators in the EU and at the FTC are watching whether voluntary AI platform cooperation with law enforcement is sufficient to address misuse at scale, or whether mandatory reporting and cooperation requirements are needed. The outcome of the Google case will directly shape that policy debate over the next two legislative cycles.

The longest-horizon implication is the API access architecture question. Outsider Enterprise accessed Gemini through Google's commercial API, presumably under terms of service that prohibit illegal use. The operation ran for at least three years before it was taken down; when Google first detected it is not public. The technical question that the industry has not yet answered publicly: what does anomaly detection at frontier AI API scale actually look like, and what usage patterns are reliably detectable versus genuinely indistinguishable from legitimate developer activity? If the answer is that AI-assisted phishing template generation is undetectable at the API layer without behavioral context that only emerges weeks or months into an operation, the detection problem is structurally unsolved for every general-purpose AI platform in commercial deployment. That structural gap is worth more attention than the specific dollar figure in the Outsider Enterprise complaint.
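To make the "behavioral context" point concrete, here is an added example (written for this edit; it is not code from Google, Gemini, or the complaint, and nothing in the public record says Google's systems work this way). It also illustrates the dual-use argument in the Competitive Landscape section: a single "login page styled like [brand]'s portal" request is routine front-end work, so a per-request filter has nothing to act on, but the same requests aggregated per account over a week separate a team white-labelling its own portal from a kit that asks for credential pages for many unrelated brands, all submitting to a host that belongs to none of them. The log records, field names, regexes and thresholds are all constructed for the example.

```python
"""Per-account behavioural review of code-generation API logs.

Constructed example for this article: record fields, regexes and thresholds
are hypothetical and are not Google's, Gemini's or any vendor's telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Brand the prompt asks to imitate ("... styled like Contoso's portal").
BRAND_RE = re.compile(r"\blike ([A-Z][A-Za-z0-9]+)'s\b")
# Prompt is for a credential-capturing page.
CRED_RE = re.compile(r"\b(login|sign[- ]?in|password|2fa|mfa|otp)\b", re.I)
# Only explicit statements of intent; a filter on the single request has
# nothing else to go on.
EXPLICIT_RE = re.compile(r"\b(phish|steal|victim|harvest)\w*", re.I)

# Illustrative thresholds, not tuned on real traffic.
MIN_DISTINCT_BRANDS = 5
MIN_OFF_BRAND_POSTS = 5
WINDOW = timedelta(days=7)

# Constructed log: one record per request. `post_target` is the form action
# the generated page was asked to submit to.
SAMPLE_LOG = [
    # acct-dev: an in-house team white-labelling its own company's portal.
    {"account": "acct-dev", "ts": "2026-05-01T09:00:00",
     "prompt": "login page styled like Contoso's portal",
     "post_target": "https://sso.contoso.example/login"},
    {"account": "acct-dev", "ts": "2026-05-01T11:30:00",
     "prompt": "password reset page styled like Contoso's portal",
     "post_target": "https://sso.contoso.example/reset"},
    {"account": "acct-dev", "ts": "2026-05-03T14:00:00",
     "prompt": "2FA prompt page styled like Contoso's portal",
     "post_target": "https://sso.contoso.example/mfa"},
]
# acct-kit: one brand template per request, every form posting to a single
# collector host that belongs to none of the brands.
KIT_BRANDS = ["Fabrikam", "Northwind", "Adatum", "Litware", "Tailspin", "Wingtip"]
SAMPLE_LOG += [
    {"account": "acct-kit", "ts": f"2026-05-0{i + 1}T03:{10 * i:02d}:00",
     "prompt": f"login page styled like {brand}'s customer portal",
     "post_target": "https://collector.example/api/submit"}
    for i, brand in enumerate(KIT_BRANDS)
]


def parse_event(ev):
    """Features one request exposes: brand imitated, credential page or not,
    and whether the form posts to a host outside that brand's own domain."""
    m = BRAND_RE.search(ev["prompt"])
    brand = m.group(1) if m else None
    host = urlparse(ev["post_target"]).hostname if ev.get("post_target") else None
    return {
        "ts": datetime.fromisoformat(ev["ts"]),
        "brand": brand,
        "cred": bool(CRED_RE.search(ev["prompt"])),
        "off_brand": bool(brand and host and brand.lower() not in host),
    }


def per_request_verdict(ev):
    """What a filter on the isolated request can decide. Styling a login page
    after a brand is routine front-end work, so only explicit intent trips it."""
    return bool(EXPLICIT_RE.search(ev["prompt"]))


def score_account(events):
    """Aggregate one account over the trailing window and flag the shape a
    phishing kit produces: credential pages for many distinct brands, all
    submitting to hosts that belong to none of them."""
    feats = [parse_event(e) for e in events]
    latest = max(f["ts"] for f in feats)
    recent = [f for f in feats if latest - f["ts"] <= WINDOW]
    brands = {f["brand"] for f in recent if f["brand"] and f["cred"]}
    off_brand = sum(1 for f in recent if f["cred"] and f["off_brand"])
    return {
        "requests": len(recent),
        "distinct_brands": len(brands),
        "off_brand_cred_posts": off_brand,
        "flagged": len(brands) >= MIN_DISTINCT_BRANDS
        and off_brand >= MIN_OFF_BRAND_POSTS,
    }


def review(log):
    """Group records by account and score each one."""
    by_account = defaultdict(list)
    for ev in log:
        by_account[ev["account"]].append(ev)
    return {acct: score_account(evs) for acct, evs in by_account.items()}


if __name__ == "__main__":
    print("per-request hits:", sum(per_request_verdict(e) for e in SAMPLE_LOG))
    for acct, result in review(SAMPLE_LOG).items():
        print(acct, result)
```

Run stand-alone, no request in either account trips the per-request check, acct-dev scores one brand and zero off-brand posts, and acct-kit scores six of each and is flagged. The caveat matters as much as the result: an authorized red team generating pages for many client brands and pointing them at its own collector produces exactly the acct-kit shape, so an account-level flag is a review queue entry that still needs account context (who the customer is, what they are authorized to test), not a ban. That is the gap the article describes: the signal lives in behavior across requests and time, not in any single request.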

A criminal operation ran for three years using Google's own AI to build fraud infrastructure targeting Google's users. The lawsuit that resulted is the industry's first admission that this was happening and that it took law enforcement to stop it.

Questions Worth Asking

  1. If a frontier AI platform cannot distinguish between a legitimate developer building a brand portal and a criminal building a phishing site, does the platform bear any responsibility for the resulting harm, and at what point does that responsibility attach?
  2. Should Google's three-year delay between Outsider Enterprise's first use of Gemini and the takedown prompt mandatory AI abuse reporting requirements, or does the complexity of detection at API scale make mandatory timelines unrealistic?
  3. If Outsider Enterprise establishes that AI-enabled financial crime at scale is a documented category with $1.9 billion in losses, how should that figure change risk classification frameworks in the EU AI Act and U.S. regulatory proposals?