GOOGLE TAKES LEGAL ACTION AGAINST AI-POWERED PHISHING EMPIRE TARGETING AMERICANS

Chinese Smishing Network Allegedly Used Gemini AI to Launch Massive Fraud Campaign Affecting Over 100,000 Victims


Severity: High
Category: Cybercrime & Artificial Intelligence

Executive Summary

Google Moves to Dismantle Large-Scale AI-Assisted Phishing Operation

Google has filed a lawsuit against a China-based cybercrime network accused of operating a sophisticated Phishing-as-a-Service (PhaaS) platform known as Outsider. According to Google, the group leveraged Gemini AI to help generate phishing websites and execute large-scale SMS phishing campaigns targeting U.S. consumers.

The criminal operation allegedly impersonated trusted brands, mobile carriers, financial institutions, and brokerage services to trick victims into revealing sensitive personal and financial information.

Furthermore, investigators estimate that the campaign impacted more than 100,000 individuals, generated millions of fraudulent messages, and contributed to significant financial losses.

Key Insight: Cybercriminals are increasingly using AI tools to automate phishing attacks, create convincing fraudulent websites, and scale operations faster than ever before.

How the Operation Worked

AI Helped Criminals Build Convincing Phishing Infrastructure

According to court filings, the Outsider platform allowed cybercriminals to create realistic phishing websites with minimal technical expertise.

Instead of developing websites from scratch, attackers reportedly used AI-generated code to build fake login portals, reward redemption pages, and account verification sites.

Consequently, even inexperienced threat actors could launch professional-looking phishing campaigns within minutes.

The operation primarily relied on SMS phishing, commonly known as smishing, to lure victims into clicking malicious links.

Common phishing themes included:

  • Mobile carrier rewards programs
  • Brokerage account alerts
  • Banking security notifications
  • Package delivery updates
  • Account verification requests

As a result, victims often believed they were interacting with legitimate organizations.
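
For defenders triaging reported texts, the lure themes listed above can be combined with a brand-versus-link check. The following is an added example, not code from Google's filing or from CyberShelter. The keyword patterns, the brand names, the `.example` domains and the sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Lure themes from the list above; the keyword patterns are illustrative assumptions.
THEMES = {
    "carrier rewards": r"\b(reward|points|redeem)\w*",
    "brokerage alert": r"\b(brokerage|trading account|portfolio)\b",
    "banking security": r"\b(bank|card)\b.*\b(locked|suspended|unusual|security)\b",
    "package delivery": r"\b(package|parcel|delivery|shipment)\b",
    "account verification": r"\b(verify|verification|confirm your)\b",
}
# Constructed brands and their official domains (placeholders, not real organizations).
OFFICIAL = {
    "examplecarrier": {"examplecarrier.example"},
    "examplebank": {"examplebank.example"},
}
URL_RE = re.compile(r"https?://\S+", re.I)


def host_matches(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(text):
    """Classify one SMS body as pass, review or suspicious."""
    lower = text.lower()
    squashed = re.sub(r"[\s\-]", "", lower)  # "Example-Carrier" -> "examplecarrier"
    themes = sorted(n for n, p in THEMES.items() if re.search(p, lower))
    hosts = [urlparse(u.rstrip(".,)")).hostname or "" for u in URL_RE.findall(text)]
    # Official domains of every brand the message names (in text or in the link).
    allowed = set().union(*(d for b, d in OFFICIAL.items() if b in squashed))
    off_brand = [h for h in hosts if not any(host_matches(h, d) for d in allowed)]
    if not hosts or (allowed and not off_brand):
        verdict = "pass"        # no link, or every link is on the named brand's domain
    elif allowed:
        verdict = "suspicious"  # names a brand but links somewhere else
    else:
        verdict = "review" if themes else "pass"  # lure wording, unknown sender brand
    return {"verdict": verdict, "themes": themes, "off_brand_hosts": off_brand}


SAMPLES = [  # constructed messages
    "ExampleCarrier: your reward points expire today. Redeem: https://examplecarrier-rewards.example/claim",
    "ExampleBank: your statement is ready at https://www.examplebank.example/statements",
    "Your package could not be delivered. Confirm your address: http://parcel-update.example/track",
]
if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms)["verdict"], "|", sms)
```

The suffix check in `host_matches` is what catches lookalike hosts that merely contain or begin with the brand's domain.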

Massive Infrastructure Uncovered

Thousands of Websites and Millions of Malicious Links Identified

Google's investigation revealed the enormous scale of the operation.

Researchers identified:

  • More than 9,000 fraudulent websites
  • Over 1.59 million malicious URLs
  • Millions of phishing messages
  • More than 290 phishing templates
  • Real-time victim tracking capabilities

Additionally, Android users reported approximately 55,000 phishing texts during a two-week monitoring period alone.

Investigators also discovered that attackers distributed approximately 2.5 million phishing messages containing links to Outsider-generated websites.

Inside the Outsider Phishing Platform

A Subscription Service for Cybercriminals

Unlike traditional phishing operations, Outsider functioned as a commercial cybercrime service.

For as little as $88 per week, criminals could access a complete toolkit designed to launch phishing campaigns.

The platform reportedly included:

  • Ready-made phishing website templates
  • Real-time keystroke logging
  • Campaign performance dashboards
  • Automated deployment tools
  • Credential harvesting capabilities
  • Credit card theft functionality

Moreover, the service operated through Telegram, making distribution and customer support easier for threat actors.

Criminal Ecosystem Behind the Campaign

Multiple Specialized Groups Worked Together

Google's complaint describes Outsider as a coordinated cybercrime ecosystem rather than a single threat actor.

The operation reportedly consisted of several specialized groups:

Developer Group

Created and maintained phishing kits and website templates.

Data Broker Group

Supplied target lists containing potential victims' information.

Spammer Group

Distributed large volumes of phishing messages through SMS channels.

Theft Group

Monetized stolen credentials, banking information, and payment data.

Telegram Group

Facilitated communications, customer support, and recruitment.

Because each group focused on a specific function, the overall operation achieved significant efficiency and scale.

AI's Growing Role in Cybercrime

Threat Actors Continue Leveraging Generative AI

The Outsider case demonstrates how cybercriminals increasingly use artificial intelligence to enhance attack effectiveness.

According to Google, attackers crafted prompts that appeared harmless and requested assistance building simple web pages. However, those pages ultimately became phishing portals designed to steal sensitive information.

As AI tools become more accessible, threat actors can:

  • Create phishing pages faster
  • Improve language quality
  • Generate convincing content
  • Automate campaign creation
  • Reduce technical skill requirements

Consequently, phishing operations can expand rapidly while maintaining a professional appearance.

Law Enforcement Response

Operation Ghost Hook Targets Criminal Infrastructure

Authorities have already taken significant action against the network.

As part of Operation Ghost Hook, investigators:

  • Seized multiple domains
  • Disrupted phishing infrastructure
  • Confiscated approximately $100,000 in cryptocurrency
  • Redirected malicious domains to FBI warning pages
  • Gathered intelligence from criminal Telegram infrastructure

Furthermore, law enforcement agencies continue investigating additional participants connected to the operation.

Recommended Actions

CyberShelter Recommendations

01 — Verify SMS Messages Carefully

Never trust unsolicited messages requesting account verification, rewards redemption, or urgent action.

02 — Avoid Clicking Unknown Links

Instead of following links from text messages, visit websites directly through official channels.

03 — Enable Multi-Factor Authentication

MFA significantly reduces the risk of account compromise even if credentials are stolen.

04 — Monitor Financial Accounts

Review banking and credit card activity regularly for unauthorized transactions.

05 — Strengthen Employee Awareness

Conduct ongoing phishing awareness training and educate users about AI-generated scams.

Strategic Perspective

AI Is Lowering the Barrier to Entry for Cybercrime

The Outsider operation highlights a major shift in the cybercrime landscape. Previously, criminals needed technical expertise to build phishing infrastructure. Today, AI-powered tools can automate much of that work.

As a result, cybercriminal groups can launch larger campaigns, reach more victims, and continuously improve their tactics.

Organizations must therefore assume that future phishing attacks will become increasingly sophisticated, highly personalized, and more difficult to distinguish from legitimate communications.

CyberShelter believes that combining strong security controls, user awareness, and proactive monitoring remains the most effective defense against the next generation of AI-assisted phishing threats.