Checking your Browser…
Image Credits: Beata Zawrzel/NurPhoto / Getty Images
Share on FacebookShare on XShare on LinkedInShare on RedditShare over EmailCopy Share Link
Chinese cybercrime operation that used AI to scam ‘hundreds of thousands of victims’ sued by Google
1:38 PM PDT · June 12, 2026
Share on FacebookShare on XShare on LinkedInShare on RedditShare over EmailCopy Share Link
Google is suing to dismantle the infrastructure behind an alleged massive AI-powered cybercrime operation.
On Friday, the tech giant announced a lawsuit against an alleged Chinese cybercrime network called Outsider Enterprise, which Google says uses AI in its campaigns to send scam text messages impersonating Google and other brands to steal passwords and credit card numbers.
Outsider Enterprise has financially scammed “hundreds of thousands of victims” with losses “estimated in the millions.” The group deployed 9,000 fake websites, one million fraudulent web domains, and 2.5 million texts sent to Android users in a two-week period, according to Google.
The company said, “55,000 spam texts were flagged by Android users in just two weeks this past May — that’s more than two text spam complaints a minute.”
Google said it uses “AI-powered tools to fight AI-powered scams,” which enable the company to detect scams and alert users of suspicious calls and text messages, leading to the interception of more than 10 billion scam messages a month.
The company said it has been collaborating with AT&T, T-Mobile, and Verizon to block the scam text messages, and said it is coordinating with the FBI.
An FBI spokesperson told TechCrunch that the bureau, in coordination with Google and Lumen’s Black Lotus Labs, seized several domains used by the cybercriminals, as well as Shopify storefronts and accounts used to test the operation’s phishing service.
The spokesperson said that since July 2023, Outsider Enterprise’s phishing platform enabled cybercriminals to steal “at least an estimated 3,870,000 stolen credit cards and a corresponding estimated $1.9B in losses.”
Inside Outsider Enterprise
In its complaint filed as part of the lawsuit, Google laid out the evidence it gathered against people involved in the Outsider Enterprise operations, whom the company said are foreign-based cybercriminals whose real identities are unknown. This group “built, maintains, and uses a turn-key, online software suite that enables criminals, regardless of technical skill, to publish fraudulent websites designed to rob victims and enrich themselves,” according to the complaint.
Google said this “phishing-for-dummies” software called Outsider, which costs $88 per week or $200 per month, allows operators to create fake websites with the help of AI platforms, including Google’s own Gemini. The fake sites impersonate several services and companies, such as telecom providers, financial institutions, government agencies, and retailers.
To lure people to the fake websites, the cybercriminals collaborate with one another to send victims malicious text messages, or purchase ads. The common goal is to steal passwords and corresponding multi-factor codes as well as financial information, which the scammers can do by receiving the data that victims input into the fake websites, with the information being transmitted through Outsider’s platform in real time.
“Part of the Outsider software’s appeal is the ease with which someone with limited technical expertise — like many members of the Enterprise— can purchase the software, execute various phishing attacks, and, upon purchase, meet other members of the Enterprise who are proficient in other areas,” Google wrote, referring to Telegram channels where the cybercriminals can collaborate, train each other, discuss strategies, and develop phishing attacks. “The Enterprise brazenly coordinates its efforts in open and largely uncoded discussions on Telegram.”
According to Google, the Outsider platform allegedly offers cybercriminals “more than 290 pre-built templates that mimic the legitimate websites” that generate replicas of real websites “in minutes,” along with guides on how to “weaponize AI-generated code,” as well as a dashboard to track progress of phishing campaigns. The cybercriminals have allegedly used Google Drive and Google Cloud infrastructure to host the phishing websites.
“The Outsider software has been used to create over a million phishing websites to swindle innocent victims out of millions of dollars,” Google wrote in the complaint.
To give an idea of the scale of Outsider Enterprise’s operation, Google said that over a five-month period, from November 14, 2025 to April 14, 2026, the company detected more than 1.59 million URLs connected to it.
Google said the Outsider Enterprise operation is made up of several groups of cybercriminals: those who develop and maintain the phishing software and website templates; those who supply lists of targets curated from public records, social media, and data breaches; a “spammer group” that provides tools and the infrastructure to send scam texts in bulk, which includes smartphone banks, SIM cards, and modems; and those who monetize the stolen credentials and launder the stolen money.
A screenshot showing a Telegram message where a cybercriminal advertised stolen digital credit cards on several cellphones. Image Credits: Court document
The cybercriminals have stolen “at least 36,000 payment cards issued by financial institutions in 95 countries,” according to Google.
The company accused the people behind Outsider Enterprise of impersonating Google and its brands, of infringing its copyright, of racketeering activities, of committing wire fraud, and false advertising. With the lawsuit, Google is seeking compensatory and punitive damages, and an order to stop the criminals from carrying out their activities.
This story was originally published at 10:26 a.m. PDT and has since been updated with new information from Google’s complaint, and the FBI’s comment.
Topics
AI, Android, cybercrime, cybersecurity, Google, In Brief, scams, Security
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
Share on FacebookShare on XShare on LinkedInShare on RedditShare over EmailCopy Share Link
Lorenzo Franceschi-Bicchierai
Senior Reporter, Cybersecurity
Lorenzo Franceschi-Bicchierai on TwitterLorenzo Franceschi-Bicchierai on BlueskyLorenzo Franceschi-Bicchierai on Mastodon
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
You can contact or verify outreach from Lorenzo by emailing lorenzo@techcrunch.com, via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.
June 18
Los Angeles
Get an inside look at what it takes to scale and succeed from leaders at Mach Industries, Founders Fund, and Shinkei Systems. Through candid fireside chats and high-impact networking, you’ll walk away with valuable insights and new connections.
Most Popular
-
Jeff Bezos’s Prometheus raises $12B to build an ‘artificial general engineer’ for the physical world
-
Cybersecurity researchers aren’t happy about the guardrails on Anthropic’s Fable
-
Google just fired a warning shot in the AI subscription price wars
-
WWDC 2026: Everything announced on Siri AI, iOS 27, Apple Intelligence, and more
-
Anthropic’s Claude Fable 5 is a version of Mythos the public can access today
-
It’s not FAANG anymore. It’s MANGOS.
-
Microsoft’s open source tools were hacked to steal passwords of AI developers
Keep reading
Image Credits: Michael Nagle/Bloomberg / Getty Images
Share on FacebookShare on XShare on LinkedInShare on RedditShare over EmailCopy Share Link
Oracle warns of security bug that hackers abused to breach 100+ companies
1:27 PM PDT · June 11, 2026
Oracle warned its corporate customers that there is a critical-rated vulnerability in its PeopleSoft software, which is used by large companies to manage payroll and human resources, a day after a cybercrime group took credit for abusing the flaw as part of a mass-hacking campaign.
The company published the security advisory on Thursday after the hacking group ShinyHunters claimed to have breached more than 100 organizations that use PeopleSoft servers.
Mandiant, the Google-owned security unit that investigates cyberattacks, warned in a blog post that the new Oracle flaw is the same bug that the ShinyHunters group is abusing in its hacking campaign targeting PeopleSoft customers.
Oracle, which has not released a patch for the vulnerability at the time of writing, said in the advisory that the bug can be exploited over the internet without needing any authentication, such as a password.
The tech giant recommended that customers who use PeopleSoft software apply its mitigations to prevent exploitation.
On Wednesday, a ShinyHunters member told TechCrunch that the gang compromised the companies by abusing an unpatched flaw in PeopleSoft servers. The bug is known as a zero-day because the company affected, in this case Oracle, had no time to fix it before it was discovered and exploited.
Mandiant confirmed that it has also notified more than “100 global organizations,” most of them in the United States, in an effort to restrict access to their potentially vulnerable systems. The cybersecurity group said that about two-thirds of these organizations are in higher education, which aligns with what ShinyHunters previously claimed.
“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters [Data Leak Website],” Mandiant wrote.
Oracle did not respond to TechCrunch’s request for comment.
Contact Us
Do you have more information about this hacking campaign? Or other data breaches? We’d love to hear from you. From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email .
The ShinyHunters member told TechCrunch this week that some of the hacked organizations are universities and colleges.
The hacker shared a message they said was sent to one of the victim schools, in which the hackers claimed to have stolen “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID across all campuses,” among other data.
PeopleSoft, and its customers, are the latest victims in a long series of hacking campaigns where the ShinyHunters gang targeted organizations that all share the same vulnerable software.
In the last year, the group targeted several companies that use Salesforce and Gainsight, as well as software provided by education giant Instructure, and among others.
Once the hackers identify vulnerable software and companies that use it, they try to steal corporate or customer data and then threaten to release it unless the victims pay a ransom.
Earlier this year, education tech company Instructure said it paid the hackers after they breached the company’s systems twice. As part of the hacking campaign, ShinyHunters defaced the login pages of several schools that use Instructure’s popular school information portal Canvas.
Topics
cybercrime, data breach, hackers, hacking, oracle, Security, shinyhunters
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
Share on FacebookShare on XShare on LinkedInShare on RedditShare over EmailCopy Share Link
Lorenzo Franceschi-Bicchierai
Senior Reporter, Cybersecurity
Lorenzo Franceschi-Bicchierai on TwitterLorenzo Franceschi-Bicchierai on BlueskyLorenzo Franceschi-Bicchierai on Mastodon
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
You can contact or verify outreach from Lorenzo by emailing lorenzo@techcrunch.com, via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.
Newsletters
Subscribe for the industry’s biggest tech news
TechCrunch Daily News
Every weekday and Sunday, you can get the best of TechCrunch’s coverage.
Startups Weekly
Startups are the core of TechCrunch, so get our best coverage delivered weekly.
TechCrunch Week in Review
Get the best of our coverage, delivered to your inbox every Saturday.
TechCrunch Mobility
TechCrunch Mobility is your destination for transportation news and insight.
No newsletters selected.
Subscribe
By submitting your email, you agree to our Terms and Privacy Notice.
Loading the next article
Error loading the next article
Some areas of this page may shift around if you resize the browser window. Be sure to check heading and document order.
Read Original at TechCrunch →