Google filed a lawsuit against a Chinese cybercrime network that it alleges operated the Outsider phishing-as-a-service kit.
Google claims the actors used Gemini and other AI tools to generate and customize phishing website components.
Google linked the operation to 9,000 fake websites and more than 1.59 million fraudulent URLs.
The case highlights how AI-assisted phishing can increase the scale and efficiency of credential theft campaigns.
Google has filed a lawsuit against individuals allegedly linked to a phishing-as-a-service operation known as Outsider, claiming the group used Gemini and other AI tools in a large-scale phishing and smishing operation. The case highlights growing concerns about how generative AI may be used to scale phishing infrastructure.
According to Google, the operation was linked to approximately 9,000 fake websites and more than 1.59 million fraudulent URLs. The company also alleges the network targeted mobile users through large-scale SMS phishing campaigns.
For security teams, the incident demonstrates how AI can help attackers create convincing phishing content faster and scale credential-harvesting operations. As AI-assisted phishing evolves, organizations may face greater identity and mobile security risks.
Phishing kits have long lowered the barrier to entry for cybercriminals. What makes this case notable is Google’s allegation that the operators used generative AI to help build phishing infrastructure.
The lawsuit does not describe a compromise of Gemini. Instead, Google alleges the defendants used prompts framed as legitimate web-development requests to generate components of phishing websites.
The case reflects a broader shift in cybercrime operations. Rather than building every phishing page manually, attackers may increasingly rely on AI tools to accelerate website creation, modify templates, and scale campaigns more efficiently.
How the Outsider operation reportedly worked
Google alleges the defendants operated Outsider, a phishing-as-a-service platform distributed through Telegram. According to the lawsuit, the platform reportedly offered:
More than 290 phishing templates
Real-time keystroke logging
Campaign management dashboards
Workflows for collecting credentials and payment data
Infrastructure for SMS phishing campaigns
AI-assisted development of phishing website components
Google linked the operation to approximately 9,000 fake websites and more than 1.59 million fraudulent URLs between November 2025 and April 2026.
The company also reported that the network sent roughly 2.5 million messages to Android users between May 18 and June 1, 2026. During the same period, Android users flagged approximately 55,000 spam texts linked to the campaign.
Reported Impact
Approximately 3.87 million stolen credit card numbers, according to the FBI.
An estimated $1.9 billion in losses since July 2023.
The figures highlight the scale of the alleged criminal operation.
What this incident reveals about modern phishing campaigns
The allegations against Outsider combine several trends security teams have been tracking for years: phishing-as-a-service operations, SMS-based phishing, Telegram-hosted criminal marketplaces, and AI-assisted content generation.
Together, these capabilities can lower the technical barrier for launching phishing campaigns. Operators no longer need to build phishing infrastructure from scratch, allowing campaigns to scale more quickly and adapt to new targets.
The case also highlights the growing role of mobile devices in phishing operations. SMS messages often reach users outside traditional email security controls, reducing the effectiveness of email-focused phishing defenses.
Campaign snapshot
Category | Details
Threat Type | AI-assisted phishing and smishing
Alleged Platform | Outsider phishing-as-a-service kit
Reported Delivery Method | SMS phishing messages
Reported Infrastructure | Approximately 9,000 fake websites
Reported URLs | More than 1.59 million fraudulent URLs
Alleged AI Usage | Google alleges Gemini and other AI tools were used to generate phishing website components
Primary Risk | Credential theft and financial fraud
Enterprise Concern | Identity compromise through mobile phishing campaigns
Questions the lawsuit does not yet answer
Several aspects of the case have not been publicly verified. Public reporting and court filings have not disclosed:
The full scope of victims affected by the operation.
The exact role Gemini played across all phishing campaigns.
The success rate of the phishing campaigns.
The complete identities of all individuals involved.
The number of successful credential theft incidents linked to the activity.
Security teams should treat the incident as an evolving threat event rather than a fully documented breach case.
Why AI-assisted smishing matters to enterprises
Although several details remain under investigation, the case highlights risks organizations should consider as phishing campaigns become more automated and mobile-focused.
Identity risk
Employees who enter credentials into fraudulent portals may expose corporate accounts, SaaS applications, and sensitive business data.
Mobile security risk
Smishing campaigns target users through mobile devices, often operating outside traditional email security controls.
Operational risk
AI-assisted phishing infrastructure may allow threat actors to create and modify phishing content more rapidly, increasing campaign scale and adaptability.
Defending against AI-assisted phishing campaigns
Although the full scope of the operation remains unclear, the case highlights the need for layered defenses that address identity compromise, mobile phishing, and endpoint visibility.
Strengthen mobile security controls and educate users about SMS-based phishing attempts.
Restrict access to sensitive applications from unmanaged or non-compliant devices.
Monitor authentication activity for signs of compromised accounts or suspicious sign-in behavior.
Maintain visibility into endpoint and mobile-device security posture to support investigation and response.
How Hexnode supports investigation and response
When responding to phishing incidents such as the alleged Outsider campaigns, security teams typically focus on three priorities:
Identify exposed devices
Hexnode UEM can help teams review device compliance status and maintain visibility into managed endpoints through centralized device management and compliance monitoring.
Assess potential account compromise
Following a phishing incident, security teams often need to understand which users and devices may have been exposed. Device activity and security-event visibility can help establish context and prioritize further investigation.
Investigate suspicious activity
Hexnode XDR provides endpoint visibility and threat investigation capabilities that can help security teams analyze suspicious activity across managed endpoints.
The allegations against the operators of Outsider underscore a growing challenge for defenders: phishing campaigns no longer rely solely on traditional kits and manual workflows. As attackers experiment with AI tools, organizations may face phishing operations that are faster to build, easier to scale, and harder to distinguish from legitimate services.
As allegations involving Gemini-assisted phishing and other AI-assisted phishing operations continue to emerge, organizations should focus on identity protection, mobile security, and visibility into user and device activity. Strong investigation capabilities remain critical for understanding potential exposure and responding to credential-based threats.
How did Google allege Gemini was used in the campaign?
Google alleges the defendants used Gemini and other AI tools to help generate components of phishing websites used in smishing campaigns.
Has Google confirmed that Gemini was compromised?
No. Public reporting indicates Google alleges attackers used Gemini as part of phishing operations, not that Gemini itself was compromised.
Why does this incident matter for enterprises?
The case highlights how AI-assisted phishing may help attackers scale credential-theft campaigns targeting employees, corporate identities, and business applications.