Google sues Chinese cybercrime network for hijacking Gemini to run mass phishing scams
Google has filed a lawsuit against a China-based cybercrime operation that allegedly weaponized its Gemini AI to generate phishing sites at industrial scale. The group, called Outsider Enterprise, created more than 9,000 fake websites and roughly 1 million fraudulent URLs impersonating Google, YouTube, the US Postal Service, and toll payment system E-ZPass. It's the first time Google has taken legal action specifically over misuse of Gemini.
The scheme
According to Google's complaint, Outsider Enterprise used Gemini to write the HTML code for convincing phishing pages by feeding it prompts framed as harmless requests — asking the AI to build "gift redemption" pages, for example. The operation moved fast. Over just two weeks, it sent 2.5 million messages containing phishing links. In May alone, Android users flagged 55,000 spam texts tied to the network.
Google estimates the scam hit hundreds of thousands of victims, with losses running into the millions of dollars. The FBI puts broader losses from similar smishing (SMS phishing) operations at $1.9 billion since July 2023. A New York federal court issued a temporary restraining order, and Google is seeking a permanent injunction to dismantle the network's infrastructure.
Industry and law enforcement response
Google didn't act alone. The company partnered with the FBI and the three largest US carriers — AT&T, T-Mobile, and Verizon — to block the messages and take down the infrastructure behind the campaign.
The lawsuit also carries a policy dimension. Google is backing seven bipartisan bills in Congress aimed at curbing AI-assisted fraud. The FBI has noted publicly that criminal groups are increasingly using AI to make scams harder to spot — more polished copy, faster site generation, larger send volumes — and that existing tools for prosecuting them need updating.
What this means
The Outsider Enterprise case makes concrete something that has been theoretical for most people: AI lowers the skill floor for fraud. Building 9,000 convincing fake websites used to require significant technical resources. With a capable language model and a willing operator, it now takes hours.
Whether Google can police its own platform effectively — or whether regulators need to step in — remains an open question. The UK's FCA has reviewed its AI approach and confirmed it has no plans to introduce AI-specific rules, preferring to apply existing frameworks. In the US, the bills Google supports are bipartisan but not yet law. For now, carrier blocking and court injunctions are the main line of defence.