The FBI has dismantled a major Chinese phishing-as-a-service (PhaaS) operation called Outsider Enterprise, according to an announcement reported by TechRadar. The law enforcement agency seized multiple administration servers, a Shopify e-commerce storefront, and an account the attackers used to test the PhaaS, which relied mostly on SMS-based lures. The FBI also seized approximately $100,000 in USDT cryptocurrency, redirected thousands of phishing pages to an FBI announcement site, and seized a Telegram bot used to store stolen information.
The Scope of the Operation
Phishing-as-a-Service is a model where threat actors rent a kit that allows them to easily create fake login pages spoofing major brands, as well as send spam emails and SMS messages in bulk and exfiltrate stolen files. The FBI stated that this particular PhaaS was very popular in the cybercriminal community. It was active for roughly three years and was used to generate around 9,000 fake websites and at least a million fraudulent URLs. Hackers used the service to steal more than 3.8 million credit card records, resulting in approximately $1.9 billion in losses.
| Metric | Value |
|---|---|
| Active period | ~3 years |
| Fake websites created | ~9,000 |
| Fraudulent URLs | 1,000,000+ |
| Credit card records stolen | 3.8 million+ |
| Estimated losses | ~$1.9 billion |
| Seized cryptocurrency (USDT) | ~$100,000 |
Legal and Industry Response
The campaign was followed by legal action from Google, which filed a civil lawsuit against the PhaaS infrastructure. Google is working with major telecommunications providers to block fraudulent messages before they reach targets. In a statement, Google said: “Our civil lawsuit targets an organized cybercrime operation known as the 'Outsider Enterprise'. Based in China and coordinating through Telegram, this network distributes 'phishing kits' that allow criminals to blast out fake text campaigns that look like they’re from Google and other trusted brands.”
Google claimed that in just two weeks, crooks sent approximately 2.5 million fraudulent SMS messages to targets using Android devices. Users flagged only 55,000 of them as fraudulent, highlighting the sophistication of the lures and the difficulty of detection.
Implications for Enterprise Security
For enterprise technology leaders, this takedown underscores the persistent threat of AI-powered phishing services that target employees and customers alike. The scale of the operation — over a million URLs and millions of stolen credit cards — demonstrates how cybercriminals can industrialize fraud using readily available phishing kits. Supply chain and logistics companies, which increasingly rely on digital communications and payment systems, must ensure that their security awareness training and anti-phishing defenses are robust. The collaboration between law enforcement (FBI) and technology companies (Google) highlights the importance of multi-stakeholder efforts to disrupt cybercrime infrastructure. Enterprises should monitor for similar PhaaS offerings and invest in advanced threat detection, including AI-based filtering of SMS and email, to reduce the risk of credential theft and financial loss.