The lawsuit targets an anonymous group of China-based cybercriminals whose Outsider phishing kit generated more than 1.5 million malicious URLs in six months by instructing buyers to use Google's own AI tools to build credential-harvesting sites.

 

What happened

Alphabet's Google filed a lawsuit on June 12, 2026, in the US District Court for the Southern District of New York against the anonymous makers of a phishing-as-a-service kit called Outsider, which the complaint alleges illegally impersonates hundreds of trusted websites and provides buyers with step-by-step instructions for using AI tools, including Google's own Gemini to generate their own phishing sites. According to Reuters, Google detected more than 1.5 million URLs linked to Outsider between November 2025 and April 2026. The complaint accuses the defendants of abusing Google Cloud and Google Drive to host malicious infrastructure and misusing Google trademarks to add credibility to fraudulent sites. Google is seeking an injunction blocking the software and an unspecified amount of monetary damages. The defendants are identified as an anonymous group of cybercriminals based in China. Google General Counsel Halimah DeLaine Prado confirmed the company is working with the FBI and telecommunications companies AT&T, T-Mobile, and Verizon to dismantle Outsider's infrastructure.

 

Going deeper

The Outsider kit represents a documented example of what security researchers have been warning about throughout 2025 and 2026, AI tools being weaponized against the very companies that built them. The kit does not require buyers to build phishing pages from scratch. Instead, it provides instructions for using Gemini and other AI platforms to generate convincing credential-harvesting sites that mimic hundreds of legitimate brands, then hosts those sites on Google's own infrastructure to inherit the trust those domains carry with email security tools. Google's complaint argues this constitutes a cybercrime ring that combines trademark misuse, platform abuse, and AI-assisted fraud into a single commercial product. Google's lawsuit follows a November 2025 action in New York in which the company sued to dismantle a separate text-based phishing scheme, part of what appears to be a broader legal strategy to pursue phishing infrastructure operators in federal court.

 

What was said

Google General Counsel Halimah DeLaine Prado stated in a Google blog post that "by combining powerful security defenses with aggressive legal action, we're fighting against scammers and working to build a safer internet for everyone," and that "criminals increasingly use AI to make fraud like this more convincing and harder to detect." FBI Assistant Director Brett Leatherman stated in the same announcement, "Criminals increasingly use AI to make fraud like this more convincing and harder to detect. Together with partners like Google, we can disrupt criminal networks in ways no single organization could on its own." DeLaine Prado also confirmed Google is endorsing seven bills pending in Congress directed at countering AI-enabled scamming.

 

In the know

The Outsider lawsuit follows a pattern of major technology companies using civil litigation to pursue phishing infrastructure operators when criminal prosecution is slow or geographically difficult. According to Reuters, Microsoft previously sued the makers of the Storm-1152 cybercrime service in 2023, obtaining court orders to seize domains used to create millions of fraudulent Microsoft accounts. Microsoft's Digital Crimes Unit executed a similar civil takedown against the Fox Tempest malware-signing service in May 2026, obtaining court orders to seize infrastructure used by ransomware groups including Rhysida, INC, and Qilin. Civil litigation allows companies to obtain emergency domain seizures and injunctions faster than criminal proceedings and across jurisdictions where extradition is not available.

 

The big picture

A phishing kit that instructs buyers to use Google Gemini to generate fake websites for hundreds of trusted brands puts AI-assisted credential theft within reach of operators who could not previously build convincing impersonations at scale. Healthcare organizations whose staff use Google Workspace, Google Drive, or other Google-branded services are within the target profile. The Outsider kit specifically mimics trusted websites, and healthcare platforms and insurance portals are among the most consistently impersonated categories in credential theft campaigns. According to Paubox's 2026 Healthcare Email Security Report, 53% of breached healthcare organizations in 2025 used Microsoft 365, but Google Workspace adoption in healthcare is growing, and both platforms' brands are now documented targets for AI-generated impersonation campaigns. The 1.5 million Outsider URLs detected in six months give some scale to how far this single kit spread before legal action was filed.

 

FAQs

What makes a phishing kit that instructs buyers to use AI different from previous phishing kits?

Earlier phishing kits provided pre-built templates requiring some technical skill to deploy. A kit that instructs buyers to use conversational AI tools to generate new phishing pages on demand removes the need for any design or coding ability, allows rapid creation of unique pages that defeat template-matching detection, and makes the kit's output harder to attribute to a single campaign.

 

Why does hosting phishing sites on Google's own infrastructure help attackers?

Email security tools assess link reputation based on the hosting domain. Links pointing to Google Cloud or Google Drive carry a trusted reputation score that phishing pages hosted on unknown attacker-controlled domains would not. Buyers of the Outsider kit inherited that trust signal for free, increasing the probability that phishing emails containing those links would pass through security filters.

 

What is the legal basis for Google suing anonymous defendants it cannot fully identify?

US federal courts permit civil actions against anonymous defendants designated as "Does" when the plaintiff can demonstrate harm and has exhausted reasonable efforts to identify the parties. Courts can then issue emergency orders, domain seizures, injunctions, and asset freezes that disrupt the operation without waiting for full defendant identification. Subsequent discovery processes and cooperation with the FBI can then produce identifying information.

 

How does endorsing congressional anti-scam legislation fit into Google's legal strategy?

Civil lawsuits and infrastructure takedowns address individual operations but do not change the legal environment in which phishing-as-a-service operators work. Legislation that specifically criminalizes AI-assisted fraud and strengthens penalties for platform abuse would create additional deterrence and give prosecutors clearer statutory authority to pursue cases that cross international jurisdictions.

 

What should healthcare organizations do if they discover their brand or login portal is being impersonated in a phishing campaign?

Report the impersonation to the hosting platform, in this case, Google, Microsoft, or whichever provider is hosting the fraudulent page using their abuse reporting channels, which can trigger emergency takedowns within hours. Simultaneously report to the FBI's Internet Crime Complaint Center at ic3.gov and notify affected users through official channels to be alert to fake login pages using the organization's branding.