Google Sues Chinese Phishing Service Over Gemini Abuse
Google has filed a lawsuit against a Chinese phishing-as-a-service provider accused of using its Gemini AI to generate over 1.59 million scam URLs, victimizing more than 100,000 people.
Google has filed a lawsuit against a Chinese phishing-as-a-service provider accused of abusing its Gemini AI system to generate and customize scam websites at scale. The complaint alleges the service produced more than 1.59 million phishing URLs and victimized over 100,000 people through credential and financial theft. The case highlights how threat actors are weaponizing generative AI tools to automate and enhance cyberattacks.
The lawsuit targets an entity described as a Chinese phishing-as-a-service operation that taught customers how to use Gemini to create convincing phishing pages. According to Google, the service provided templates and instructions for crafting scam websites that mimicked legitimate brands, making them difficult for users to distinguish from authentic sites. The scale of the operation is staggering, with over 1.5 million malicious URLs generated, many of which were used in SMS and email campaigns.
The phishing kits leveraged Gemini's ability to generate realistic text and layouts, allowing even low-skilled attackers to produce professional-looking scams. Victims were tricked into entering credentials, financial information, and other sensitive data, which was then harvested and used for identity theft or sold on underground markets. Google's security teams detected the abuse through its automated threat detection systems and traced the infrastructure back to the Chinese service.
This lawsuit is part of Google's broader effort to combat AI-powered cybercrime. The company has invested heavily in AI safety and security, including developing tools to detect and block AI-generated phishing content. However, the case underscores the dual-use nature of generative AI: the same technology that powers helpful applications can be repurposed for malicious ends.
The phishing-as-a-service model is a growing trend, where cybercriminals offer turnkey solutions for launching attacks, lowering the barrier to entry. By integrating AI, these services can produce highly personalized and convincing phishing campaigns at scale. Google's legal action aims to disrupt this ecosystem and send a message that abusing AI for fraud will not be tolerated.
Google is seeking damages and an injunction to shut down the operation. The company has also reported the activity to law enforcement and is working with industry partners to identify and mitigate the impact. Users are advised to remain vigilant against phishing attempts, especially those that appear unusually polished or personalized.
The case highlights the urgent need for robust AI governance and cross-border cooperation to address the misuse of generative AI. As AI tools become more accessible, the potential for abuse grows, requiring proactive measures from technology companies, regulators, and law enforcement.
Google's lawsuit, filed in Manhattan federal court, reveals that the Outsider Enterprise operates as a structured network of five specialized groups—Developer, Data Broker, Spammer, Theft, and Telegram—and that the phishing kit includes over 290 pre-built templates, real-time keystroke logging, and a performance dashboard. The complaint details how Gemini was weaponized via prompts framed as harmless requests for HTML code to design a 'gift redemption page,' with the AI generating the fraudulent site code that was then deployed through Outsider. Google is partnering with AT&T, T-Mobile, and Verizon to block the scam messages, and the FBI's Cyber Division has publicly condemned the operation.