
Google Sues 'Outsider Enterprise' Over AI-Powered Phishing Operation

By Martin Holloway

Google filed a civil lawsuit on June 12, 2026, in a New York federal court against an organized cybercrime group it calls the "Outsider Enterprise," targeting operators of an AI-assisted phishing kit that has been abusing Google's own infrastructure to harvest credentials at scale. (Reuters)

The complaint invokes both RICO statutes and trademark law — a pairing that signals Google intends to pursue the defendants as a structured criminal enterprise, not merely as individual bad actors. RICO, typically the instrument of prosecutors, is available to civil plaintiffs when they can demonstrate a pattern of racketeering activity connected by a common enterprise. Trademark claims layer on top, addressing the kit's systematic impersonation of Google's own brand alongside hundreds of other trusted domains.

The Outsider phishing kit — the operational core of the alleged enterprise — spoofs a wide range of legitimate websites to manufacture convincing credential-harvesting pages. What distinguishes it from commodity phishing toolkits is the use of AI to automate and refine that mimicry: realistic lure pages that previously required manual effort can apparently be generated at volume and with greater fidelity. The group also abused Google Cloud and Google Drive as delivery and hosting infrastructure, routing malicious content through services that carry implicit trust signals for end users and security tooling alike.

That last detail carries operational weight. When phishing lures are hosted on *.googleapis.com or *.drive.google.com endpoints, they inherit a degree of brand legitimacy and, critically, they can bypass reputation-based URL filters that would flag unknown or low-reputation domains. Security teams whose secure email gateway (SEG) or cloud access security broker (CASB) policies allowlist Google's infrastructure face a direct policy conflict: block the domain and break legitimate productivity workflows; permit it and absorb the risk. The Outsider kit appears to have been deliberately engineered to exploit that tension.

Worth flagging: Google using civil RICO in this context is not unprecedented — the company has invoked similar legal frameworks in prior suits against botnet operators and ad fraud rings — but the explicit callout of AI tooling as a component of the scheme is newer terrain, legally speaking. Whether "used AI tools" can be meaningfully distinguished in court from "used scripting and automation" will depend on how Google's complaint characterizes the specific capabilities involved. That distinction matters for how courts might frame liability and, further downstream, for whether the lawsuit establishes any precedent around AI-assisted criminal enterprise.

The civil route also serves a purpose that criminal referrals cannot. A civil judgment can yield injunctions that compel hosting providers, registrars, and infrastructure intermediaries to act — sometimes faster than a parallel DOJ or FBI process. Google has used this mechanism effectively in the past; the CryptBot lawsuit in 2023, for example, produced court orders that let Google directly disrupt the malware's distribution infrastructure. A similar outcome here could mean forced takedowns of the spoofed domains and revocation of the abused cloud accounts without waiting for a criminal conviction.

The broader context is a measurable acceleration in phishing kit sophistication. Large language models have reduced the skill floor for producing convincing, localized, grammatically fluent lure content. Adversarial use of trusted cloud infrastructure — not just Google's, but Microsoft's, Amazon's, and Cloudflare's — has become a documented evasion technique precisely because defenders cannot simply blocklist those providers. The Outsider Enterprise, as described, sits at the intersection of both trends.

For security practitioners, the immediate operational note is to audit how tightly scoped your outbound trust policies are for Google-origin URLs. Generic allowlisting of *.google.com or *.googleapis.com without path- or behavior-based controls is the attack surface this kit was built to exploit. Defense-in-depth here means layering browser isolation, sandboxed link evaluation, and user-reported phishing pipelines on top of domain-reputation filters — none of which alone is sufficient against infrastructure-abuse techniques.
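To make the scoping point concrete, here is an added example (not code from the article, Reuters, or Google) contrasting a wildcard Google allowlist with one that routes Google hosts serving account-holder-uploaded content to sandboxed link evaluation instead of granting an automatic pass. The suffix list, the set of user-content hosts and the sample links are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Suffixes a coarse SEG/CASB allowlist might treat as trusted.
# Illustrative set for this example, not taken from Google's complaint.
GOOGLE_SUFFIXES = (".google.com", ".googleapis.com")

# Google hosts whose response bodies come from whoever holds an account or
# bucket: reputable origin, attacker-controllable content. Assumed list.
USER_CONTENT_HOSTS = {
    "drive.google.com",          # shared files
    "docs.google.com",           # docs and forms
    "storage.googleapis.com",    # Cloud Storage buckets
}

def is_google_host(host: str) -> bool:
    """True for the apex or any subdomain of an allowlisted suffix.
    The leading dot keeps 'evil-google.com' from matching."""
    host = host.lower().rstrip(".")
    return any(host == s[1:] or host.endswith(s) for s in GOOGLE_SUFFIXES)

def weak_policy(url: str) -> str:
    """Wildcard allowlist: any Google-origin link is delivered untouched."""
    host = urlsplit(url).hostname or ""
    return "ALLOW" if is_google_host(host) else "REPUTATION_CHECK"

def hardened_policy(url: str) -> str:
    """Same trust in Google's domains, but scoped by host: content that an
    arbitrary account holder controls is rendered in sandboxed link
    evaluation first instead of inheriting the domain's reputation."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not is_google_host(host):
        return "REPUTATION_CHECK"
    if host in USER_CONTENT_HOSTS:
        return "SANDBOX"
    return "ALLOW"

def triage(urls):
    """Compare both policies over a batch of links extracted from mail."""
    return {u: (weak_policy(u), hardened_policy(u)) for u in urls}

# Constructed sample links of the kind a gateway extracts from inbound mail.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://drive.google.com/file/d/EXAMPLE_ID/view",
    "https://storage.googleapis.com/example-bucket/login.html",
    "https://evil-google.com/login",
    "https://drive.google.com@evil.example/login",   # userinfo lookalike
]

if __name__ == "__main__":
    for url, (weak, hard) in triage(SAMPLE_LINKS).items():
        print(f"{weak:17}{hard:17}{url}")
```

The last sample shows why the check must run on the parsed hostname rather than a substring match: the URL's real host is `evil.example`, so neither policy should pass it on Google's reputation.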

Google's willingness to file and publicize this suit also functions as a deterrent signal to the broader threat actor ecosystem: abusing the company's own cloud services to attack its users will draw not just technical countermeasures but legal ones. How far that deterrent reaches is an open question. The Outsider defendants are not yet publicly identified by name, which suggests the investigation — whether solely Google's or in coordination with law enforcement — is still active.