
Google Sues AI-Powered Phishing Ring That Weaponized Its Own Cloud Services

Martin Holloway, published 5d ago, 5 min read, based on 1 source

Google filed a civil lawsuit on June 12, 2026, in a New York federal court against a cybercrime group it calls the "Outsider Enterprise," which the complaint says has been using an AI-assisted phishing kit to steal login credentials at scale (Reuters).

The complaint invokes the civil provisions of RICO, a racketeering statute more often wielded by prosecutors, alongside trademark claims. The pairing signals Google's intent to treat the defendants as an organized criminal enterprise rather than as isolated bad actors. Civil RICO lets a private plaintiff sue when it can show a pattern of racketeering activity conducted through an enterprise, and a successful plaintiff can recover treble damages, which is part of what makes the statute attractive to a company rather than a prosecutor.

The core of the scheme is a phishing kit — a toolkit that creates fake login pages mimicking legitimate websites. What sets the Outsider kit apart is its use of AI to generate these convincing forgeries at scale. Instead of manually crafting each fake page, the kit uses AI to produce realistic-looking credential-harvesting sites in bulk and with higher fidelity than commodity phishing tools. The group also hosted malicious content on Google Cloud and Google Drive, leveraging Google's own infrastructure to deliver their attacks.

This detail matters operationally. When phishing pages sit on hosts such as storage.googleapis.com or drive.google.com, they inherit Google's reputation, and they sail past filters that flag unknown or low-reputation domains as suspicious. For security teams whose mail filters or cloud access controls allowlist Google's domains wholesale, a common practice, that creates a policy bind: block the host and break legitimate work, or allow it and accept that anyone with a Google account can publish a credential-harvesting page there. The Outsider kit appears designed to exploit exactly that tension.

Google's use of civil RICO here follows a pattern the company has established before, notably in lawsuits against botnet operators and ad-fraud schemes. What is different this time is the explicit identification of AI-assisted tooling as a central component of the criminal operation. How courts will treat that distinction, and whether "used AI" carries separate legal weight from "used scripting and automation," remains unclear. The answer could shape how liability is assigned and, downstream, whether this case sets precedent for AI-assisted criminal enterprise.

The civil route offers a practical advantage that criminal prosecution alone does not. A civil judgment can produce court orders compelling hosting providers, domain registrars, and infrastructure companies to act, often faster than a parallel DOJ or FBI investigation. Google used this approach in 2023 against the CryptBot malware, obtaining orders that let the company directly dismantle the malware's distribution network. A similar outcome here could mean forced takedown of the spoofed domains and termination of the cloud accounts hosting the kit without waiting for a criminal conviction.

The broader trend is clear: phishing kits are becoming more sophisticated. Large language models have lowered the skill needed to write convincing, grammatically correct lure emails and fake pages tailored to different regions and languages. Attackers have also learned that staging payloads on trusted providers (Google, Microsoft, Amazon, Cloudflare) defeats reputation-based controls, precisely because defenders cannot simply blocklist those platforms. The Outsider Enterprise sits at the intersection of both trends.

For security teams, the immediate takeaway is to audit how broadly Google's domains are allowlisted. A blanket allowlist for *.google.com or *.googleapis.com with no path-level or behavior-based controls behind it exposes exactly the surface this kit was built to exploit. Effective defense layers several controls: a path-aware link policy that treats user-uploaded content on trusted hosts differently from Google's own first-party pages, browser isolation (rendering the page in a sandbox), real-time link analysis at click time, and a user reporting channel for suspected phishing. None of these alone stops infrastructure abuse.
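As an added example (not code from the article, from Google, or from the complaint), here is the path-aware link triage that the audit above and the earlier policy-bind discussion call for. The trusted suffixes, the (host, path-prefix) pairs that mark user-uploaded content, and the sample links are all constructed assumptions for illustration, not a vendor-published list. The point it demonstrates is that a naive host allowlist passes every Google-hosted link, while a path-aware policy routes the user-hosted ones to isolation or link analysis and still rejects lookalike hosts and userinfo tricks.

```python
"""Path-aware triage of links that land on trusted cloud hosts.

Added example, not code from the original article or from Google. The host
and path patterns below are illustrative assumptions, not a maintained list.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: links as a mail filter might extract them from one message.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin/v2/identifier",
    "https://support.google.com/accounts/",
    "https://drive.google.com/file/d/1AbCdEfGhIjKlMnOpQrStUvWxYz/view",
    "https://drive.google.com/uc?export=download&id=1AbCdEf",
    "https://storage.googleapis.com/acme-invoices-2026/login.html",
    "https://sites.google.com/view/acme-sso-portal",
    "https://docs.google.com/forms/d/e/1FAIpQL/viewform",
    "https://evil.example/google.com/login",              # path lookalike
    "https://accounts.google.com.evil.example/signin",    # subdomain lookalike
    "https://drive.google.com@evil.example/file/d/x/view",  # userinfo trick
]

# Assumption: the domains a blanket allowlist trusts wholesale.
TRUSTED_SUFFIXES = ("google.com", "googleapis.com")

# Assumption: (host, path prefix) pairs under which the content is uploaded by an
# arbitrary account holder, so the host's reputation says nothing about the page.
USER_CONTENT_PATHS = [
    ("drive.google.com", "/file/d/"),
    ("drive.google.com", "/uc"),
    ("storage.googleapis.com", "/"),      # every bucket object is customer content
    ("sites.google.com", "/view/"),
    ("docs.google.com", "/forms/"),
    ("docs.google.com", "/document/d/"),
]


@dataclass(frozen=True)
class Verdict:
    url: str
    action: str   # "allow", "isolate", or "block"
    reason: str


def host_of(url):
    """Lowercase hostname from the URL, or '' if it has none (userinfo is dropped)."""
    return (urlsplit(url).hostname or "").lower()


def host_is_trusted(host):
    """Exact or subdomain match against the trusted suffixes; no substring matching."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def naive_domain_allowlist(url):
    """The blanket policy the article warns about: trust the host, ignore the path."""
    return host_is_trusted(host_of(url))


def classify(url):
    """Path-aware policy: block untrusted hosts, isolate user-hosted content, allow the rest."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host_is_trusted(host):
        return Verdict(url, "block", f"host {host!r} is outside the trusted suffixes")
    for rule_host, prefix in USER_CONTENT_PATHS:
        if host == rule_host and parts.path.startswith(prefix):
            return Verdict(url, "isolate", f"user-hosted content under {rule_host}{prefix}")
    return Verdict(url, "allow", "first-party page on a trusted host")


def triage(urls):
    """Count verdicts for a batch of links."""
    counts = {"allow": 0, "isolate": 0, "block": 0}
    for verdict in map(classify, urls):
        counts[verdict.action] += 1
    return counts


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        v = classify(link)
        naive = "pass" if naive_domain_allowlist(link) else "drop"
        print(f"{v.action:8} naive={naive:4} {link}  ({v.reason})")
    print("path-aware:", triage(SAMPLE_LINKS))
    print("naive allowlist passes:", sum(map(naive_domain_allowlist, SAMPLE_LINKS)))
```

On the constructed sample the naive allowlist passes seven of ten links, including all five user-hosted ones; the path-aware policy allows only the two first-party pages, sends the five user-hosted links to isolation or click-time analysis, and blocks the three lookalikes. The host check deliberately matches on a dot boundary so that accounts.google.com.evil.example is not trusted, and it reads the parsed hostname rather than the raw netloc so a userinfo prefix cannot smuggle a trusted name in front of the real host. Links without a scheme fall to "block", which is the safe default for a mail filter.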

Google's decision to file and publicize this lawsuit also serves as a warning to other threat actors: abusing the company's cloud services to attack users will trigger both technical disruption and legal action. How far that warning carries is unclear. The Outsider defendants have not been publicly identified by name, which suggests the investigation, whether led by Google alone or in coordination with law enforcement, is still ongoing.