FBI Disrupts AI-Powered Phishing Service Behind One Million Malicious URLs
BREACH | Jun 17, 2026 | 4 min read

The FBI, working alongside Google and Black Lotus Labs, has dismantled a large-scale Chinese phishing-as-a-service operation called Outsider Enterprise, according to BleepingComputer. The platform used AI to generate and manage thousands of phishing websites designed to steal credit card data and passwords. The takedown was announced in mid-June 2026.

What Happened

Outsider Enterprise operated as a phishing-as-a-service platform, meaning it sold ready-made phishing infrastructure to other criminals. At its peak, the operation leveraged roughly one million URLs spread across thousands of individual phishing sites. Attackers using the service could impersonate legitimate brands, lure victims to convincing fake pages, and harvest login credentials and payment information at scale.

What made this operation notable was its use of AI tooling to produce and rotate phishing content rapidly, making it harder for traditional blocklists to keep up. The coordinated response from the FBI, Google's threat intelligence teams, and Black Lotus Labs was needed to identify, track, and ultimately disrupt the infrastructure behind the campaign.

Why This Matters to Small Teams

Phishing-as-a-service platforms lower the barrier for attackers significantly. A criminal no longer needs technical skill to run a sophisticated phishing campaign. They rent the infrastructure, pick a target brand, and launch. That means your users, your customers, and even your own team members are potential targets regardless of how small or obscure your product is.

For solo developers and startup founders, the threat takes a few specific shapes. Your domain or brand can be spoofed without your knowledge, eroding customer trust even though you did nothing wrong. Your team members may receive highly convincing phishing emails targeting the SaaS tools you rely on: cloud providers, payment processors, or code repositories. If credentials are stolen through a third-party phishing page, attackers can pivot into your systems quickly.

AI-generated phishing content is also harder to spot by eye. The grammar is clean, the logos look right, and the URLs are designed to be plausible. Relying on humans to catch these emails is no longer a reliable defense on its own.

How to Stay Protected

  1. Enable phishing-resistant multi-factor authentication (MFA) everywhere. Passkeys and hardware security keys are the most effective option. Authenticator-app TOTP is better than SMS. Even if credentials are stolen, phishing-resistant MFA blocks account takeover at the login step.

  2. Monitor for domain spoofing. Set up alerts for newly registered domains that closely resemble yours. Tools like dnstwist or commercial brand-monitoring services can flag typosquatted or lookalike domains before attackers scale their campaigns.

  3. Configure DMARC, DKIM, and SPF on your domain. These email authentication records make it significantly harder for attackers to send convincing email that appears to come from your domain. A strict DMARC policy (p=reject) provides the strongest protection.

  4. Audit which third-party services have access to your critical accounts. Reduce your OAuth footprint. Revoke integrations you no longer use. A phished credential on one connected tool can expose more than just that account.

  5. Train your team to verify unexpected login prompts. If someone receives an email asking them to log in to a service, the safest habit is to navigate directly to the known URL rather than clicking any link in the email.

  6. Check if your domain or employee emails appear in credential breach databases. Knowing early that credentials are circulating gives you time to force password resets before attackers act.
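
As an illustration of step 3, the following added example (not part of the original post or of any UNPWNED tooling) audits SPF and DMARC TXT records offline and lists the settings that leave a domain spoofable. The domains and records in `SAMPLES` are constructed for the example; in practice the strings would come from a TXT lookup on the domain and on `_dmarc.<domain>`.

```python
# Constructed sample TXT records (not real DNS data), keyed by hypothetical domain.
SAMPLES = {
    "strict.example": ("v=spf1 include:_spf.mailhost.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
    "weak.example": ("v=spf1 include:_spf.mailhost.example ~all", "v=DMARC1; p=none"),
    "bare.example": (None, None),
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(record):
    """Findings for the TXT record at _dmarc.<domain>; empty list means strict."""
    if record is None:
        return ["DMARC: no record published"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing v=DMARC1 tag"]
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy}, spoofed mail is not rejected")
    # sp= overrides p= for subdomains, so a weaker sp= reopens the gap.
    elif tags.get("sp", "reject").lower() != "reject":
        findings.append(f"DMARC: sp={tags['sp']}, subdomains get a weaker policy")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']}, policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua=, aggregate reports are not collected")
    return findings

def audit_spf(record):
    """Findings for the domain's SPF TXT record; empty list means hard fail."""
    if record is None:
        return ["SPF: no record published"]
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    final = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if final == "-all":
        return []
    if final is None:
        return ["SPF: no 'all' mechanism (check any redirect= target)"]
    return [f"SPF: uses {final}, unlisted senders are not hard-failed"]

def audit_domain(spf, dmarc):
    return audit_spf(spf) + audit_dmarc(dmarc)
print({domain: audit_domain(*recs) for domain, recs in SAMPLES.items()})
```

An empty list for a domain means both records enforce a hard fail; DKIM is not covered because checking it requires the selector name, which is not discoverable from the domain alone.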

How UNPWNED Helps

UNPWNED scans your public-facing website for misconfigured or missing security controls that make you an easier target. Relevant checks include email authentication records such as DMARC, DKIM, and SPF, which directly limit how easily your domain can be used in phishing campaigns against your customers or partners. Our scanner also surfaces missing security headers and other baseline hygiene issues that indicate your site may not be hardened against web-based credential attacks. While no scanner can detect whether your brand is being spoofed on an external server, getting your own domain's defenses right is a concrete first step.


This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.
