The FBI, working with Google and the security firm Black Lotus Labs, has shut down one of the largest online scam factories on record: a China-based operation with roughly 9,000 fake websites, more than one million URLs built to steal cards and passwords, and an estimated trail of 3.8 million stolen credit card records and $1.9 billion in losses. It was called Outsider Enterprise and had been running since at least 2023.
The number that matters isn't the loss. It's the "one million". For years, the advice against phishing (the messages and pages that impersonate a trusted brand to steal your data) was always the same: look carefully, check the address, find the padlock, watch for the clumsy wording. That advice rested on a quiet assumption we never said out loud: that a fake site is rare and laborious to build. Not anymore. When the factory churns out a million disposable addresses, no amount of human attention is enough. You catch one, a thousand more are born.
How the factory works
The model is called phishing-as-a-service: fraud sold as a subscription. The attacker doesn't need to know how to code or build anything; they rent the kit ready-made, with the sites, the URLs, and even a support bot on Telegram. Outsider Enterprise put artificial intelligence to work writing the messages and mass-producing the pages, impersonating well-known brands in texts sent across the carriers' networks. In just two weeks of May, 2.5 million messages were fired at Android phones. Google, which also took the operation to court, speaks of hundreds of thousands of victims.
The response matched the target. As part of Operation Riptide, the FBI seized the administration servers, a Shopify storefront used to test the kits and roughly $100,000 in cryptocurrency from the payment wallets, and redirected thousands of domains to an FBI page. It's a real win and deserves to be called one. But it's a win over one instance, not over the method.
Portugal is no exception
This isn't an American problem. In Portugal, smishing (phishing by SMS) is already routine: the fake postal message asking for a customs fee, the fake loyalty-card alert about "expiring points", the fake bank. The Judicial Police recently arrested two foreign nationals in an SMS fraud operation, "Token Out", seizing cryptocurrency along the way; the public security police and the consumer association have warned about spoofed numbers in these scams. The same factory that hits the United States today serves any other market tomorrow, and translation is the cheapest step of all.
The image that helps you see what changed is the chain of custody. For years we asked the user to be the checkpoint, to examine each link the way you would examine a piece of evidence. Except the evidence is now manufactured in bulk and thrown away by the second. You don't ask a person to validate a million pieces of evidence a day. The checkpoint has to move off your eyes and into the architecture: into the system that refuses the stolen credential even when you have already fallen for it.
How to protect yourself
The defence that holds at this scale already exists, and the best part is that it doesn't ask you to detect anything:
- Never act on a link received by SMS. If the message claims to be your bank or the postal service, close it and open the app or official site yourself, your own way.
- Turn on phishing-resistant two-step verification. Passkeys (access keys that replace the password) and physical security keys simply don't work on the wrong site, no matter how perfect it looks.
- Use a password manager. It only fills your credential on the genuine domain; on a fake site it stays silent, and that silence is your warning.
- Treat every password as unique. If a fake page captures one, it can't open any other door.
- Report it. Forward the suspicious SMS and report it to your national police or cybersecurity centre. Every report helps wipe out the next million faster.
The FBI did the hard work, and did it well. But the lesson for you isn't to learn to catch links faster than a machine can make them. It's to stop depending on catching them at all.
Source: Bleeping Computer.
#StaySafe
🙏🖖
