One Million Fake URLs. Fifty Dollars Each Would Have Been a Bargain.

A few months ago I started to write that the total cost of targeting one person with AI tools had dropped to about fifty dollars. A deepfake image, a cloned voice, a phishing page. Fifty dollars to come after a single human being.

Last week the FBI gave us the industrial version of that number.

Working with Google and Black Lotus Labs, the FBI dismantled a China-based phishing operation called Outsider Enterprise. The scale is worth saying slowly. More than nine thousand fake websites. Over one million malicious URLs. In a single two-week stretch in May, two and a half million scam text messages were sent to Android users alone.

The total damage estimate is around 1.9 billion dollars, and more than 3.8 million credit card records were exposed.

This was not a group of skilled hackers working through the night. It was a service. Phishing as a product, sold to customers through a Telegram bot, complete with test accounts and a Shopify storefront to collect the money. The criminals did not need talent. They needed a subscription.

That is the part I want people to sit with. The operation impersonated trusted brands like Google and sent fake messages across major US carrier networks, AT&T, T-Mobile, Verizon. The message looked real because AI made it look real, at a scale no human team could match. One million URLs is not something you write by hand. It is something you generate.

Here is what the takedown also shows. It took the FBI, Google, and a private threat intelligence lab working together to bring down one operation. One. The defenders won this round, and it required that much coordination to do it. Now ask how many operations like this are running that have not been found yet.

The old model of cyber defense assumes a human attacker you can eventually out-think. That assumption is gone. When the attack is generated, priced, and sold like software, the defense cannot stay manual.

So the question I keep coming back to is this. If the next message on your phone looked exactly like it came from your bank, your carrier, or your employer, what would actually tell you it was fake?

Not your password. Not your instinct. Something has to change in how we verify what is real.

That is the subject of Mythos AI Shock. The Kindle edition is free through June 17.

Steve Yun
Author, Mythos AI Shock

Sources
Boannews, June 15, 2026. FBI, in cooperation with Google and Black Lotus Labs, dismantles large-scale AI-driven phishing service. http://www.boannews.com/media/view.asp?idx=144119

Comments

Post a Comment

Popular posts from this blog

The Most Powerful AI in the World Just Went Offline. Here Is What That Means.

 The U.S. Government Just Banned Foreign Access to Mythos. Here Is What That Actually Means. On June 12, the U.S. Department of Commerce sent an urgent notice to Anthropic. The message was direct. Mythos 5 and Fable 5, the company's most advanced AI models, were now subject to export controls. All foreign nationals were to be cut off immediately. Not just users accessing the models from abroad. Foreign nationals inside the United States. Foreign employees working at Anthropic's own offices. All of them, blocked within hours of the order. Anthropic complied and shut the services down. The headline describes a government action. What the pattern behind it means is something different. The U.S. government does not invoke export controls against a software product without a specific trigger. According to Axios, a company came forward claiming it had found a way to bypass Mythos's safety barriers. The Commerce Department reviewed that claim and moved within hours. The admini...
Read more