Malik Haidar stands at the intersection of high-level threat intelligence and corporate defense, having spent years navigating the complex digital battlefields of multinational enterprises. His perspective is uniquely grounded in both the technical minutiae of exploit chains and the broader business implications of systemic fraud. Today, he breaks down the recent legal and tactical offensive against the “Outsider” phishing network, a China-based syndicate that has effectively industrialized the use of generative artificial intelligence to defraud millions.
This conversation explores the disturbing efficiency of the Phishing-as-a-Service (PhaaS) model and how AI agents like Gemini are being manipulated to bypass traditional security filters. We examine the hierarchical structure of modern cybercrime enterprises—spanning from developers to money launderers—and analyze the massive financial impact of campaigns that have resulted in nearly two billion dollars in losses. Haidar also provides insight into the collaborative law enforcement efforts, such as Operation Ghost Hook, that are necessary to dismantle these global networks.
How are modern cybercriminals weaponizing generative AI agents to create deceptive environments that even savvy users might fall for?
The most alarming shift we are seeing is the transition from crude, poorly worded scams to highly polished, professional-looking fraudulent pages generated by AI. By framing their prompts as harmless requests for programming assistance, these actors instruct models like Gemini to build HTML for “gift redemption pages” or “brokerage account alerts” using specific technical constraints like inline CSS and no JavaScript. This isn’t just about speed; it is about creating a “shell” website that looks indistinguishable from a legitimate institution’s branding. When a victim receives a text about a “mobile phone carrier reward” or a “brokerage issue,” the visual fidelity of the site they land on is often enough to bypass their natural skepticism. The cold reality is that the Outsider kit provided 290 of these pre-built templates, ensuring that once the AI-generated code was pasted in, the deception was almost perfect.
What does the “Phishing-as-a-Service” model reveal about the accessibility and commercialization of high-level cybercrime tools today?
We have reached a point where the barrier to entry for a novice fraudster has been almost entirely removed. For as little as a week or a flat 0 a month, a criminal with zero programming knowledge can purchase a license through a self-service bot on Telegram and launch a global campaign. This commercialization means that the “Outsider” network isn’t just a group of hackers; it is a business providing a plug-and-play dashboard for other criminals. They even offer real-time keystroke logging, allowing a subscriber to watch as a victim types in their bank credentials or credit card number. It turns the act of digital theft into a mundane, subscription-based administrative task, which is a terrifying evolution in the threat landscape.
Could you break down the organizational structure of a group like the Outsider Enterprise and why this division of labor is so effective?
The efficiency of the Outsider Enterprise comes from its highly specialized five-tier structure, which mirrors a legitimate multinational corporation. You have the Developer Group building the software and templates, and the Data Broker Group which provides the curated lists of potential targets to ensure the messages land in the right hands. The heavy lifting of distribution is handled by the Spammer Group, who sent 2.5 million messages to Android users in just a two-week window between May and June of 2026. Once the credentials are harvested, the Theft Group handles the “monetization”—laundering the funds and moving stolen data. This specialization allows each group to perfect their craft, making the entire machine much harder to disrupt than a single, centralized threat actor.
With over 1.5 million fraudulent URLs identified in a short window, how do we begin to grasp the sheer scale of the damage inflicted by these networks?
The numbers associated with this single network are staggering and represent a massive amount of human misery. Between July 2023 and the present, this specific platform is estimated to have facilitated the theft of 3,870,000 credit cards, leading to approximately $1.9 billion in total losses. If you look at the activity between November 2025 and April 2026, they managed to deploy over 1.59 million fraudulent URLs. It’s a literal flood of deception; in one two-week period, 55,000 spam texts were flagged by Android users alone. This volume ensures that even if only a tiny fraction of a percent of people click the link, the “Enterprise” still walks away with millions of dollars.
What is your assessment of the recent law enforcement actions, such as Operation Ghost Hook, in terms of their long-term impact on global cybercrime?
Operation Ghost Hook is a significant victory because it went after the infrastructure and the money, rather than just the individual messages. By seizing $100,000 in USDT from payment wallets and rerouting thousands of phishing domains to an FBI splash page, authorities are disrupting the “trust” and the financial incentive within the criminal ecosystem. Using the network’s own Telegram bot to gather information on its customers was a brilliant tactical move that turns the criminals’ tools against them. However, while dismantling a network like Outsider or the previously seen Lighthouse platform is a win, these actors are resilient. As long as the PhaaS model remains profitable and AI tools are available, we will see new iterations of these groups emerge, meaning our defensive strategies must be just as modular and persistent as their attacks.
What is your forecast for the future of AI-driven phishing?
I expect to see an even deeper integration of AI that moves beyond just generating static HTML code and into the realm of real-time conversational manipulation. We will likely see bots that can engage in two-way SMS or voice communication, mimicking the exact tone and urgency of a bank representative or a technical support agent. As these tools become cheaper—even less than the $88 weekly fee we saw with Outsider—the volume of these attacks will likely triple or quadruple within the next two years. The only way to counter this is through the same partnership we saw in this case, where tech giants like Google work alongside carriers and federal agencies to block the messages at the network level before they ever reach a consumer’s screen.