A newly filed lawsuit targets a China-based cybercrime group accused of enabling over a million phishing attacks using Google’s own platforms and branding.
According to TechRadar, Google has filed a federal lawsuit in the Southern District of New York against an alleged Chinese cybercrime group known as Lighthouse Enterprise. The group is accused of operating a global phishing-as-a-service (PhaaS) platform that enabled the theft of up to $1 billion from over a million victims worldwide.
The lawsuit claims the Lighthouse phishing kit was used to create over 200,000 fake websites in just 20 days. These sites impersonated government agencies, financial institutions, and tech platforms, often including Google, and were used to trick users into revealing personal and financial information.
The phishing kit offered by Lighthouse included templates and tools advertised on platforms like Telegram and YouTube. It allowed even inexperienced criminals to run large-scale scams, including smishing (SMS phishing), fake e-commerce stores, and spoofed payment portals.
Researchers estimate that Lighthouse-powered attacks may have compromised between 12.7 million and 115 million U.S. credit cards. Common tactics included fake USPS delivery email alerts and toll payment scams, which redirected users to fake sites to harvest payment details. In some cases, stolen information was used to make unauthorized purchases via digital wallets.
Google says the fraud operation not only violated its terms of service but also misused its branding, ran deceptive ads through Google Ads, and uploaded scam tutorials to YouTube. The company claims it was forced to spend massive internal resources investigating and taking down accounts linked to the operation.
In the complaint, Google refers to the defendants as “Doe 1–25” because their real identities remain unknown. The company acknowledged that the actual number of individuals involved is likely much higher.
Google alleges the scammers damaged its reputation and security infrastructure by using its services to distribute phishing campaigns. The company also noted that while it has previously sued Chinese nationals for similar cybercrimes, enforcement is often limited due to the lack of extradition agreements.
The lawsuit comes as lawmakers and tech companies push for stronger tools to counter large-scale fraud operations. According to NPR, Google has publicly endorsed several bipartisan bills directed at strengthening law enforcement’s ability to disrupt international scam networks. The GUARD Act would let local agencies “use grant funding to investigate financial fraud targeting retirees,” while the Foreign Robocall Elimination Act would establish a task force to block overseas robocalls. Google also backed the SCAM Act, which seeks to develop a national strategy to counter “compounds where people are trafficked to work in scam operations.” These efforts reflect growing concern that phishing-as-a-service groups like Lighthouse exploit gaps in global enforcement, allowing anonymous actors to run billion-dollar fraud schemes with minimal risk of prosecution.
Phishing-as-a-service refers to ready-made tools and templates sold or shared by cybercriminals, allowing users to launch phishing campaigns without technical expertise.
Civil lawsuits allow companies like Google to seek injunctions, shut down malicious infrastructure, and publicly document criminal behavior, even if criminal prosecution is difficult.
Lighthouse-affiliated actors allegedly ran fraudulent Google Ads, uploaded scam tutorials to YouTube, and impersonated Google brands to gain user trust.
Phishing-as-a-service platforms distribute responsibility across many users and often operate anonymously across borders, making them difficult to dismantle through traditional legal or criminal channels.
Google has previously sued cybercriminals based in China and elsewhere, but enforcement remains limited, particularly when defendants reside in countries that do not extradite for cybercrime.