Google sues Chinese SMS scammers behind Lighthouse phishing kit
Gugu Ntsele November 15, 2025
Google filed a lawsuit against 25 unnamed individuals believed to reside in China who operate Lighthouse, a phishing-as-a-service kit that has victimized over 1 million people through SMS scams impersonating brands like E-Z Pass and the U.S. Postal Service.
What happened
On Wednesday, Google filed a lawsuit in the U.S. District Court for the Southern District of New York against suspected Chinese cybercriminals behind Lighthouse, a "phishing for dummies" operation. The civil suit alleges the defendants violated the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act governing trademark law, and the Computer Fraud and Abuse Act. Google is seeking a temporary restraining order, damages, and court orders compelling hosting providers to block Lighthouse-connected IP addresses and fraudulent domains. The lawsuit targets those behind a smishing operation that floods victims with fake notifications about unpaid tolls or waiting packages. Some messages illegally use Google product logos and target Google customers. Google also endorsed three congressional bills aimed at combating fraud: the GUARD Act, Foreign Robocall Elimination Act, and SCAM Act.
Going deeper
The Lighthouse operation's scope:
- One firm tracked 200,000 Lighthouse-created websites that attracted more than 1 million victims across 121 countries during a 20-day period
- Between July 2023 and October 2024, Chinese smishing syndicates compromised between 12.7 million and 115 million payment cards in the United States alone
- Over that same timeframe, Lighthouse users launched 32,094 distinct U.S. Postal Service phishing sites
How the scam works: Criminals send text messages prompting recipients to click a link and share information such as email credentials and banking information. They exploit brand reputations by illegally displaying trademarks and services on fraudulent websites.
What was said
In the lawsuit filed in the U.S. District Court for the Southern District of New York, Google stated, "Defendants are a group of foreign cybercriminals who have engaged in relentless phishing attacks against millions of innocent victims, including Google customers, to steal personal and financial information. These attacks have collectively swindled innocent victims out of millions of dollars and harmed Google through the unauthorized use of its trademarks and services."
In a blog post announcing the suit, Google's general counsel Halimah DeLaine Prado wrote, "Legal action can address a single operation; robust public policy can address the broader threat of scams."
Google explained the scam methodology: "The scam is simple: criminals send a text message, prompting recipients to click a link and share information such as email credentials, banking information and more. They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites."
By the numbers
Lighthouse operation impact:
- Over 1 million victims targeted
- 25 unnamed defendants believed to reside in China
- 200,000 Lighthouse-created websites in a 20-day tracking period
- 121 countries where victims were located
- 12.7 million to 115 million payment cards compromised in the U.S. between July 2023 and October 2024
- 32,094 distinct U.S. Postal Service phishing sites launched during that same period
In the know
SMS phishing, or "smishing," combines the immediacy of text messaging with social engineering tactics to create urgency and prompt quick action from victims. The messages impersonate trusted organizations like postal services, toll authorities, or financial institutions to trick recipients into clicking malicious links and surrendering sensitive personal and financial information. The Chinese-operated syndicates behind these operations can scale their attacks by creating thousands of fraudulent websites and targeting millions of victims across multiple countries simultaneously.
Why it matters
Google's lawsuit represents a corporate attempt to disrupt foreign-based phishing operations. Over 100 million compromised payment cards in the U.S. alone show how phishing-as-a-service platforms have industrialized cybercrime, making attacks accessible to less technically skilled criminals. The case also highlights the challenge of combating cross-border cybercrime when perpetrators operate from jurisdictions like China where U.S. law enforcement faces limited reach. By seeking court orders to compel hosting providers to block Lighthouse infrastructure, Google is attempting to create barriers that could slow these operations even without apprehending the individuals behind them. The company's endorsement of three congressional bills signals recognition that individual lawsuits, while important, cannot fully address the threat posed by international scam operations targeting American consumers and businesses.
The bottom line
This lawsuit exemplifies how major tech companies are taking direct legal action against cybercriminals when traditional law enforcement faces jurisdictional limitations. Organizations must remain vigilant about protecting their brand identities from being exploited in phishing schemes, while individuals should maintain skepticism toward text messages requesting personal information, regardless of how legitimate they appear.
FAQs
What is the Lighthouse phishing kit?
Lighthouse is a phishing-as-a-service platform that lets criminals easily create fake websites for SMS scams.
Why did Google decide to file this lawsuit now?
Google took legal action to disrupt Lighthouse’s operations and prevent further brand misuse and victim targeting.
How does SMS phishing differ from email phishing?
SMS phishing, or “smishing,” uses text messages instead of emails to lure victims into revealing personal data.
What are the U.S. laws Google cited in its lawsuit?
The lawsuit invokes the RICO Act, the Lanham Act, and the Computer Fraud and Abuse Act.
How do Lighthouse scammers choose their targets?
They impersonate trusted organizations like toll authorities or delivery services to exploit public trust.
