Google filed a lawsuit against 25 unnamed individuals believed to reside in China who operate Lighthouse, a phishing-as-a-service kit that has victimized over 1 million people through SMS scams impersonating brands like E-Z Pass and the U.S. Postal Service.
On Wednesday, Google filed a lawsuit in the U.S. District Court for the Southern District of New York against suspected Chinese cybercriminals behind Lighthouse, a "phishing for dummies" operation. The civil suit alleges the defendants violated the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act governing trademark law, and the Computer Fraud and Abuse Act. Google is seeking a temporary restraining order, damages, and court orders compelling hosting providers to block Lighthouse-connected IP addresses and fraudulent domains. The lawsuit targets those behind a smishing operation that floods victims with fake notifications about unpaid tolls or waiting packages. Some messages illegally use Google product logos and target Google customers. Google also endorsed three congressional bills aimed at combating fraud: the GUARD Act, Foreign Robocall Elimination Act, and SCAM Act.
The Lighthouse operation's scope:
How the scam works: Criminals send text messages prompting recipients to click a link and share information such as email credentials and banking information. They exploit brand reputations by illegally displaying trademarks and services on fraudulent websites.
In the lawsuit filed in the U.S. District Court for the Southern District of New York, Google stated, "Defendants are a group of foreign cybercriminals who have engaged in relentless phishing attacks against millions of innocent victims, including Google customers, to steal personal and financial information. These attacks have collectively swindled innocent victims out of millions of dollars and harmed Google through the unauthorized use of its trademarks and services."
In a blog post announcing the suit, Google's general counsel Halimah DeLaine Prado wrote, "Legal action can address a single operation; robust public policy can address the broader threat of scams."
Google explained the scam methodology: "The scam is simple: criminals send a text message, prompting recipients to click a link and share information such as email credentials, banking information and more. They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites."
Lighthouse operation impact:
SMS phishing, or "smishing," combines the immediacy of text messaging with social engineering tactics to create urgency and prompt quick action from victims. The messages impersonate trusted organizations like postal services, toll authorities, or financial institutions to trick recipients into clicking malicious links and surrendering sensitive personal and financial information. The Chinese-operated syndicates behind these operations can scale their attacks by creating thousands of fraudulent websites and targeting millions of victims across multiple countries simultaneously.
Google's lawsuit represents a corporate attempt to disrupt foreign-based phishing operations. Over 100 million compromised payment cards in the U.S. alone show how phishing-as-a-service platforms have industrialized cybercrime, making attacks accessible to less technically skilled criminals. The case also highlights the challenge of combating cross-border cybercrime when perpetrators operate from jurisdictions like China where U.S. law enforcement faces limited reach. By seeking court orders to compel hosting providers to block Lighthouse infrastructure, Google is attempting to create barriers that could slow these operations even without apprehending the individuals behind them. The company's endorsement of three congressional bills signals recognition that individual lawsuits, while important, cannot fully address the threat posed by international scam operations targeting American consumers and businesses.
This lawsuit exemplifies how major tech companies are taking direct legal action against cybercriminals when traditional law enforcement faces jurisdictional limitations. Organizations must remain vigilant about protecting their brand identities from being exploited in phishing schemes, while individuals should maintain skepticism toward text messages requesting personal information, regardless of how legitimate they appear.
Lighthouse is a phishing-as-a-service platform that lets criminals easily create fake websites for SMS scams.
Google took legal action to disrupt Lighthouse’s operations and prevent further brand misuse and victim targeting.
SMS phishing, or “smishing,” uses text messages instead of emails to lure victims into revealing personal data.
The lawsuit invokes the RICO Act, the Lanham Act, and the Computer Fraud and Abuse Act.
They impersonate trusted organizations like toll authorities or delivery services to exploit public trust.