Identity & Access Management
,
Litigation
,
Security Operations
More Than 1M Victims Affected Globally
Tech giant Google sued the Chinese-speaking operators of a phishing-as-a-service operation in what it hopes will be a first step to deterring the prolific service behind hundreds of thousands of fraudulent websites used to steal credentials from millions of victims.
See Also: OnDemand Webinar | AI & Automation for Compliance Strategy: Trends, Measures & Regulations
The Lighthouse phishing is an offering from a Chinese financially-motivated group known as the Smishing Triad. Google calls the group the “Lighthouse Enterprise.”
The company sued in Manhattan federal civil court 25 individuals it accused of developing and administering the platform, identifying targets, inundating victims with SMS spam messages and using stolen credentials to steal money from compromised bank accounts or obtain sensitive information from sources such as email inboxes.
Access to Lighthouse gives cybercriminals access to phishing templates, site-building tools and tools to send out malicious SMS messages allowing low-skill operators to impersonate major brands, including Google. Analysts tracking the activity say Lighthouse has produced more than 100 counterfeit website templates copying Google login, Gmail, YouTube and Google Play interfaces.
The lawsuit accuses the Lighthouse Enterprise of stealing up to 115 million credit cards from U.S. payment card holders. From July 2023 to October 2025, its operators impersonated the U.S. Postal Service on more than 32,000 separate phishing websites.
The individual defendants – Google only knows their online handles, not their real names – are likely beyond the reach of U.S. courts. But the tech giant is asking the court for a ruling prohibiting third parties from actively supporting the platform. “Filing a case in the U.S. actually allows us to have a deterrent impact outside of the U.S. borders,” a Google executive told Wired. An injunction favoring Google’s petition could “be used for good to help dismantle the actual infrastructure of the operation.”
The platform rotates infrastructure rapidly and uses evasion features to minimize exposure to browser warnings or Safe Browsing flags, enabling campaigns to resume with minimal downtime.
Smishing Triad has also offered other phishing-tool providers such as Dracula and Lucid. The group uses high-volume text distribution to reach victims through Apple iMessage and Google Messages’ RCS features. Researchers said operators pair large data sets with regional templates to deliver messages that align with targets’ locations and service providers.
In parallel with the legal action, Google called for passage legislation beefing up law enforcement response to phishing.
Google previously said cross-border smishing operations scale faster than current enforcement mechanisms can respond. In a November 2024 policy note, the company said stronger public-private coordination is needed, stating that expanded collaboration would allow governments “to more effectively investigate and dismantle criminal scam networks.”
The company said it has strengthened internal safeguards, including automated detection of suspicious links, improved filtering in Google Messages and expanded support options for compromised accounts.
