Google has filed a civil lawsuit in the US Southern District of New York against 25 individuals alleged to be behind a large-scale phishing-as-a-service operation known as Lighthouse. The company accuses a Chinese cybercriminal group of selling "phishing for dummies" kits that enable even inexperienced fraudsters to launch widespread SMS and e-commerce scams. These kits provide hundreds of templates for fake websites, domain setup tools, and other resources, allowing attackers to impersonate well-known brands, government agencies such as USPS, and toll collection firms, tricking victims into disclosing sensitive information like passwords and financial details.
The Lighthouse network, also referred to as part of the "Smishing Triad," is accused of targeting millions of people in over 120 countries, including a significant number of Americans. Google alleges that the group has generated over a billion dollars through these scams and has abused Google's logos and technology to increase the credibility of their fraudulent sites. The lawsuit represents one of the most high-profile legal actions against transnational smishing operations, highlighting the growing threat posed by organized cybercrime groups leveraging phishing-as-a-service platforms.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
10 events from the most recent confirmed update back to the earliest known activity.
On November 14, 2025, follow-up reporting said Google and outside researchers were seeing indications that Lighthouse text-scamming activity had been disrupted after the legal action. The reports suggested the lawsuit was already affecting parts of the group's infrastructure and operations.
By November 13, 2025, Google said the text-scamming operation had lost a cloud server, describing it as an early disruption following the lawsuit. The development was presented as an initial operational setback for Lighthouse infrastructure.
At the time of the lawsuit announcement, Google endorsed proposed U.S. legislation aimed at combating overseas scam and phishing operations, including the SCAM Act and related anti-fraud measures. The company framed the legal action as part of a broader policy push against transnational scam networks.
When announcing the lawsuit, Google said the broader Lighthouse enterprise had victimized more than 1 million people across roughly 120 countries and cited a DHS estimate of more than $1 billion in losses. Google also said the operation abused Google branding and services to facilitate fraud.
On November 12, 2025, Google filed a civil lawsuit in the U.S. District Court for the Southern District of New York against 25 alleged China-based operators of the Lighthouse phishing platform. The complaint seeks an injunction and damages under statutes including RICO, the Lanham Act, and the CFAA.
Google alleged in its lawsuit that the Lighthouse platform was capable of creating roughly 200,000 fraudulent websites in a 20-day period, underscoring the industrial scale of the phishing-as-a-service operation.
Cisco Talos reported that Lighthouse-linked smishing kits were being used in U.S. toll-road scam operations starting in October 2024. The campaigns relied on typosquatted domains and fake toll-payment pages targeting multiple states.
Resecurity first publicly reported on the Smishing Triad in August 2023, describing a global smishing operation distributing Lighthouse phishing kits via Telegram and using templates that impersonated organizations such as USPS, UPS, government entities, and telecom providers.
According to Google's complaint, Lighthouse operators impersonated the U.S. Postal Service across more than 32,000 phishing websites over a period beginning in July 2023. The infrastructure was used to support large-scale SMS phishing and credential theft.
Google alleges Lighthouse-linked smishing campaigns began compromising U.S. payment cards during a period starting in July 2023, with eventual exposure estimated at 12.7 million to 115 million cards. The campaigns used fake payment and login pages tied to delivery and toll-payment lures.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
20 references tracked. Mallory keeps watching after this page renders.
austinlarsen.me
Open sourcegovinfosecurity.com
Open sourcebankinfosecurity.com
Open sourcecyberscoop.com
Open sourcethehackernews.com
Open sourcetherecord.media
Open sourcecsoonline.com
Open sourceaustinlarsen.me
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.