Google files lawsuit to dismantle alleged China-based smishing network Lighthouse

Google filed a lawsuit seeking to shut down an alleged phishing-as-a-service network that targeted millions of Americans with scam text messages designed to steal personal and financial information. The operation, known as “Lighthouse,” allegedly generated hundreds of millions of dollars for cybercriminals and created a massive infrastructure for large-scale smishing campaigns.

The complaint, filed Wednesday in the U.S. Southern District of New York, named 25 unidentified individuals who allegedly operated the Lighthouse enterprise. Google, a global technology company that provides search, cloud services, and consumer software, stated that the group ran what it described as a sprawling scheme that sent millions of fraudulent texts urging recipients to click malicious links.

The network allegedly operated from China and provided what functioned as a turnkey system for cybercriminals. Lighthouse allegedly sold monthly subscriptions for SMS and e-commerce software that included hundreds of templates designed to mimic banks, government agencies, toll systems, and delivery services. Those templates allegedly helped scammers build convincing phishing pages that captured email logins, credit card information, banking credentials, and other sensitive data.

The operation reached significant scale. In a 20-day period, Lighthouse allegedly generated 200,000 fraudulent websites that drew more than a million potential victims. An April analysis showed a 604 percent rise in scam texts claiming unpaid toll fees, a trend consistent with Lighthouse-enabled campaigns. Estimates indicated that the scheme compromised between 12.7 million and 115 million credit cards in the United States.

Google stated that Lighthouse also misused the company’s branding to increase the credibility of the scams. Investigators identified at least 107 website templates that featured Google logos on sign-in screens designed to appear legitimate. Google’s general counsel, Halimah DeLaine Prado, wrote that the practice misled the public and abused the company’s systems and infrastructure.

Details outlined in the lawsuit described what allegedly occurred when victims clicked a link. A scammer would log into a Lighthouse account using a login page displaying a Google logo and use a dashboard to send texts claiming, for example, that the U.S. Postal Service required a fee to complete a delivery. The link in the message would direct the recipient to a spoofed USPS page that requested personal and payment details. The page allegedly captured keystrokes, allowing scammers to obtain information even if a victim hesitated before submitting. The stolen data then appeared directly on the Lighthouse dashboard. Similar tactics allegedly targeted toll collection systems such as E-ZPass, financial institutions, and major retailers.

The lawsuit alleged violations of the Racketeer Influenced and Corrupt Organizations Act, as well as fraud and trademark infringement laws. Google stated that the identities of the defendants remained unknown but were believed to be based in China. The company asked the court to declare Lighthouse illegal, which would allow other technology providers to block the group’s operations, though such a ruling would not guarantee that the network would be fully dismantled.

Google sought to use the legal action as part of a broader effort to curb large-scale smishing schemes that continued to proliferate across the United States.