Google has taken decisive legal action against a group of China-based cybercriminals, filing a civil lawsuit in the Southern District of New York. The lawsuit targets the operators of “Lighthouse,” a massive Phishing-as-a-Service (PhaaS) platform. This criminal enterprise is accused of orchestrating a global scam that has ensnared over one million users and illegally amassed more than a billion dollars in revenue over three years.

How the Lighthouse Phishing Scheme Operates

The Lighthouse platform provides cybercriminals with a ready-made toolkit to conduct large-scale SMS phishing, or “smishing,” campaigns. The operation’s success hinges on social engineering, exploiting the trust consumers place in reputable brands like E-ZPass and the U.S. Postal Service (USPS). Potential victims receive deceptive text messages containing urgent lures, such as notifications about fake toll fees or pending package deliveries. These messages prompt users to click a malicious link, which leads them to a convincing but fraudulent website designed to steal their financial details, passwords, and other personal information.

Dismantling a Billion-Dollar Criminal Enterprise

While the phishing tactic itself is not new, the industrial scale of the Lighthouse operation sets it apart. The platform has enabled attacks on a global level, impacting users in at least 120 countries. According to Halimah DeLaine Prado, General Counsel at Google, the hackers deliberately “exploit the reputations of Google and other brands” to lend legitimacy to their scams. The lawsuit details how the platform utilized at least 107 fraudulent website templates that illegally incorporated Google’s branding and trademarks. By pursuing this civil lawsuit, Google aims not only to seek damages but also to disrupt and dismantle the core infrastructure of this highly profitable criminal network, protecting users from further harm.