Google Files Lawsuit Against China-Based “Lighthouse” Smishing Network in Landmark Cybercrime Action

Date: November 12, 2025

In a major legal escalation in the fight against global cyber-fraud, Google LLC has filed a civil lawsuit in the U.S. District Court for the Southern District of New York targeting a China-based cybercrime network dubbed “Lighthouse.” The complaint accuses the network of operating a large-scale “phishing-as-a-service” platform that facilitated text-message scams (so-called smishing) and the theft of massive volumes of personal and financial information.

Scope and scale of the alleged operation

According to Google’s filing, the Lighthouse network enabled cybercriminals to send deceptive SMS, RCS and iMessage messages impersonating trusted brands such as postal services, toll-collection agencies, banks and Google itself. The attack messages often alerted recipients to alleged “undelivered packages,” “toll violations” or urgent account issues, then directed them to fraudulent websites where they were tricked into disclosing credentials, credit-card information and one-time passcodes.

The lawsuit claims that over a 20-day span the network spawned approximately 200,000 fraudulent websites, and more broadly may have been used across 120 + countries. Google estimates that between 12.7 million and 115 million U.S. credit and banking cards could have been compromised through schemes facilitated by Lighthouse.

Mechanics of the Lighthouse platform

Google identifies Lighthouse as a subscription-based phishing toolkit sold to criminal actors. Features alleged in the suit include: hundreds of ready-made scam templates impersonating over 400 organizations (including more than 100 templates spoofing Google services such as Gmail, YouTube and Google Play); mass message-delivery infrastructure; backend dashboards for managing stolen credentials; dynamic domain rotation and IP filtering evasion capabilities to avoid detection.

The malware service model appears to have operated in tiers: data-brokers supplying target phone numbers, spammers delivering the messages, template developers building phishing sites, and payout infrastructure finalising stolen funds. Google asserts that Lighthouse marketed itself in underground forums, Telegram channels and YouTube ads, offering “weekly, monthly, seasonal, annual or lifetime” licenses to operators.

Legal strategy and precedent setting

The lawsuit (Case No. 1:25-cv-09421) lists “John Does 1–25” as defendants and brings claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act (trademark infringement) and the Computer Fraud and Abuse Act (CFAA). Although the defendants are anonymous and likely located outside U.S. jurisdiction, Google says the action is designed to enable the company to subpoena registrars, registries and hosting providers for domain- and IP-take-down, and set a precedent for tech-industry litigation against global fraud networks.

Impact on victims and consumer risk

The perpetrators duped unsuspecting recipients with familiar brand logos and text-message urgencies. Once victims clicked links, they were prompted to input sensitive information such as usernames, passwords, credit-card numbers and sometimes one-time codes—all of which allowed subsequent fraudulent access or funds transfer. Google’s complaint cautions that data from U.S. victims may now be entering dark-web markets or being used for card-fraud, account takeover and identity theft.

Consumer-advice experts emphasise the necessity of vigilance: unsolicited texts referencing tolls or packages should be treated with suspicion. Recipients are urged not to click links, verify sender authenticity, and use trusted vendor portals rather than SMS links for account issues.

What Google and policy makers are doing

Google states this legal action is part of a dual strategy: courtroom litigation plus advocacy for tougher anti-scam legislation. The company is backing three federal U.S. bills—the GUARD Act, the Foreign Robocall Elimination Act and the SCAM Act—designed to bolster law-enforcement cooperation, impose stricter services-provider obligations and increase penalties for overseas scam networks.

In its public statement, Google explained that the brand’s logos and ecosystems were being exploited by Lighthouse scam pages, thereby undermining consumer trust in Google services and posing reputational risk alongside fraud losses. Halimah DeLaine Prado, Google’s Chief Legal Officer, said the company will allocate engineering, legal and regulatory resources to dismantle the infrastructure used by the scam network.

Challenges ahead and international dimensions

One key challenge is the transnational nature of the operation. Lighthouse is believed to operate primarily out of China (and potentially other jurisdictions such as Cambodia or Southeast Asia) where U.S. extraterritorial enforcement is limited. Even so, Google’s complaint aims to establish legal grounds for third-party compliance (registrars, telecoms, payment processors) and act as a deterrent to other service-providers who might enable scam infrastructure.

Court observers note that while obtaining a judgment is one step, enforcement of injunctions, domain seizures and asset recovery will involve cooperation across multiple jurisdictions. Analysts say the case may prompt other large tech firms to pursue similar lawsuits, shifting the balance in favour of proactive private-sector disruption of phishing networks.

Defensive guidance for organisations and consumers

From an enterprise perspective, the case highlights the risks of global smishing campaigns and underscores the need for corporate-SMS risk management, RCS/spam filtering, employee education and incident-response readiness for credential theft. For consumers, practical steps include enabling spam-filtering on messaging apps, using official apps rather than SMS-delivered links for account actions, enabling multi-factor authentication and reporting suspicious texts to telecom providers.

Takeaway

Google’s lawsuit against Lighthouse marks a significant escalation in tech-industry efforts to combat large-scale smishing operations. By targeting not only end-users but the service-platform enabling the fraud, the company is signalling that phishing-as-a-service networks will face legal and regulatory pressure. While dismantling such global criminal ecosystems remains complex, the action may shift cost and risk lines for future offenders and offers a model for other platform-holders to pursue similar disruption campaigns.