On November 12, 2025, Google filed a civil lawsuit in the U.S. District Court for the Southern District of New York against a group of 25 anonymous individuals allegedly running a massive China-based text-message phishing operation known as Lighthouse. According to the complaint, Lighthouse operates a “phishing-as-a-service” (PhaaS) platform that has generated around 200,000 fake websites, impersonating trusted entities like the U.S. Postal Service, toll roads, banks, and even Google itself. Lighthouse is accused of scamming over a million victims across more than 120 countries, and of compromising between 12.7 million and 115 million U.S. credit cards alone — turning what might look like a suspicious “package delivery” or “unpaid toll” text into a massive, organized cyber-fraud operation. Google is seeking injunctions and damages under laws including the RICO Act, the Lanham Act, and the Computer Fraud and Abuse Act, while also backing legislative efforts to strengthen anti-scam protections.
Sources: Krebs on Security, Reuters
Key Takeaways
– The Lighthouse operation reportedly created ~200,000 fraudulent websites in a short span, using “phishing-as-a-service” software to make large-scale scams accessible to low-tech criminals.
– By posing as trusted institutions (postal services, toll roads, banks, Google itself), Lighthouse allegedly tricked over 1 million people worldwide and compromised millions of U.S. credit cards — showcasing how smishing can be far more dangerous than random spam.
– Google’s lawsuit aims not only to dismantle this particular network, but also to set a legal precedent under U.S. racketeering, trademark and computer-fraud laws. The company is also actively pushing for broad bipartisan legislation to help prevent similar schemes in the future.
In-Depth
In what may prove to be a landmark legal and cybersecurity showdown, Google has moved beyond blocking scam emails and spam websites — the company is now going on offense. On Nov. 12, 2025, Google filed suit in federal court in New York against 25 unnamed defendants alleged to be part of a sprawling smishing network called Lighthouse. Rather than targeting just a few bad actors, the lawsuit aims to uproot an entire criminal business model: phishing-as-a-service.
Lighthouse allegedly sold ready-made phishing kits — with hundreds of templates mimicking everything from government postal agencies and toll authorities to banks, e-commerce retailers, and Google services like Gmail and Google Play. For a monthly subscription fee, “customers” of Lighthouse gained access to a fully built scam infrastructure: disposable domains, fake sign-in pages, automated SMS distribution, and backend tools to harvest usernames, passwords, credit-card data, and one-time verification codes. The results, according to Google’s filings: roughly 200,000 fraudulent sites in use over just a few weeks, with phishing messages blasting across SMS, RCS, and other messaging platforms — targeting more than 1 million potential victims in over 120 countries. In the United States alone, the group is accused of compromising between 12.7 million and 115 million credit-card records.
The typical pitch looks innocuous — a text about a missed package delivery, an unpaid toll, or a refund due. But the link leads to a convincing fake website where victims might enter billing or personal data. Once the scammers obtained payment credentials, they could drain cards, launder funds, or resell the data — all while hiding behind pseudonyms like “John Doe 1–25.”
Google’s legal team is invoking the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act — statutes normally used against organized crime, trademark infringement, and hacking. The goal: shut down Lighthouse’s infrastructure, disable its domains and servers, and deter would-be scammers from joining or building similar services. With trademark issues (scammers using Google’s branding) in play, the company aims not only to protect consumers but to defend its own brand integrity.
But the risks are broader than just brand damage. As phishing and smishing continue to evolve, such industrialized scam operations can scale indefinitely — making everyday consumers and even businesses vulnerable. Experts warn that even if Lighthouse is dismantled, other groups may quickly fill the void, perhaps with more sophisticated techniques.
That’s why Google’s lawsuit is only part of the strategy. The company is also lobbying Congress to pass bipartisan legislation aimed at cracking down on foreign-based scam operations. Proposed bills like the GUARD Act, the Foreign Robocall Elimination Act, and the SCAM Act would give law enforcement and regulators more tools to hold international scammers accountable, strengthen consumer protections, and potentially impose harsher penalties on organized smishing and robocall rings.
For those receiving unexpected texts — claiming postal or delivery issues, unpaid fees, or urgent refunds — the practical advice remains unchanged: don’t click links; don’t reply; and when in doubt, contact the entity directly through verified channels.
In effect, Google is signaling this may be the beginning of a new front in the ongoing war against cybercrime: rather than just patching holes, big tech may start leading coordinated legal and policy-based efforts to dismantle the underlying criminal infrastructure.