Summary: Google has filed a lawsuit in the U.S. District Court for the Southern District of New York against a China-based cybercriminal group accused of running the “Lighthouse” phishing-as-a-service platform. The kit enabled large-scale smishing attacks worldwide, stealing financial data from millions of victims and generating billions in illicit profits.
⚖️ Legal Action
The lawsuit names 25 unidentified Chinese hackers linked to Lighthouse. Google is pursuing charges under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA). The case marks one of the most aggressive legal moves by a tech giant against a phishing-as-a-service operation.
📱 The Lighthouse Kit
Lighthouse offered cybercriminals ready-made templates and fake websites mimicking trusted brands. Victims were targeted through SMS phishing campaigns, tricked into entering sensitive data such as credit card details and login credentials. Investigators say the kit facilitated:
- More than 115 million stolen credit card numbers in the U.S.
- Over 600 phishing websites, including 116 impersonating Google
- Illicit revenues exceeding $1 billion
🌍 Global Reach
The phishing network has impacted users in over 120 countries, exploiting the reputations of global brands to maximize credibility. Victims ranged from individual consumers to businesses, making Lighthouse one of the largest smishing operations ever documented.
🛡️ Google’s Response
Google’s general counsel, Halimah DeLaine Prado, said the company is determined to protect users and hold cybercriminals accountable. The lawsuit is part of Google’s broader strategy to disrupt phishing networks and push for stronger international cooperation against cybercrime.
🔎 Industry Context
Security experts warn that phishing-as-a-service platforms are reshaping the cybercrime landscape by lowering barriers for entry. The Lighthouse case highlights the need for legal, technical, and diplomatic measures to counter industrial-scale cyberattacks.
