Google Sues Cybercrime Group Behind Global SMS Phishing Scams
Key Takeaways
- Google files lawsuit against Lighthouse cybercrime group operating Phishing-as-a-Service
- Group created 200,000+ fake websites targeting millions of users globally
- Scams impersonated banks, courier services, and government portals
- Lighthouse allegedly exposed up to 115 million US credit cards
Google has taken legal action against the Lighthouse cybercrime group, accusing them of running massive SMS phishing operations that targeted users worldwide through sophisticated fake websites and stolen corporate logos.
The lawsuit reveals Lighthouse operated a “Phishing-as-a-Service” model, selling user-friendly kits that enabled even technically unskilled criminals to create convincing fake websites. These sites mimicked legitimate entities including nationalized banks, major courier services like Blue Dart and DTDC, and government portals including post offices and regional transport offices.
Massive Scale of Operation
According to court documents, Lighthouse established approximately 200,000 rogue websites in just 20 days, attracting over one million potential victims. The operation may have exposed between 12.7 million and 115 million credit cards in the United States alone.
The phishing kits included sophisticated tracking capabilities that captured user keystrokes even before victims clicked “submit,” ensuring private information was stolen regardless of user hesitation.
Deceptive Tactics Exposed
Lighthouse allegedly used Google’s own logo on spoof login pages to gain credibility. Scammers could log into a dashboard to send messages impersonating organizations like USPS or toll collection services, luring users to input sensitive details on convincing fake pages.
Victims typically received texts claiming small fees were needed to complete deliveries or resolve urgent matters. Every keystroke – from names to credit card numbers – was recorded and appeared on the scammer’s Lighthouse dashboard in real-time.
Legal Strategy and Objectives
Google’s lawsuit accuses Lighthouse of violating the Racketeer Influenced and Corrupt Organizations (RICO) Act, along with fraud and trademark infringement laws. The company argues its reputation was harmed when its name and logo were used to mislead victims.
The complaint lists 25 unnamed “Doe defendants” believed to be part of Lighthouse, with Google suspecting the network operates primarily from China, though exact identities remain unknown.
Broader Industry Impact
Google’s General Counsel Halimah DeLaine Prado stated Lighthouse caught the company’s attention due to the scale and rapid growth of its phishing services this year. Google tracked the group’s activities on Telegram and YouTube, where they allegedly used public channels for recruitment and customer support before both platforms removed the accounts.
Phishing-as-a-Service operations represent a growing challenge for the tech industry, democratizing cybercrime by making sophisticated tools accessible to scammers with minimal technical knowledge. This lawsuit marks one of Google’s most aggressive steps to date in disrupting organized cybercrime that exploits its platforms and brand.
