Google files lawsuit against Lighthouse ‘phishing for dummies’ text scammers
Google on Wednesday filed a lawsuit against pesky text message scammers — like those who flood targets with notices that they have unpaid road tolls, or have a package waiting — in an attempt to disrupt a “phishing for dummies” operation the company accuses of victimizing more than 1 million people.
The lawsuit against 25 unnamed individuals believed to reside in China takes aim at those behind the phishing-as-a-service kit known as Lighthouse and its “staggering” scale.
“Defendants are a group of foreign cybercriminals who have engaged in relentless phishing attacks against millions of innocent victims, including Google customers, to steal personal and financial information,” the lawsuit filed in the U.S. District Court for the Southern District of New York reads. “These attacks have collectively swindled innocent victims out of millions of dollars and harmed Google through the unauthorized use of its trademarks and services.”
Google alleges that the defendants violated multiple laws in their SMS phishing, or “smishing,” operation: the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act that governs trademark law and the main federal anti-hacking statute, the Computer Fraud and Abuse Act. Some of the smishing messages make use of Google product logos, and target Google customers.
The civil suit seeks a temporary restraining order and damages against the unnamed individuals. Google is asking the court to compel hosting providers to block Lighthouse-connected IP addresses and fraudulent domains from using those services. The company also hopes that it can help raise user awareness by filing the suit.
Other organizations have tracked the scope of Lighthouse and its ilk. One firm found that in a 20-day period, 200,000 Lighthouse-created websites attracted more than 1 million victims in 121 countries.
Another said that between July 2023 and October 2024, Chinese smishing syndicates compromised between 12.7 million and 115 million payment cards in the United States alone. Over that same timeframe, Google’s suit states, Lighthouse users also launched 32,094 distinct U.S. Postal Service phishing sites.
“The scam is simple: criminals send a text message, prompting recipients to click a link and share information such as email credentials, banking information and more,” Google explained in a blog post announcing the suit. “They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites.”
In addition to the lawsuit, Google on Wednesday endorsed three bills from House and Senate members to combat fraud. Those bills are the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, which would permit state and local law enforcement to use federal grants to investigate financial scams aimed at retirees; the Foreign Robocall Elimination Act, which would create a task force to fight foreign-originated robocalls; and the Scam Compound Accountability and Mobilization (SCAM) Act, which would direct an executive branch national strategy to counter scam compounds.
“Legal action can address a single operation; robust public policy can address the broader threat of scams,” Halimah DeLaine Prado, general counsel for Google, wrote in the blog post.
