Google has filed a civil suit in the U.S. District Court for the Southern District of New York against China-based operators of a large Phishing-as-a-Service (PhaaS) platform called Lighthouse, alleging the network has ensnared over 1 million victims across 120 countries and generated more than $1 billion in illicit revenue over three years. The complaint seeks to dismantle the platform’s infrastructure using civil remedies under RICO, the Lanham Act, and the Computer Fraud and Abuse Act.
What Lighthouse does, at scale
Lighthouse is a commercial PhaaS kit that simplifies large-scale SMS phishing, also known as smishing. Operators license turnkey templates that impersonate trusted brands, including Google, E-ZPass, and USPS, to lure victims with fake toll fees, package delivery notices, and similar pretexts. Google’s legal filing identified at least 107 template pages that misuse Google branding, often presenting fraudulent sign-in screens to harvest credentials and payment data.
Marketed like a legitimate product, Lighthouse offers tiered subscriptions, with templates priced from about $88 for a one-week license to roughly $1,588 for an annual plan. Security researchers and industry telemetry indicate the PhaaS ecosystem, which includes platforms such as Darcula and Lucid, is tightly connected, enabling syndicates to launch thousands of smishing messages via Apple iMessage and RCS-capable Google Messages.
Scope of impact and criminal ecosystem
Independent research has tied Lighthouse and Lucid to more than 17,500 phishing domains targeting 316 brands across 74 countries. Industry reporting estimates that Chinese smishing operations may have compromised between 12.7 million and 115 million payment cards in the U.S. alone between July 2023 and October 2024. Attack techniques have also matured, with tools like Ghost Tap enabling fraudsters to add stolen card details to mobile wallets on iPhones and Android devices.
PhaaS platforms support an entire underground supply chain, from template marketplaces to disposable infrastructure, including bulk domain registration and reseller networks that sell access to criminal buyers. Smishing syndicates such as Smishing Triad are among the groups known to exploit these kits, registering hundreds of thousands of malicious domains while mimicking banks, delivery services, government agencies, toll operators, and cryptocurrency platforms.
Google’s legal and practical goals
Google’s lawsuit frames Lighthouse not merely as a collection of malicious pages, but as an organized commercial enterprise that profits from trademark misuse, fraud, and large-scale deception. By suing under RICO and trademark law, Google aims to:
- disrupt the criminal infrastructure that hosts and distributes phishing templates,
- seize or take down domains and payment mechanisms tied to the service,
- hold platform operators and facilitators legally accountable for enabling fraud.
Google’s action also seeks to pressure service providers and hosting intermediaries by providing a legal lever to take down abusive sites more rapidly than typical takedown requests allow.
Why this matters for organizations and users
The case highlights a broader threat vector that combines social engineering, mobile messaging protocols, and commodity crimeware. Because smishing leverages widely used messaging channels, it scales quickly and can be difficult to block with conventional email security controls. For individuals and organizations, the key risks include credential theft, payment card fraud, and account takeover, often followed by further abuse of compromised accounts.
Mitigation advice includes:
- treat unsolicited SMS messages requesting urgent payment or personal details as suspicious, and verify through official channels,
- avoid clicking links in unexpected messages; use the verified app or vendor site instead,
- enable multi-factor authentication on accounts where possible, and prefer passkeys or hardware security keys,
- monitor payment activity and enable bank alerts for unusual charges,
- organizations should monitor domain registrations and brand abuse, and work with registrars to speed takedowns.
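One way to act on the last item, shown as an added example that is not part of the original article or of Google's filing: a triage pass over a feed of newly registered domains that flags names imitating the brands the article lists. The lure words, the allowlist, the scoring and the sample feed are assumptions made for illustration.

```python
import re

BRANDS = ("google", "ezpass", "usps")        # brands the article names as impersonated
LURES = ("toll", "pay", "parcel", "delivery", "login", "verify")  # assumed lure words
ALLOW = {"google.com", "usps.com"}           # assumption: your verified legitimate domains
LEET = str.maketrans("013457", "oleast")     # common digit-for-letter swaps

SAMPLE_FEED = [                              # constructed sample input, not real data
    "e-zpass-toll-pay.example", "g00gle-account-verify.example",
    "gooogle.example", "mail.google.com", "weather-report.example",
]

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_hits(domain):
    """Return the set of brands a domain appears to imitate."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOW or any(domain.endswith("." + d) for d in ALLOW):
        return set()
    labels = domain.split(".")[:-1]          # drop the TLD
    tokens = [t.translate(LEET) for l in labels for t in re.split(r"[-_]", l) if t]
    squashed = "".join(tokens)               # undoes hyphen splitting such as e-zpass
    hits = set()
    for brand in BRANDS:
        # substring match, or a one-character typo of the brand in a single token
        if brand in squashed or any(
                len(t) >= 5 and edit_distance(t, brand) == 1 for t in tokens):
            hits.add(brand)
    return hits

def triage(domains):
    """Map each flagged domain to (brands, score): 2 per brand, +1 for a lure word."""
    out = {}
    for d in domains:
        hits = brand_hits(d)
        if hits:
            lure = any(w in d.lower() for w in LURES)
            out[d] = (sorted(hits), 2 * len(hits) + lure)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_FEED))
```

Short brand strings such as "usps" will match inside unrelated words, so treat the output as a review queue for analysts rather than a blocklist.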


