
Google Takes Smishing Kingpin to Court

In a bold move that underscores how corporate cybersecurity strategy is extending into the courtroom, Google filed a civil lawsuit Wednesday in the U.S. District Court for the Southern District of New York against an anonymous group of roughly 25 individuals accused of running one of the largest SMS-phishing (“smishing”) operations on record.


The group, according to Google’s complaint, built and sold a phishing-as-a-service kit called Lighthouse, a turnkey platform that powered thousands of fraud campaigns across more than 120 countries.


Lighthouse: Phishing Goes Industrial


Unlike old-school phishing kits aimed at email inboxes, Lighthouse was engineered for SMS and RCS delivery. Google and independent researchers describe it as a professionalized “phishing-as-a-service” ecosystem where even novice scammers could select website templates mimicking trusted brands—including Google itself—deploy fake login pages, and collect stolen credentials in real time.


According to the filing, the scale was staggering:


  • Roughly 200,000 fake websites generated in just 20 days.


  • More than 1 million victims across 121 countries.


  • Between 12.7 million and 115 million credit-card credentials potentially compromised in the U.S. alone.


Investigators say the operation was largely based in China and coordinated over Telegram, with a sophisticated supply chain for recruitment and infrastructure management.


“With the rise in scams, it’s largely due to the action of organized-crime networks, and most of them are transnational,” said Halimah DeLaine Prado, Google’s general counsel. “The Lighthouse network has an enormous reach.”


Legal Strategy and Global Leverage


Google’s legal assault cites the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA). Beyond damages, the company seeks an injunction to compel telecoms, web hosts, and platforms to disrupt Lighthouse’s technical backbone.


“The idea is to prevent its continued proliferation, deter others from doing something similarly, as well as protect both the users and brands that were misused in these websites from future harm,” Prado said.


By filing in a U.S. court, Google hopes to project global deterrence. “Filing a case in the U.S. actually allows us to have a deterrent impact outside of the U.S. borders,” she added. “That court order can be used for good to help dismantle the actual infrastructure of the operation.”


Why Now? Smishing Has Become a Business Model


Once dismissed as a nuisance, smishing has evolved into a high-margin criminal enterprise. With corporate email systems hardened by filters and AI detection, cybercriminals have shifted to the mobile channel—where users are more likely to trust familiar brands and act quickly.


“The wider Chinese-speaking smishing actors and fraud ecosystem are continually evolving and growing, and they have been incredibly innovative at every step,” said one investigator familiar with the case.


Cofense, which tracks large-scale phishing infrastructure, called Lighthouse emblematic of a deeper transformation in the underground economy. “Phishing-as-a-service operations like Lighthouse have professionalized fraud,” a Cofense spokesperson said. “They’re lowering the barrier to entry for attackers and scaling deception faster than many organizations can respond.”


What Happens Next


Platform enforcement ripple: If Google secures a favorable judgment, other firms could use the precedent to request domain takedowns or message-blocking orders targeting smishing infrastructure.


Policy momentum: The company has voiced support for pending U.S. bills targeting robocall and scam networks—the GUARD Act, the Foreign Robocall Elimination Act, and the SCAM Act—signaling that tech firms are ready to fight fraud on both technical and legislative fronts.


Adversary adaptation: Even if Lighthouse is dismantled, researchers warn that copycats and forks will emerge—likely powered by generative AI, deepfake voices, and even “agentic” automated scam bots.


Brand-defense implications: For any organization that customers might expect to text them—banks, delivery companies, agencies—the lesson is clear: SMS impersonation is no longer fringe.


The Takeaway


Google’s lawsuit marks a turning point: a tech giant treating mobile phishing not just as a security incident but as a transnational criminal enterprise that demands legal and infrastructural disruption. Whether Lighthouse survives this assault is beside the point. The message to cybercriminals—and to industry alike—is unmistakable: the era of industrialized smishing has arrived, and the counterattack has gone legal.
