On November 12, 2025, Google took a dramatic step in the ongoing battle against cybercrime, filing a landmark federal lawsuit targeting a sprawling China-based cybercriminal network known as "Lighthouse." The group, which has been dubbed the "Smishing Triad" by cybersecurity researchers, is accused of orchestrating one of the largest text-message phishing (or "smishing") operations ever seen—a campaign that has targeted more than one million victims across over 120 countries, including the United States.
According to CBS News, Google’s lawsuit alleges that Lighthouse operates a sophisticated "Phishing-as-a-Service" platform. This service provides would-be scammers with the tools and templates needed to launch mass text-message attacks. The texts, often disguised as urgent notifications from trusted brands like E-ZPass, the U.S. Postal Service, or even Google itself, direct recipients to fake websites designed to steal sensitive information. The messages might warn of a "stuck package" or an "unpaid road toll," urging recipients to click a link and resolve the supposed issue. In reality, these links lead to sites that harvest passwords, Social Security numbers, banking credentials, and credit card information.
Halimah DeLaine Prado, Google’s general counsel, explained the scale and sophistication of the operation in an interview with CNBC: "They were preying on users' trust in reputable brands such as E-ZPass, the U.S. Postal Service, and even us as Google. The 'Lighthouse' enterprise or software creates a bunch of templates in which you create fake websites to pull users' information."
Google’s complaint, filed under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA), targets unknown operators listed as John Does 1 through 25. The lawsuit seeks to dismantle Lighthouse’s infrastructure and set a legal precedent for how organized cybercrime can be tackled using laws traditionally reserved for mafia-style racketeering.
The numbers involved are staggering. Google estimates that the Lighthouse network has compromised between 12.7 million and 115 million U.S. credit card numbers, with global financial losses reaching as high as $1 billion. The company found more than 100 fake websites using its own branding, and at least 107 sign-in screen templates designed to dupe users into sharing their credentials. According to data cited in the lawsuit from cybersecurity firm Silent Push, the "Smishing Triad" created 200,000 fake websites, which received up to 50,000 visits per day, compromising millions of credit cards in just a 20-day period.
But the operation goes even deeper. As CNBC reported, around 2,500 members of the syndicate coordinated on a public Telegram channel—recruiting new scammers, sharing advice, and maintaining the Lighthouse software. The group was organized into specialized teams: a "data broker" group supplied lists of potential victims, a "spammer" group handled the mass SMS messages, and a "theft" group coordinated the use of stolen credentials.
Despite the lawsuit’s ambitious scope, Google acknowledges the challenges ahead. Many of the alleged perpetrators are based overseas, particularly in China and other countries with limited extradition agreements. "It will be very hard for Google to go after cybercriminals overseas since a lot of them also operate in countries like Cambodia, where there are limited extradition laws," Kevin Gosschalk, CEO of cybersecurity firm Arkose Labs, told CBS News. "But it does mean the individuals behind those things will not be able to travel to the U.S. in the future, so it does add extra risk."
For Google, the motivation behind the lawsuit is clear: deterrence. "The goal is deterrence," DeLaine Prado told NPR. "Even if we can't get to the individuals, the idea is to deter the overall infrastructure in some cases." She emphasized that the lawsuit is not about recovering losses for victims, but about disrupting the ecosystem that allows such scams to thrive and signaling to other would-be criminals that these activities will not go unchallenged.
Google’s litigation is just one part of its broader strategy. The company is also actively supporting a trio of bipartisan bills in Congress designed to bolster the fight against cyber scams. The first, the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, would empower state and local law enforcement to use federal grant funding to investigate financial fraud targeting retirees. The second, the Foreign Robocall Elimination Act, aims to establish a task force to block illegal robocalls originating from overseas. The third, the Scam Compound Accountability and Mobilization (SCAM) Act, seeks to develop a national strategy to counter scam compounds and provide support to survivors of human trafficking forced to work in scam operations.
"From the courtroom to the Capitol, we are taking action to stop these attacks. But this is a shared fight," DeLaine Prado wrote in a statement published by Fox News. "While we take on criminal networks and advocate for stronger laws, we are also building smarter, AI-driven tools to help you spot and avoid these scams. Together, we can make the digital world a much harder place for criminals to do business."
To help users protect themselves, Google has rolled out new safety features such as a Key Verifier tool and AI-powered spam detection in its Messages app. The company also advises users to avoid clicking on suspicious links or replying to unknown messages. Simple steps like enabling "Filter Unknown Senders" and "Filter Junk" on iPhones, or activating Spam Protection on Android devices, can help filter out malicious texts—though users should periodically check their spam folders to ensure legitimate messages aren’t missed.
Google’s legal offensive comes at a time when the tech giant is facing its own regulatory challenges. The company is currently embroiled in antitrust lawsuits related to its search and advertising businesses. Yet, as DeLaine Prado pointed out to NPR, the fight against cybercrime is central to Google’s mission to protect user trust: "We're concerned about the damage to user trust and not knowing what websites are safe."
As cybercriminal tactics evolve at breakneck speed, Google’s lawsuit against Lighthouse marks a significant escalation in the battle to secure the digital landscape. Whether the effort succeeds in dismantling the network or simply makes cybercrime a riskier proposition for would-be scammers, the message is unmistakable: the world’s largest tech companies are no longer content to play defense.
