Google has sued a cybercrime group called Lighthouse for running global SMS phishing scams using fake websites and stolen logos.
Lighthouse allegedly sold “Phishing-as-a-Service” kits that helped criminals create fake bank, courier, and government pages to steal personal and financial data.
Google aims to dismantle the network and set a legal precedent to help other tech firms and law enforcement fight large-scale online scams.
Google has filed a lawsuit against an alleged cybercrime group named Lighthouse. The organisation is accused of operating a vast SMS phishing, or smishing, network that has targeted users globally. The tech giant’s complaint suggests Lighthouse runs a ‘Phishing-as-a-Service’ model, which democratises cybercrime by selling user-friendly ‘phishing kits’. These kits reportedly empower technically unskilled criminals to create convincing fake websites masquerading as legitimate entities such as nationalised banks, major courier services like Blue Dart or DTDC, or even official government services, perhaps mimicking a post office or a regional transport office (RTO) portal. The ultimate aim is to trick users into revealing critical personal and financial data, often through texts about unpaid fees, failed deliveries, or other urgent scams familiar to the Indian audience. Google aims to dismantle this operation that fuels large-scale digital deception.
SurveyHow Lighthouse allegedly operated
According to Google, Lighthouse had been charging its customers a monthly subscription in exchange for SMS software and e-commerce software, complete with hundreds of pre-designed website templates emulating the look of legitimate institutions in an effort to dupe users into revealing personal and payment information.
In only 20 days, the network reportedly established approximately 200,000 rogue websites that attracted over one million potential victims. According to Google, this may have exposed between 12.7 million and 115 million credit cards in the United States alone.
The complaint also reveals that the phishing pages allegedly from Lighthouse tracked user keystrokes, meaning that even if a user hesitated and didn’t hit “submit”, private information could be captured and sent to scammers.
Also read: Apple iOS 26.2 roll out timeline, key features, compatible devices and all other key details
Using fake Google and USPS pages to trick victims
One of the tactics that Lighthouse used was employing Google’s logo on spoof login pages to gain credibility. Scammers could log into its dashboard, send out messages impersonating organisations like USPS or toll collection services, and lure users to input details on spoofed pages.
For example, victims might get a text saying the USPS needed a small fee to complete a delivery. The link would go to a very convincing mock-up of a USPS site, and every keystroke from name to credit card number would be recorded and appear on the scammer’s Lighthouse dashboard.
The same approach was allegedly used to impersonate financial institutions, retail brands, and government portals in order to make such scams appear very genuine and urgent.
Also read: iPhone, iPad, Mac users alert! Govt warns of critical Apple bugs that could expose your data
Google’s legal response and claims to the cybercrime group
Google’s lawsuit accuses Lighthouse of violating the Racketeer Influenced and Corrupt Organisations (RICO) Act, along with laws against fraud and trademark infringement. The company says its name and logo were used on fake websites, harming its reputation and misleading victims into believing the scams were legitimate.
The lawsuit lists 25 unnamed defendants, referred to as “Doe defendants”, believed to be part of Lighthouse. Google suspects the network operates primarily from China but says the exact identities of those involved remain unknown.
Also read: What is Landfall spyware, and how to protect your Samsung Galaxy phones from it
What Google hopes to achieve from this lawsuit against cybercrime group
Beyond stopping Lighthouse, Google’s broader goal is to get a court declaration that the group’s operations are illegal. This would enable other technology companies to remove Lighthouse-related tools and help law enforcement agencies gather more information through discovery.
In an interview with The Verge, Google’s General Counsel Halimah DeLaine Prado said that Lighthouse caught the company’s attention due to the scale and rapid growth of its phishing services this year. Google reportedly tracked Lighthouse’s activities on Telegram and YouTube, where it allegedly used public channels for recruitment and customer support. Both platforms have since removed the related accounts.
Growing challenge for tech companies
Phishing-as-a- Service operations, like Lighthouse, have become a large problem for the tech industry. By making phishing tools more accessible, these networks allow scammers, even ones with minimal technical knowledge, to commit large-scale fraud.
The lawsuit is among the most aggressive steps to date by Google to disrupt organised cybercrime group that have exploited the company’s platforms and brand. Whether this will help track down the individuals behind Lighthouse is yet to be seen, but it marks a hardening stance against the growing wave of digital scams that are targeted at everyday users.
Follow Us
Bhaskar Sharma
Bhaskar is a senior copy editor at Digit India, where he simplifies complex tech topics across iOS, Android, macOS, Windows, and emerging consumer tech. His work has appeared in iGeeksBlog, GuidingTech, and other publications, and he previously served as an assistant editor at TechBloat and TechReloaded. A B.Tech graduate and full-time tech writer, he is known for clear, practical guides and explainers. View Full Profile
