Google has filed a civil suit in Manhattan against the operators of a large phishing‑as‑a‑service platform known as Lighthouse. The company says the system, run by a group it links to the Smishing Triad, lets criminals build fake sites and send mass SMS messages to steal login details and bank data.
The complaint names 25 online handles said to run Lighthouse. Google accuses them of providing ready‑made phishing templates that imitate Google services, creating thousands of counterfeit pages, and sending high volumes of SMS lures. Access to the platform, the suit says, made it easy for low‑skill actors to pose as major brands and harvest credentials.
Google claims the operation led to the theft of data on a very large scale, including as many as 115 million U.S. payment cards. Between July 2023 and October 2025, the company says Lighthouse operators set up more than 32,000 phishing sites that pretended to be the U.S. Postal Service.
Because many of the defendants are known only by online names and operate overseas, U.S. courts may have limited reach. Still, Google is asking the court to bar third parties from supporting Lighthouse and its infrastructure. The company says a U.S. ruling could help disrupt the service worldwide.
Researchers note Lighthouse uses rapidly changing hosting and other evasive steps to avoid browser warnings and Safe Browsing detections. The Smishing Triad also offers or shares tools with other phishing providers such as Dracula and Lucid, and it uses rich messaging features like RCS and iMessage to push crafted texts that match local carriers and services.
In parallel with the lawsuit, Google urged lawmakers to strengthen rules and cross‑border enforcement against smishing and related scams. The company has also boosted its own protections, adding automated link detection, better filtering in Google Messages, and more help for users with compromised accounts.
Leave a comment