Google Sues ‘Lighthouse’ Cybercrime Group For Running Global Phishing-As-A-Service Network

Google has filed a lawsuit against a cybercrime organisation known as Lighthouse, accusing it of running one of the most expansive SMS phishing (smishing) networks in the world. The group allegedly sold “Phishing-as-a-Service” tools that allowed even inexperienced criminals to launch sophisticated scams impersonating banks, courier services, and government agencies.

According to the lawsuit, Lighthouse’s network has targeted millions of users globally — including those in India — using fake messages about unpaid fees, failed deliveries, and account verifications to steal sensitive personal and financial data. Google says the goal of the legal action is to dismantle the group’s operations and set a precedent against industrialised phishing.

How Lighthouse Operated

In its complaint, Google describes Lighthouse as a subscription-based cybercrime platform. For a monthly fee, customers gained access to phishing kits and software capable of sending mass SMS campaigns.

ALSO READ: Elden Ring Nightreign Expansion ‘The Forsaken Hollows’ Launches December 4: New Bosses, Characters, And A Shifting World Await

These kits reportedly included:

- Hundreds of ready-to-use templates mimicking major entities like banks, courier services (Blue Dart, DTDC), post offices, and RTO portals.

- Built-in dashboards for tracking victims’ input in real time.

- Hosting and automation tools for deploying large volumes of fraudulent websites.

In just 20 days, Lighthouse allegedly created 200,000 fake websites that collectively attracted over one million potential victims. Google estimates that between 12.7 million and 115 million credit card numbers in the United States alone may have been exposed.

Perhaps most concerning, the phishing pages reportedly logged keystrokes — meaning even incomplete form entries could still be stolen before submission.

Using Fake Google and USPS Pages to Gain Credibility

Lighthouse’s operations frequently leveraged Google’s brand to appear trustworthy. According to the lawsuit, the group used Google’s logos and branding on spoofed login pages to deceive users.

Scammers could log into Lighthouse’s internal dashboard, select templates impersonating companies such as USPS, Google, or financial institutions, and then mass-distribute messages like:

“Your package is pending delivery. Pay ₹50 to complete it.”

Clicking the link would lead victims to a convincing replica of an official USPS or bank webpage. Every keystroke — from name to credit card details — would appear live on the scammer’s Lighthouse panel.

This approach was replicated for banks, retail brands, and government agencies, increasing the appearance of legitimacy and urgency.

Google’s Legal Claims Against Lighthouse

In the lawsuit, filed in a U.S. federal court, Google accuses Lighthouse of:

- Racketeering under the RICO Act (Racketeer Influenced and Corrupt Organiations Act).

- Fraud and trademark infringement for misuse of Google’s logos and intellectual property.

- Violating cybersecurity and consumer protection laws by enabling large-scale digital fraud.

The complaint names 25 “Doe defendants” — unidentified individuals believed to be involved in the Lighthouse network. Google suspects the group’s operations are primarily based in China, though its true scope and membership remain unclear.

Google’s Broader Goal: Shutting Down Phishing-as-a-Service

Beyond halting Lighthouse’s operations, Google’s legal team is pursuing a court declaration that officially deems Lighthouse’s business model illegal.

Such a ruling would:

- Empower other tech platforms to immediately ban Lighthouse-related domains or tools.

- Help law enforcement agencies demand cooperation from hosting providers.

- Strengthen the legal basis for dismantling similar phishing service networks.

Google’s General Counsel Halimah DeLaine Prado told The Verge that the case was initiated due to the scale and velocity of Lighthouse’s expansion this year. The company discovered that Lighthouse had been advertising on Telegram and YouTube, offering support and tutorials for potential buyers. Both platforms have since taken down the related accounts.

A Growing Threat to the Tech Industry

The Lighthouse case underscores a disturbing trend: phishing as a service is making cybercrime easier and more scalable.

These networks allow even non-technical actors to deploy convincing scams at scale — often impersonating trusted brands to harvest financial and identity data. What once required skilled hackers can now be done by anyone with a credit card and access to such services.

ALSO READ: Lava To Enter UK Market In 2026, Aiming To Build A Global ‘Made-in-India’ Smartphone Brand

Google is taking one of its boldest legal steps yet against organised online crime with this lawsuit, filing one of their most aggressive legal steps yet against large-scale phishing operations like Lighthouse. While its effect remains uncertain, this action sends a clear signal: tech companies no longer view large-scale phishing operations as isolated incidents but instead as criminal enterprises posing threats to global digital safety.

Final Thoughts

Google’s lawsuit against Lighthouse represents a turning point in the fight against commercialised phishing. The case highlights how cybercrime has evolved from small-scale scams to subscription-based operations — complete with customer support and marketing.

If Google succeeds, it could set a precedent for tech-driven legal action against similar networks, helping to curb a growing wave of phishing-as-a-service threats worldwide.

For now, the message is clear: the fight against large-scale digital fraud is moving from the inbox to the courtroom — and Google intends to make an example out of Lighthouse.