What just happened? Phishing has become a full-fledged cybercrime industry powered by automation and global marketplaces. Now Google is taking the unusual step of fighting back in court, targeting a company it says built and sold tools that made large-scale scams possible.
Google has launched a sweeping legal challenge against a China-based network accused of selling subscription software that enables large-scale phishing operations. Financial Times notes that the search giant's civil complaint, filed in the Southern District of New York, names the operators of a system known as "Lighthouse," which Google says facilitated scams that stole more than $1 billion from about one million victims across 121 countries.
The lawsuit represents one of Google's most aggressive attempts yet to disrupt online criminal infrastructure directly in court. The company seeks damages under US racketeering and computer fraud statutes, and aims to secure court authority to coordinate takedowns of domains and servers underpinning the Lighthouse platform.
"Criminals are leveraging the trust and reputation of our brand to lure users into unsafe phishing attacks," Google general counsel Halimah DeLaine Prado told FT.
Prado said the lawsuit gives the company a way to defend users targeted by phishing campaigns that impersonate Gmail, YouTube, and other service providers.
Court filings allege that Lighthouse runs a phishing-for-hire service that bundles nearly every component of online fraud into a monthly subscription. Subscribers get customizable toolkits that generate fake login pages and message templates impersonating legitimate organizations – including Google services, the US Postal Service, and even municipal governments.
The system splits its architecture among several specialized units. A developer branch updates the toolkit with hundreds of spoofed website templates exchanged for cryptocurrency payments. A data unit compiles databases of potential victims – often scraped or purchased on dark web forums – and passes them to spammers. This final group uses automated messaging systems to send millions of SMS phishing texts, each linking to counterfeit websites that steal credentials, credit card information, and authentication codes.
Google's complaint says Lighthouse promotes its services through online forums, YouTube tutorials, and encrypted Telegram channels, where operators recruit new customers and trade technical updates. One prominent Telegram administrator identified in the filing declined to comment on the allegations. The channel remains active, with participants advertising their ability to send up to 200,000 text messages a day to users in Japan, Australia, and other regions.
Security data cited in the lawsuit illustrates phishing on a scale previously seen only in state-sponsored disinformation campaigns. Cybersecurity firm Silent Push tracked activity allegedly linked to Lighthouse users over 20 days this year, recording the creation of 200,000 fraudulent websites that collectively drew roughly 50,000 daily visits. A Chinese group called Smishing Triad reportedly controlled many of those sites, using Lighthouse's automation tools to compromise thousands of US credit card accounts.
The scams most often impersonate postal delivery alerts, tricking recipients into paying a small fee to "reschedule delivery" of a supposedly missed package. After users enter their payment details, attackers harvest the credentials and reuse them to access bank, email, and mobile wallet accounts.
While Google cannot directly prosecute criminal cases, its lawsuit under the RICO Act and the Computer Fraud and Abuse Act enables it to seek court orders compelling US service providers to dismantle infrastructure linked to Lighthouse. The company hopes that coordinated legal action and industry cooperation can erode the group's operations faster than they can recover.
"It becomes a bit of a game of whack-a-mole, but we're now able to identify the offenders and go after them individually," Prado said. "That has a ripple effect of deterrence."
The case comes as the US Cybersecurity and Infrastructure Security Agency estimates that more than 3.4 billion phishing emails are sent globally each day, with over 90 percent of successful cyberattacks starting as a deception in an inbox or text message. Attackers now increasingly use AI-generated content and social media data to craft highly personalized lures.