Google has filed a groundbreaking lawsuit against a Chinese cybercrime syndicate responsible for a global smishing operation that has scammed over a million victims across 120 countries. The lawsuit, filed under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA), targets the group’s phishing-as-a-service platform known as “Lighthouse.”
The operation, dubbed the “Smishing Triad” by cybersecurity researchers, used sophisticated SMS phishing messages to impersonate reputable brands like Google, E-ZPass, and the U.S. Postal Service. Victims were tricked into clicking malicious links that directed them to counterfeit websites designed to steal Social Security numbers, bank credentials, and credit card information.
Google alleges the gang may have compromised between 12.7 million and 115 million U.S. credit cards. Halimah DeLaine Prado, Google’s general counsel, stated the Lighthouse software was built to mimic real brands, enabling criminals to launch coordinated attacks at scale.
The smishing network is organized and multi-layered, with public Telegram channels used to coordinate attacks. Roles within the operation include “data brokers” who provide contact lists, “spammers” who distribute phishing texts, and a “theft” group that exploits stolen data. Over 2,500 individuals are estimated to be involved.
The scam relies on SIM farms—industrial setups loaded with thousands of SIM cards—to blast text messages globally. These scams are also linked to a broader fraud ecosystem where stolen credit card numbers are installed on digital wallets and used to purchase iPhones, luxury goods, and gift cards.
While legal experts question how much impact a U.S. civil lawsuit can have against criminals in communist China, Google is also backing three bipartisan anti-fraud bills to enhance protections: the GUARD Act, the Foreign Robocall Elimination Act, and the Scam Act.
