Google has filed a lawsuit claiming it identified and is now targeting a sprawling scam operation that uses text messages and fake websites to steal personal and financial data.
The accused network, referred to as “Lighthouse”, allegedly provides a “phishing-as-a-service” platform: ready-made templates, bulk SMS tools, and backend infrastructure for scammers to impersonate legitimate brands and institutions.
According to the complaint, Lighthouse’s reach spans at least 120 countries, may have created hundreds of thousands of fake websites and compromised millions of banking/credit-card details in the U.S. alone.
Scammers usually operate in relative anonymity and are rarely held accountable for ripping off consumers. But Google has filed a civil suit in the U.S. District Court for the Southern District of New York against 25 unnamed defendants it says are behind Lighthouse — a China-based network of cybercriminals.
Google alleges the defendants offered subscription services to technically less-skilled criminals. In exchange for a fee paid in cryptocurrency, buyers received access to mass-texting tools (SMS, iMessage, RCS), a library of more than 600 phishing templates, fake domains mimicking major brands—some using Google’s own logo—and dashboards tracking stolen credentials.
One dramatic claim in the company’s filing: in a 20-day span, Lighthouse-linked activity alone reportedly created roughly 200,000 phishing websites and may have targeted 12.7 million to 115 million U.S. card-holder records.
Why this matters
The case reflects how large-scale text-based scams have evolved from simple spam to sophisticated infrastructures. According to a recent Google report, the so-called “Spray and Pray” and “Bait and Wait” models are increasingly used to trick users via SMS, group messaging, and social-engineered links.
Because the scammers impersonate trusted entities (postal services, toll-charges, delivery notices) and use familiar branding – including Google’s – the risk goes beyond small-time phishing: it undermines trust in digital messaging and makes detection harder for users.
By filing this lawsuit, Google isn’t just going after the alleged operators. The company says it seeks a legal finding that enables it (and other infrastructure providers) to better coordinate takedowns of domains, servers and payment systems used by the network.
What’s next
Global cooperation may be required: Although Google has filed suit in the U.S., the defendants are believed to be overseas and anonymous, so enforcing judgments may be a challenge.
Legislative angle: Google also voiced support for several bipartisan bills in the U.S. designed to combat scams, including the GUARD Act (targeting fraud against the elderly), the SCAM Act (addressing scam-compounds) and robo-call/foreign robocall legislation.
User impact: For consumers, this case stresses the need to treat unexpected texts or messages—especially those urging immediate action or asking for credentials—with suspicion. Google’s own help guidance lists steps to avoid scams like this.