A sign at Google’s headquarters on Thursday, October 23, 2025, in Mountain View, California, USA.
Benjamin Fanjoy | Bloomberg | Getty Images
google filed a lawsuit Wednesday against a foreign cybercrime group behind a massive SMS phishing, or “smishing” operation.
The organization, dubbed the “Smishing Triad” by some cyber researchers, is primarily based in China, Google said, and uses a phishing kit-as-a-service called Lighthouse to create and deploy attacks using deceptive texts.
Google said in a release that the criminal group has caused more than 1 million victims in 120 countries.
“They were preying on users’ trust in reputable brands like E-ZPass, the U.S. Postal Service, and even Google,” Google general counsel Halima Delaine Prado told CNBC. “‘Lighthouse’ companies or software create a large number of templates that create fake websites to extract user information.”
Google is seeking to dismantle the group and its Lighthouse platform, filing charges under the racketeer law, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA).
The texts typically contain malicious links to fake websites designed to steal victims’ sensitive financial information, including Social Security numbers and banking credentials.
Messages often appear in the form of fake fraud alerts, delivery information updates, unpaid government fee notices, or other seemingly urgent texts.
According to Google, the criminal group has stolen approximately 12.7 million to 115 million credit cards in the United States alone.
“The aim is to prevent its continued spread, deter others from doing the same, and protect both the users and brands exploited on these websites from future damage,” Delaine Prado said.
The Alphabet company said it had discovered more than 100 website templates generated by Lighthouse that used Google branding on the sign-in screen to trick victims into believing the site was legitimate.
Internal and third-party investigations revealed that approximately 2,500 members of the syndicate communicated on public Telegram channels to recruit more members, share advice, and test and maintain the “Lighthouse” software itself, DeLaine Prado said.
She added that the organization also had a “data broker” group that provided lists of potential victims and contacts, a “spammer” group that was responsible for SMS messages, and a “thief” group that coordinated attacks using credentials obtained on Telegram’s public channels.
Google said it was the first company to take legal action against SMS phishing scams and supports three bipartisan bills aimed at protecting against further fraud and cyberattacks.
“While litigation is one vector through which we may be able to stop it, we also believe that this type of cyber activity requires a policy-based approach,” Delaine Prado said.
The three bills include the Protecting Unsheltered Elderly Retirees from Deception (GUARD) Act, the Alien Robocall Elimination Act, which would establish a task force to target illegal foreign robocalls, and the Fraud Combined Responsibility Mobilization Act, which would target fraud and assist survivors of human trafficking in centers.
The lawsuit is part of Google’s broader strategy to instill cyber protection awareness among its users.
The company recently introduced additional safety features, including a Key Verifier tool in Google Messages and artificial intelligence-powered spam detection.
