Google sues China-based cybercrime syndicate behind global SMS phishing scams

Google has filed a lawsuit against a foreign cybercriminal syndicate accused of orchestrating one of the world’s largest SMS phishing operations, targeting millions of users across 120 countries through fraudulent text messages posing as trusted brands such as E-ZPass, the U.S. Postal Service, and even Google itself.

The company stated that the criminal organisation, referred to by cybersecurity researchers as the ‘Smishing Triad’ and allegedly based primarily in China, operated a phishing-as-a-service network known as ‘Lighthouse’, which enabled attackers to design and deploy large-scale “smishing” campaigns using ready-made templates for fake websites, as reported by CNBC.

Google’s General Counsel Halimah DeLaine Prado informed that the syndicate had amassed over a million victims globally, preying on users’ trust in well-known institutions and luring them into entering sensitive data such as Social Security numbers, banking credentials and other financial details through fraudulent links. She explained that the Lighthouse software was capable of generating hundreds of cloned websites, some even mimicking Google’s own login screens to trick victims into believing the sites were authentic.

The tech giant has brought charges under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA), seeking to dismantle both the criminal network and the Lighthouse infrastructure that powered its operations. Prado stated that the objective was to curb the group’s continued proliferation, deter similar criminal activities, and safeguard users and brands misused in these scams from further harm.

Investigations revealed that the cybercrime ring had stolen between 12.7 million and 115 million credit cards in the United States alone, while internal and third-party research uncovered over 100 website templates created with Google’s branding. The probe also found that around 2,500 members of the syndicate were active on a public Telegram channel, using it to recruit participants, exchange techniques, and maintain the Lighthouse software. Prado informed that the organisation was structured into several units, including a “data broker” division responsible for sourcing potential victim lists, a “spammer” team managing the bulk SMS operations, and a “theft” group coordinating credential exploitation.

Google noted that this marks the first legal action taken by a company against SMS phishing schemes and forms part of its broader effort to combat cybercrime and raise awareness about online fraud. The company also announced its endorsement of three bipartisan U.S. bills aimed at tackling fraud and cyberattacks: the GUARD Act (Guarding Unprotected Aging Retirees from Deception), the Foreign Robocall Elimination Act, and the Scam Compound Accountability and Mobilisation Act, which targets scam compounds and provides support for human trafficking survivors operating within them.

Prado stated that while the lawsuit represents one avenue to disrupt such criminal activity, a broader policy-based approach is necessary to strengthen protections against sophisticated phishing operations that continue to evolve across digital platforms.