A major lawsuit has been filed by Google against an international group of cybercriminals who organized a large-scale SMS phishing campaign. Investigative materials mention a community known as the Smishing Triad, primarily based in China. According to the plaintiff's estimates, over 1 million people in 120 countries have fallen victim to these attacks, and the perpetrators are using a phishing toolkit called Lighthouse, which operates on a "phishing as a service" model (according to media reports).
The lawsuit encompasses three U.S. laws: RICO, which combats organized crime; the Lanham Act, which pertains to trademarks and unfair competition; and the CFAA, which regulates computer fraud and abuse. Google is asking the court to shut down the criminals' services and close the Lighthouse platform, which, according to lawyers, produces templates for data theft.
The attack method is quite simple: the victim receives a message with an "important notification" containing a link to a fake website. On this site, users are persuaded to enter their confidential information, including social security numbers, banking details, and other payment information. Typically, the pretexts for such manipulations include a fictitious card block, a threat of "debt" for taxes, "delivery updates," or notifications of "suspicious transactions."
The criminals exploited trust in well-known brands such as E-ZPass, the U.S. Postal Service, and even Google itself. During internal investigations, over 100 login page mockups were discovered, where Google logos and design were used to mimic real authorization and steal passwords.
Google estimates the damage from the criminals' actions in the U.S. to be very high: in this country alone, the perpetrators could have stolen between 12.7 and 115 million bank cards. This wide range in numbers is explained by differences in methods and data sources; however, even the minimum estimate indicates the serious aggressiveness of the phishing ecosystem.
The investigation also touched on the organizational structure of the criminal network. The company's general counsel noted that about 2,500 participants coordinated their actions in an open Telegram channel. In this channel, they recruited performers, discussed strategies, and supported the operation of Lighthouse. Within the group, there were separate divisions: data brokers collected databases of potential victims, spammers handled message distribution, and another group used stolen credentials for further thefts.
This lawsuit marks the first instance of a technology company suing specifically for SMS phishing operations. Lawyers emphasize that, in addition to legal measures, policy-level changes are also necessary. In this context, Google has supported three bipartisan initiatives in Congress: the GUARD Act (to protect seniors from fraud), the Foreign Robocall Elimination Act (to create a special group to combat foreign "robocalls"), and the Scam Compound Accountability and Mobilization Act (measures against "scam centers" and assistance for their victims).
Recently, Google has implemented new features in Google Messages, including Key Verifier and AI-based algorithms for more effective filtering of suspicious messages, allowing harmful links to be blocked before the user clicks on them.
The company has set its goal to stop the spread of Lighthouse, create a precedent that would deter future criminals, and minimize risks for users and organizations whose brands were used to "legitimize" phishing sites. If the court accepts the lawsuit, the Smishing Triad will lose an important platform, making it easier for law enforcement to dismantle the remaining elements of this network.
