Google lawsuit takes aim group behind text message scams

Google took action Wednesday against a group behind millions of scam text messages impersonating USPS, E-ZPass, banks and more by filing a lawsuit against individuals behind the Lighthouse SMS phishing-as-a-service (PhaaS) kit.

Lighthouse facilitates widespread text message scams such as USPS “stuck package” scams and “unpaid road toll” scams impersonating E-ZPass or other toll collectors, Google General Counsel Halimah DeLaine Prado said in a blog post announcing the lawsuit.

The lawsuit, acquired by Reuters, also highlights scams impersonating banks and e-commerce websites tied to the Lighthouse operation. Scam texts sent using the Lighthouse phishing kit include malicious links to spoofed websites designed to harvest users’ credentials and payment card information.

According to Google, the phishing kit has led to the victimization of more than 1 million people across more than 120 countries and is responsible for the theft of between 12.7 million and 115 million U.S. credit cards.

Google is suing Lighthouse’s operators in the United States District Court for the Southern District of New York on the basis of damages caused to Google and its users by Lighthouse’s use of Google trademarks and Google Ads in its schemes, as well as the group’s unauthorized use of Google users’ credentials.

The suit contains multiple examples of Google logos and trademarks used on Lighthouse phishing templates including the Google Play logo, YouTube logo and prompts to sign in with Google. Google is suing for violations of the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act and the Computer Fraud and Abuse Act.

The operators of Lighthouse are suspected to be based in China, with its developers known online by the aliases Wang Duo Yu and CoSmile. However, as the true identities and number of people in the Lighthouse operation are unknown, the defendant in Google’s lawsuit is listed as "Does 1-25."

Silent Push reported in April 2025 that the Lighthouse operation was tied to a Chinese cybercrime group known as the Smishing Triad, which has been operating since 2023. The Smishing Triad is believed to use its phishing kits, including Lighthouse, to send up to 100,000 scam texts daily.

Lighthouse has claimed to have “300+ front desk staff worldwide,” Silent Push reported, and Google’s lawsuit stated that a Telegram channel dedicated to discussing the Lighthouse PhaaS has more than 2,500 members with seven administrators, including Wang Duo Yu and CoSmile.

Palo Alto Networks' Unit 42 reported last month that the Smishing Triad has leveraged nearly 195,000 domains since January 2024, with USPS being the most impersonated brand and toll road agencies being the most spoofed category overall. Google said SMS phishing attacks in total have increased five-fold since 2020.

Google also announced Wednesday its endorsement of three proposed bills designed to strengthen defenses and take action against similar fraud campaigns. These include the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, the Foreign Robocall Elimination Act and the Scam Compound Accountability and Mobilization (SCAM) Act.