WASHINGTON—If you’ve ever received a text message claiming to be from the United States Postal Service about an undelivered package — or from E-ZPass demanding payment for an unpaid toll — you may have been targeted by a Chinese phishing operation.
Lighthouse, a China-based Phishing-as-a-Service operation, has targeted over a million victims through its elaborate text message scam, Google alleges in a lawsuit filed Wednesday in the United States District Court for the Southern District of New York. The company says Lighthouse’s scheme “swindled innocent victims out of millions of dollars.”
“Defendants have affirmatively directed actions at the United States, including the Southern District of New York, by creating fake websites mimicking the New York City government website (nyc.gov) and New York E-ZPass website (e-zpassny.com), among many others, for use in these phishing schemes,” the complaint said.
According to the filing, the software used by the defendants allowed cybercriminals to send mass text messages to large numbers of victims simultaneously.
Google says it was also harmed by the misuse of its trademarks and services.
“In facilitating and executing these phishing campaigns, the Lighthouse Enterprise preys on the public trust in Google, a leader in the technology space, by misappropriating Google branding, including by using Google logos on fraudulent websites,” the complaint said.
Google’s logos were used on spoofed websites to trick victims into providing personal and financial information, according to the company.
The court this week granted Google a temporary restraining order against Lighthouse, which has since gone dark.
“This shutdown of Lighthouse’s operations is a win for everyone,” Google General Counsel Halimah DeLaine Prado told The Daily Wire. “We will continue to hold malicious scammers accountable and protect consumers.”
The company said it had devoted “substantial resources to investigate and combat the Lighthouse Enterprise’s criminal activity.”
An investigation by SECAlliance revealed that between July 2023 and October 2024, the platform was used to launch fake USPS phishing websites and said somewhere between 12.7 and 115 million credit cards were estimated to have been compromised across the nation.
The texts claim that the victims have an “undelivered package” and lead them to a fake website, which steals their information.
While the full scope of the enterprise remains unclear, the complaint said the Lighthouse Enterprise includes “several connected threat actor groups.”
Google’s efforts to fight cybercriminals don’t end there.
This year, the company launched new features, including using artificial intelligence to flag common scam messages.
The company is also announcing the endorsement of three bipartisan pieces of legislation targeting cyber scams.
This includes the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, the Foreign Robocall Elimination Act, and the Scam Compound Accountability and Mobilization (SCAM) Act.
“From the courtroom to the Capitol, we are taking action to stop these attacks. But this is a shared fight. While we take on criminal networks and advocate for stronger laws, we are also building smarter, AI-driven tools to help you spot and avoid these scams,” Prado said.
The company says it hopes to “make the digital world a much harder place for criminals to do business.”