Google has filed a lawsuit against an international cybercrime syndicate known as the “Smishing Triad”, accused of orchestrating a vast SMS phishing or “smishing” operation that has targeted millions of victims across more than 120 countries.
According to Google, the group based in China used a “phishing-as-a-service” toolkit called Lighthouse to create and deploy fraudulent text messages impersonating trusted brands, including E-ZPass, the U.S. Postal Service, and Google itself.
“They were preying on users’ trust in reputable brands such as E-ZPass, the U.S. Postal Service, and even us as Google.
“The ‘Lighthouse’ software creates fake website templates to steal users’ information.” said Halimah DeLaine Prado, Google’s General Counsel, in an interview with CNBC.
Long-lasting Damage
Google alleges that the Smishing Triad has stolen between 12.7 million and 115 million credit card details in the United States alone. The company’s lawsuit cites violations under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA). The tech giant is seeking to dismantle both the group and its Lighthouse platform.
Investigators found that around 2,500 members of the syndicate were active on a public Telegram channel, coordinating recruitment, testing phishing templates, and sharing stolen data. The network reportedly consisted of multiple divisions:
-
a data broker group supplying victim lists,
-
a spammer group sending out fraudulent SMS messages, and
-
a theft group that executed attacks using the stolen credentials.
Google’s legal team said it discovered over 100 website templates created with Google’s branding to mimic legitimate sign-in pages. These fake websites were designed to harvest sensitive information such as banking credentials, Social Security numbers, and other personal data.
“The idea is to prevent continued proliferation, deter others from similar crimes, and protect both users and brands from future harm,” DeLaine Prado said.
Google said this is the first-ever legal action taken by a private company against an SMS phishing network. The move aligns with its broader cybersecurity strategy, which includes new safety tools such as Key Verifier and AI-powered spam detection in Google Messages
“While litigation is one tool to disrupt this kind of activity, we also believe that combating cybercrime requires strong policy and legislative action,” DeLaine Prado added.
