Google Targets Lighthouse PhaaS Behind iMessage/RCS Smishing Impersonating USPS and E‑ZPass

CyberSecureFox 🦊

Google has filed a federal lawsuit against Lighthouse, a phishing‑as‑a‑service (PhaaS) platform allegedly used by threat actors to run high‑volume smishing campaigns that impersonate brands such as USPS and E‑ZPass. According to Google’s estimates, Lighthouse‑enabled operations have impacted over 1 million users in 120 countries, and in the United States alone roughly 115 million payment cards were compromised between July 2023 and October 2024. Google seeks to dismantle Lighthouse’s infrastructure under federal statutes addressing racketeering (RICO), fraud, and the Computer Fraud and Abuse Act (CFAA).

Scope of Impact and Targeted Brands

The campaigns typically deliver text messages about “unpaid tolls” or undeliverable parcels, driving victims to cloned portals styled after E‑ZPass or USPS where payment card data is harvested. Beyond transportation and postal services, Google reports lures impersonating banks, healthcare providers, payment platforms, law enforcement, and social networks, broadening the victim pool and boosting conversion through brand trust.

How Lighthouse Operates: Turnkey Smishing at Scale

Lighthouse supplies customizable phishing kits, hosting, and bulk messaging capabilities, lowering the barrier to entry for cybercriminals. Crucially, delivery is pushed via iMessage and RCS—channels that can bypass legacy SMS‑centric spam controls—raising the success rate of initial contact. For would‑be attackers, the model is straightforward: subscribe, select a brand template, and launch a campaign without building bespoke infrastructure.

Brand Abuse, Including Google

Google identified at least 107 phishing templates using its trademarks, logos, and visual elements on fraudulent login and payment pages. The misuse of well‑known marks increases the likelihood that recipients perceive the pages as legitimate, materially elevating credential and card theft.

Legal Strategy: Infrastructure Takedown and Deanonymization

The complaint seeks court‑ordered dismantling of Lighthouse’s infrastructure and access to operational data via warrants and subpoenas. Even without naming all operators, such actions can seize domains and compel registrars, hosting providers, and payment processors to disclose IP addresses, logs, and transaction records. The approach mirrors industry precedents where coordinated civil actions have disrupted PhaaS ecosystems by choking off their technical and financial lifelines.

Attribution, Monetization, and Distribution Channels

Cisco Talos links Lighthouse to a Chinese actor known as Wang Duo Yu, who purportedly distributes and supports the kits via Telegram channels. Since October 2024, multiple crews leveraging Lighthouse have executed large‑scale E‑ZPass lures across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas.

Netcraft characterizes Lighthouse as a commercial service priced from $88/week to $1,588/year. Beyond payment cards, the platform targets logins, passwords, and 2FA codes, increasing downstream account takeover risk. Investigative reporter Brian Krebs notes that Lighthouse operators previously acted under the Smishing Triad label before rebranding in March 2025.

Risk Mitigation for Consumers and Organizations

Individuals should avoid clicking links in unsolicited “debt” or “delivery” messages and instead verify status via official apps or by manually entering the organization’s URL. Enable transaction alerts and spending limits on cards, and prefer hardware security keys or authenticator apps over SMS codes for multi‑factor authentication.

Enterprises should deploy brand monitoring, mobile message filtering where feasible, and targeted security awareness training focused on smishing. Implement rapid phishing domain takedown processes, and coordinate with registrars and payment providers to accelerate disruption of criminal infrastructure.
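One way to implement the mobile message filtering and brand monitoring recommended above, as an added example that is not part of the original article or any vendor's tooling: a small Python triage heuristic that scores a text message on the lure wording the article describes (unpaid tolls, undeliverable parcels), urgency phrasing, and links whose hostname carries a brand name but resolves to a domain outside that brand's allowlist. The allowlisted domains (`usps.example`, `ezpass.example`) and the sample messages are placeholders constructed for this example, not the brands' real domains or real captured messages.

```python
import re
from urllib.parse import urlsplit

# Placeholder allowlist of each brand's legitimate domains. These are assumptions
# for the example, not the brands' real domains; a deployment supplies its own list.
OFFICIAL_DOMAINS = {
    "usps": {"usps.example"},
    "ezpass": {"ezpass.example", "e-zpass.example"},
}

# Lure wording the article describes: "unpaid tolls" and undeliverable parcels.
LURE_TERMS = {
    "toll": ("unpaid toll", "toll balance", "outstanding toll", "toll fee"),
    "parcel": ("undeliverable", "redeliver", "delivery fee", "package is on hold", "parcel"),
}
URGENCY_TERMS = ("within 24 hours", "immediately", "suspended", "penalty", "final notice")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Adequate for .com/.top-style hosts; a
    production filter would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in_host(host):
    """Return the brand whose name appears in the hostname, ignoring hyphens so
    'e-zpass' and 'ezpass' are treated alike; None if no brand name is present."""
    squashed = host.lower().replace("-", "")
    for brand in OFFICIAL_DOMAINS:
        if brand in squashed:
            return brand
    return None


def analyze(message):
    """Score one message; a higher score means more smishing indicators present."""
    text = message.lower()
    score, findings = 0, []

    lure = next((kind for kind, terms in LURE_TERMS.items()
                 if any(t in text for t in terms)), None)
    if lure:
        score += 2
        findings.append(f"{lure}-lure wording")
    if any(t in text for t in URGENCY_TERMS):
        score += 1
        findings.append("urgency wording")

    for url in URL_RE.findall(message):
        host = urlsplit(url).hostname or ""
        brand = brand_in_host(host)
        if brand and registrable_domain(host) not in OFFICIAL_DOMAINS[brand]:
            # Brand name in the hostname, but the registrable domain is not the brand's own.
            score += 4
            findings.append(f"lookalike {brand} domain {host}")
        elif brand is None and lure:
            # Lure wording pointing at a domain with no relation to the impersonated brand.
            score += 2
            findings.append(f"lure links to unrelated domain {host}")

    verdict = "likely smishing" if score >= 4 else "suspicious" if score >= 2 else "benign"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages (placeholders, not real captured traffic).
SAMPLE_MESSAGES = [
    "USPS: your package is undeliverable due to an incomplete address. "
    "Redeliver within 24 hours: https://usps-redelivery.example.top/track",
    "E-ZPass: unpaid toll balance of $6.99. Pay immediately to avoid a penalty: "
    "https://ezpass-pay.example.click/bill",
    "Your parcel could not be delivered. Pay the delivery fee to reschedule: "
    "https://track-update.example.info/p",
    "USPS: your package was delivered at 2:14 PM. Details: https://usps.example/track/9400",
    "Reminder: your dental appointment is tomorrow at 3 PM. Reply C to confirm.",
]


def triage(messages=SAMPLE_MESSAGES):
    """Analyze a batch of messages and return one result dict per message."""
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage()):
        print(f"[{result['verdict']:15}] score={result['score']} {msg[:60]!r}")
        for finding in result["findings"]:
            print("    -", finding)
```

The lookalike check is the one worth investing in: lure wording and urgency phrases are cheap for an attacker to vary, but a link that borrows the brand name while living on an unrelated registrable domain is exactly the artifact a brand-monitoring feed can also surface and push into a takedown workflow.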

Google’s lawsuit underscores an evolution in anti‑phishing strategy: focus on supply‑chain disruption and operator deanonymization. As attackers exploit iMessage and RCS to sidestep traditional SMS defenses, timely blocking of domains and hosting, coupled with skeptical handling of unsolicited links, can materially reduce attacker conversion rates and undermine the economic incentives that fuel PhaaS operations.
