In a landmark move against international cybercrime, Google has filed a sweeping lawsuit targeting a Chinese cybercriminal syndicate responsible for a massive global “smishing” operation—SMS-based phishing scams that have already victimized over a million people in more than 120 countries.
The group, informally dubbed the “Smishing Triad” by cybersecurity researchers, is at the heart of what experts describe as one of the largest coordinated digital fraud efforts ever seen. The operation used a phishing-as-a-service kit called “Lighthouse” to distribute fake text messages impersonating reputable organizations like E-ZPass, USPS, and even Google itself, in order to steal sensitive financial data from unsuspecting victims.
Filed Wednesday in a U.S. federal court, the lawsuit is the first legal action by a major corporation specifically targeting a smishing campaign. Google is bringing claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA) — a trio of powerful legal tools more commonly associated with organized crime and corporate espionage than phone scams.
According to Google’s legal team, the cybercriminals are believed to have stolen between 12.7 million and 115 million credit card numbers in the U.S. alone — a staggering range that reflects the scale and speed of the operation. Once obtained, the stolen data was used to make fraudulent purchases of everything from iPhones to cosmetics, often through digital wallets like Apple Pay and Google Wallet in Asia, then remotely leveraged in the U.S. through proxy buyers.
“These criminals were preying on users’ trust in reputable brands,” said Halimah DeLaine Prado, Google’s General Counsel. “The ‘Lighthouse’ software is essentially a fraud machine — it generates realistic phishing websites designed to lure users into handing over everything from Social Security numbers to banking credentials.”
The operation’s structure reveals a professionalized and segmented criminal enterprise, according to court filings. Members were divided into distinct groups:
- Data brokers, who sold lists of potential victims.
- Spammers, who used SIM farms — vast banks of mobile devices — to blast out millions of smishing texts.
- Thieves, who executed credential thefts and coordinated purchases on public Telegram channels used to manage operations and recruit new members.
Google alleges it found over 100 fake websites using its branding and login screens, meticulously crafted to fool even the most skeptical users.
The lawsuit raises urgent questions about jurisdiction and enforceability. Can a U.S. court hold Chinese cybercriminals accountable? And will the Chinese Communist Party — long accused of harboring or ignoring state-tolerated cybercrime — do anything to crack down on fraudsters operating inside its borders?
Historically, China has shown little interest in cooperating with U.S. cybercrime enforcement, especially in cases where the perpetrators are not targeting Chinese citizens. In that context, Google’s legal maneuver could be more symbolic than tactical — a public signal to both lawmakers and tech companies that U.S. corporations won’t remain passive in the face of coordinated foreign cyberattacks.
