Google filed a lawsuit on Wednesday accusing a China-based criminal network known as Lighthouse of running a large-scale phishing operation that targeted U.S. credit card holders, company officials said.
The complaint, filed in federal court, says Lighthouse used text messages warning recipients about a stuck package or an unpaid toll to direct people to fake websites that imitated legitimate brands. According to court filings, the campaign sought data tied to between 15 million and 100 million potential U.S. credit cards and affected more than 1 million victims.
Google said it identified more than 100 counterfeit sites that used Google branding and other familiar corporate marks to trick people into surrendering passwords, credit card numbers and other sensitive personal information. The company asked the court to apply the Racketeer Influenced and Corrupt Organizations Act, or RICO, a law commonly used against organized criminal enterprises.
The lawsuit is notable for a technology company invoking RICO against an alleged foreign cybercrime network. It highlights persistent concerns about transnational cyberattacks that impose financial and security costs on U.S. consumers, financial institutions and businesses, and it fits within broader trends covered in our Crime Coverage.
Background
In the complaint, Google lays out a multi-year, automated and manual operation that it says harvested login credentials and payment data through so-called smishing campaigns. Victims received short message service texts that urged them to click links to resolve a delivery problem, dispute an unpaid toll or address another urgent-sounding issue.
Those links led to look-alike web pages operated by the alleged criminals, the filings say. When visitors entered credentials or payment details, the information was collected and then used for fraudulent purchases, unauthorized account access or sold to other actors, according to the complaint.
- Estimated scope: 15 million to 100 million potential U.S. credit cards, according to the complaint.
- Known victims: more than 1 million people affected, the company said.
- Deceptive infrastructure: more than 100 counterfeit websites identified using Google branding and other trademarks.
- Legal approach: Google is seeking civil relief under RICO, as well as injunctive orders to disrupt the operation.
Legal and technical details
RICO is a federal statute that allows both criminal prosecution and civil suits against patterns of racketeering activity. Private plaintiffs who prevail under civil RICO can seek treble damages and injunctive relief, which makes the statute a potent tool for companies trying to freeze assets, seize infrastructure or compel discovery.
Google said its suit names operators, facilitators and infrastructure providers tied to Lighthouse and asks the court to stop the networks that host the counterfeit sites, block domain names used for phishing and return funds traced to the scheme. The complaint describes a combination of automated systems that generated and sent large volumes of SMS messages and manual steps that tailored pages and social engineering pitches to specific consumers and brands.
Company attorneys told reporters the goal is both to obtain civil remedies and to create a public record of the operation’s methods and scope. Google also said it is coordinating with federal law enforcement and industry partners to pursue additional enforcement actions and victim remediation.
Industry and government context
Smishing and related credential-harvesting schemes have grown more sophisticated in recent years, according to cybersecurity firms and government warnings. Criminals increasingly combine automated message distribution with short-lived hosting and frequent domain changes to evade detection and takedown efforts.
U.S. regulators and law enforcement agencies have issued alerts and guidance for businesses and consumers on how to spot and respond to fraud. The Federal Trade Commission and other agencies routinely advise users to be suspicious of unsolicited texts that ask for credentials or payment information and to confirm messages directly with service providers before clicking links.
Private companies, including major tech firms, have used civil litigation and court-authorized actions to disrupt botnets and fraud infrastructure in recent years. Those efforts can lead to expedited court orders that suspend domains or transfer control of servers, but experts caution that civil suits do not replace criminal investigation and international cooperation when perpetrators are overseas.
Reactions and next steps
Google said it will pursue the relief requested in the complaint and work with partners to notify affected institutions and consumers. The complaint seeks an order requiring defendants to stop using Google branding, to transfer control of domains and servers used in the operation and to identify third parties that enabled the campaign.
Industry groups and consumer advocates have long pushed for clearer notification standards and better automated fraud detection among payment processors and card networks. Banks and card issuers typically shoulder a mix of chargeback costs and fraud losses, and large compromises can drive changes in industry practices and authentication requirements.
The complaint also raises questions about attribution and enforcement. Civil discovery may reveal networks of intermediaries and service providers, but criminal prosecutions and international law enforcement cooperation are usually necessary to apprehend operators located abroad.
Analysis
The suit spotlights the limits and possibilities of private litigation as a governance tool for cross-border cybercrime. By invoking RICO, Google is framing the activity as an organized enterprise rather than a series of isolated incidents, which can expand the legal remedies available and increase pressure on intermediaries that enable the operation.
That strategy can produce immediate tactical gains. Court orders can disrupt infrastructure, unmask service providers and create a detailed public record of tactics that defenders can use to harden systems. But civil suits are not a substitute for federal criminal enforcement or diplomatic engagement with foreign jurisdictions where operators are believed to be based.
For policymakers and regulators, the case underscores a persistent governance question: how to allocate responsibility between private companies, financial institutions and government agencies for preventing and responding to large-scale fraud. The answer matters for fiscal outcomes, consumer protection and national security because large phishing operations can fund broader criminal enterprises and erode trust in digital commerce.
Practically speaking, the immediate stakes include whether courts will grant the injunctive relief Google requests, whether discovery will uncover additional victims or intermediaries, and whether the litigation spurs stronger cooperation between private platforms and U.S. law enforcement. The outcome could influence how companies and regulators prioritize civil litigation, technical defenses and cross-border investigative partnerships to deter similar campaigns in the future.
