Google has filed a lawsuit against a group of Chinese hackers that it claims sells software to help criminals run online scams, which the US tech giant said have ensnared 1 million people in 121 countries and stolen $1 billion (€860 million).
The group runs a platform called “Lighthouse”, which charges a monthly fee for “phishing services” that help criminals run massive campaigns to extract sensitive information, according to a complaint filed in the Southern District of New York on Wednesday.
These phishing campaigns generate fake emails, text messages and websites impersonating Google’s brands such as Gmail and YouTube, as well as others including the New York City government or the US Postal Service (USPS).
Google hopes to win a judgment under the US racketeering and computer fraud laws that would allow it to work with cellular networks and companies that host websites to take down the domains and servers underpinning the operation.
“Criminals are leveraging the trust and reputation of our brand to lure users into unsafe phishing attacks,” Google’s general counsel Halimah DeLaine Prado said in an interview. “The ability to put our engineers and lawyers to work to actually fight on behalf of those users is a necessary thing to do.”
The China-based “Lighthouse Enterprise” uses online forums, YouTube channels and the messaging app Telegram to market its services and plan attacks, recruiting and training members and using their experiences to fine-tune its software, according to Google’s case.

Criminals can choose from hundreds of templates for fake websites mocked up by a “developer group” in exchange for a fee paid in cryptocurrency.
A “data group” then provides a list of victims to a “spammer group” to send millions of SMS text messages with links to the sites where victims are encouraged to enter their personal and financial details. These are then stolen and used to access bank or email accounts or populate digital wallets, or simply sold for profit.
The Telegram user named in the Google lawsuit as the main administrator of the largest channel selling Lighthouse software declined to respond to questions regarding Google’s allegations.
The user initially said that they were not connected to the channel, then acknowledged being an administrator but said they rarely check it.
The channel remained active, with users making unverified claims to possess passwords for email accounts and selling the capability to send up to 200,000 text messages a day to Japanese, Australian and other phone numbers.
Google cited data from cyber security company Silent Push alleging that in a 20-day period this year a Chinese criminal group called “Smishing Triad” used Lighthouse to make 200,000 fraudulent websites, which received 50,000 visits a day, helping compromise millions of US credit cards.
“It becomes a little bit of a game of whack-a-mole, but we’re actually able to identify the offenders and go after them individually,” Ms DeLaine Prado added. “It should provide a pretty decent ripple effect of a deterrent ... by continuing to do this, we make certain types of phishing attacks less desirable.”
The most popular scam involves impersonating the USPS, claiming someone has missed a package and needs to pay a small fee for redelivery.
More than 90 per cent of successful cyber attacks begin with a phishing email and there are 3.4 billion of them every day, according to the US Cybersecurity and Infrastructure Security Agency.
The scams are becoming increasingly sophisticated as criminals learn to use artificial intelligence to create hyper-personalised messages by scraping social media and other online profiles.
Alphabet, Google’s parent company, is also sponsoring three congressional bills designed to protect consumers from scams, Ms DeLaine Prado said. The most notable is Guarding Unprotected Aging Retirees from Deception, which would grant federal funding to investigate networks targeting the elderly. – Copyright The Financial Times Limited 2025

















