Google sues 25 China-based scammers behind Lighthouse ‘phishing for dummies’ kit

Summary

Google has filed a US lawsuit against 25 unnamed China-based defendants it accuses of operating Lighthouse, a phishing-as-a-service platform described in the complaint as a “phishing for dummies” kit. The company alleges Lighthouse helped criminals steal more than 115 million US credit card numbers by providing hundreds of ready-made phishing templates, domain setup tools and other services that let crooks impersonate legitimate sites.

Researchers say Lighthouse operators produced more than 200,000 fraudulent sites over a 20-day span and targeted over one million victims across 121 countries. The platform hosts over 600 phishing site templates mimicking more than 400 organisations; at least 116 templates imitated Google services (YouTube, Gmail, Google Play) and used Google branding, prompting the trademark and fraud claims.

The complaint invokes RICO, the Trademark Act and the Computer Fraud and Abuse Act, seeking to disrupt the operation and recover funds. Google also signalled work with US lawmakers, endorsing three bipartisan bills aimed at tackling foreign cybercrime and scam infrastructures, while noting practical limits on prosecuting actors based in China.

Key Points

  • Google sued 25 unnamed China-based operators tied to the Lighthouse phishing platform.
  • Google alleges Lighthouse helped criminals steal over 115 million US credit card numbers.
  • Lighthouse offers a subscription service with hundreds of phishing templates and domain tools; researchers link it to 200,000 fraudulent sites in 20 days.
  • At least 116 templates used Google branding to impersonate services such as Gmail and YouTube.
  • Google’s suit cites RICO, the Trademark Act and the CFAA and seeks to disrupt the operation and reclaim damages.
  • Extradition and US prosecution are unlikely because the defendants are believed to be in China, so Google is also pushing legislative and policy measures.

Context and relevance

Phishing-as-a-service commoditises fraud, letting less-skilled criminals run large-scale campaigns with minimal effort. This case highlights how quickly templates and turnkey tooling can scale attacks and why brand impersonation remains a major risk for both users and platform owners. It also underlines the limits of civil suits and criminal enforcement when alleged operators are overseas, pushing companies to combine legal action with policy advocacy and defensive measures.

Why should I read this?

Because if you care about customer safety, online fraud or brand abuse, this is a neat snapshot of how phishing has industrialised. It explains how a subscription service can turn into a global fraud machine and why legal action alone often isn’t enough — plus it’s useful ammo for security planning and awareness training.

Author

Punchy take: this isn’t just another takedown — it’s a sign that phishing is now sold like SaaS. Security teams, policy makers and product owners should read the detail to understand scale, the legal angles Google is using, and what steps might actually help blunt these operations.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/12/google_sues_25_chinabased_scammers/