Overview
- Google filed civil claims under RICO, the Lanham Act and the CFAA, seeking injunctions that would let hosts and carriers block Lighthouse-linked domains, servers and IPs. The company says this is the first suit targeting a phishing-as-a-service (PhaaS) operation.
- The complaint describes a turnkey kit that lets subscribers spin up spoof sites and blast SMS lures impersonating brands like USPS, E‑ZPass and Google to harvest credentials and payment data.
- Google cites more than 1 million victims in about 120 countries, roughly 200,000 fake sites created in 20 days, up to $1 billion stolen, and an estimated 12.7 million to 115 million U.S. credit cards compromised.
- Lighthouse allegedly offers hundreds of templates, including at least 107 with Google branding, and uses keystroke capture and MFA-code prompts to steal data even without a form submission.
- Investigations found about 2,500 participants coordinating on public Telegram channels, with roles spanning development, data brokering, spamming and theft. Google is simultaneously backing the GUARD Act, the Foreign Robocall Elimination Act and the SCAM Act.