Google has filed a major lawsuit against a China-based cybercriminal group known as the Smishing Triad, accusing it of orchestrating one of the world’s largest and most sophisticated text-message phishing operations.
The complaint, filed in a U.S. federal court, alleges that the syndicate used a phishing-as-a-service (PhaaS) platform called “Lighthouse” to distribute fraudulent text messages through SMS, Apple iMessage, and Android RCS (Rich Communication Services), deceiving millions of victims worldwide into revealing sensitive personal and financial information.
The case marks the first time a major technology company has taken direct legal action against a global smishing network.
Smishing Triad: The Rise of a Global Fraud Syndicate
The Smishing Triad first came to light in August 2023, when Resecurity, a California-based cybersecurity firm, uncovered a large-scale campaign targeting U.S. citizens through iMessage-based postal delivery scams.
Resecurity’s researchers traced the activity to a Chinese-speaking threat group using compromised Apple iCloud accounts to distribute fake delivery messages. These messages impersonated reputable institutions, including the U.S. Postal Service (USPS), Royal Mail, NZ Post, Poste Italiane, and Agenzia delle Entrate (Italian Revenue Agency).
Victims were tricked into clicking on malicious links leading to convincing replicas of legitimate websites. Once there, they were prompted to provide credit card details, personal data, and login credentials — all of which were captured by the attackers for identity theft and financial fraud.
Resecurity’s investigation revealed over 108,000 stolen records after exploiting a vulnerability in the group’s phishing kit, exposing the scale of their global operation.
Read Full Report: “Smishing Triad” Targeted USPS and US Citizens for Data Theft
Phishing-as-a-Service: The ‘Lighthouse’ Platform
At the center of the campaign is “Lighthouse”, a phishing toolkit sold via Telegram channels for around $200 (Rs 16,700) per month.
The kit allowed criminals with minimal technical skills to deploy their own smishing operations. It came with customizable templates impersonating global brands and agencies — from USPS and UPS to E-ZPass and Google itself.
Google’s legal filing revealed that over 100 fake website templates were generated through Lighthouse, many designed to mimic Google’s sign-in pages to harvest credentials.
Investigators also discovered that the Smishing Triad operated a Telegram community of more than 2,500 members, which functioned like a structured cybercrime enterprise.
- Data brokers provided victim databases.
- Spammers distributed phishing messages.
- Theft teams monetized stolen credentials through financial fraud.
Resecurity described the Smishing Triad as a full-fledged Cybercrime-as-a-Service (CaaS) ecosystem — equipping other criminal groups with ready-to-use phishing infrastructure to target consumers globally.
Scale of the Financial Damage
According to Google’s internal investigation, the Smishing Triad may have compromised between 12.7 million and 115 million U.S. credit cards.
The fraudulent text messages typically claimed to be updates about package deliveries, unpaid tolls, or government notices, urging recipients to act immediately. The links then led to fake portals that collected personal and payment information.
Halimah DeLaine Prado, Google’s General Counsel, said the operation exploited public trust in household brands.
“They were preying on users’ trust in reputable services like E-ZPass, the U.S. Postal Service, and even Google. Our goal is to disrupt their operations, deter others, and protect both users and brands from ongoing harm,” said Halimah DeLaine Prado.
Legal Grounds and Broader Impact
Google’s lawsuit cites violations under three major U.S. laws:
- The Racketeer Influenced and Corrupt Organizations (RICO) Act, targeting organized criminal enterprises.
- The Lanham Act, addressing trademark misuse.
- The Computer Fraud and Abuse Act (CFAA), covering unauthorized access to computer systems.
The company emphasized that this legal action is not only about accountability but also about deterrence. “While litigation is one path to disruption, we also need stronger policy frameworks to combat this type of cybercrime,” DeLaine Prado added.
Resecurity’s Findings Support the Case
Resecurity’s earlier reports provide crucial context for Google’s lawsuit. The firm had traced the Smishing Triad’s network across multiple regions, linking its campaigns to attacks on postal, toll, and banking services in countries including India, Italy, the UAE, Pakistan, Japan, and Australia.
The cybersecurity company also identified that the group’s operations were coordinated from Chinese-speaking Telegram channels, where members sold and customized phishing kits for different regions.
Resecurity analysts noted that the Triad’s tactics combined social engineering, compromised cloud accounts, and phishing infrastructure, making detection difficult and enabling large-scale fraud.
Google Pushes for Stronger Consumer Protection Laws
In parallel with its legal action, Google is supporting new bipartisan legislation in the United States aimed at curbing online fraud. These include:
- The GUARD Act, focused on protecting elderly victims from online scams.
- The Foreign Robocall Elimination Act, to disrupt illegal overseas scam operations.
- The Scam Compound Accountability and Mobilization Act, targeting organized scam centers and supporting trafficking victims.
Google has also introduced new AI-driven anti-spam systems and a Key Verifier feature in Google Messages to detect suspicious activity and verify sender authenticity.
A Growing Threat to Global Consumers
The Smishing Triad’s reach — and the accessibility of its tools — underscores the growing industrialization of cybercrime. By turning phishing into a subscription-based business, the group has lowered the barrier for entry for cybercriminals worldwide.
As Resecurity’s findings and Google’s legal pursuit show, smishing has evolved far beyond nuisance texts. It is now a global threat targeting the everyday digital habits of millions.
The lawsuit against the Smishing Triad may be a crucial step toward dismantling one of the most pervasive cyber fraud networks in the world — and a warning to others who trade in digital deception.
