Google filed a civil lawsuit in the US District Court for the Southern District of New York against 25 unnamed defendants tied to a massive phishing operation that has reportedly victimized more than 1 million people across 120 countries.

The target: a phishing-as-a-service platform called Lighthouse, also linked to operations known as Darcula and the Smishing Triad. Google estimates the overall harm from this operation exceeds $1 billion.

What Lighthouse actually does

Instead of running scams directly, the platform provides templates, infrastructure, and tools that let even novice criminals launch sophisticated SMS phishing campaigns, commonly called “smishing.”

The scam texts impersonated trusted organizations like the US Postal Service and the IRS. Victims who clicked through were redirected to convincing but fraudulent websites designed to harvest payment information and personal data.

Google cited estimates that between 15 million and 100 million US credit cards may have been compromised through these campaigns. Other estimates referenced in reporting around the case place the range between 12.7 million and 115 million cards.

Why Google is using the RICO Act

Google is deploying the Racketeer Influenced and Corrupt Organizations Act, a law originally designed to dismantle organized crime syndicates like the Mafia. Using RICO against cybercriminals is described as a pioneering application of the statute in this context.

Google is seeking injunctive relief and aiming to unmask the operators behind the platform. The 25 defendants are currently unnamed, which underscores one of the central challenges in prosecuting cybercriminals who operate from jurisdictions beyond direct US legal reach.

This lawsuit represents a deliberate shift in Google’s approach. Rather than playing whack-a-mole with individual scammers, the company is going after the infrastructure itself.

To complement the legal action, Google has endorsed three bipartisan bills in the US Congress aimed at combating international scams.

The AI question

Reports around the lawsuit have referenced the use of artificial intelligence in crafting scam messages. However, the research around the court filings indicates no concrete evidence has been presented to substantiate AI involvement specifically.

What is clear is that Lighthouse lowered the barrier to entry for smishing dramatically. Whether that involved AI or simply well-designed phishing kits and distribution infrastructure, the end result was the same: millions of fraudulent messages reaching victims worldwide.