Google announced on Tuesday that it has filed a lawsuit against a cybercriminal organization known as Smishing Triad, believed to operate out of China. The lawsuit marks the company’s latest effort to combat global cyber fraud and protect users from large-scale phishing operations exploiting text messaging platforms.

Active since at least 2023, Smishing Triad has conducted widespread SMS phishing (smishing) campaigns targeting victims across the world. The group’s attacks involve sending text messages that impersonate legitimate organizations — such as toll payment services (E-ZPass), postal carriers (USPS), banks, healthcare institutions, law enforcement agencies, and even social media platforms.

The malicious messages typically contain links to fake websites that mimic the legitimate services they claim to represent. Once users click on these links, they are prompted to enter sensitive personal information such as login credentials, banking data, or credit card numbers, which are then stolen and used for financial fraud or identity theft.

At the heart of Google’s lawsuit is Lighthouse, a phishing-as-a-service (PhaaS) kit operated by Smishing Triad. The kit streamlines the process of launching phishing campaigns, allowing cybercriminals to send deceptive messages and set up spoofed websites with minimal technical skill.

Google’s investigation revealed that Lighthouse targeted over one million users across more than 120 countries, with estimates suggesting that 12 million to 115 million credit cards were compromised in the United States alone.

Recent findings from Palo Alto Networks reinforce the scale of this operation, identifying more than 194,000 malicious domains linked to Smishing Triad activity. Google also discovered over 100 phishing templates designed to impersonate its own brand and services.

According to Halimah DeLaine Prado, Google’s General Counsel, “Our legal action is designed to dismantle the core infrastructure of this operation. We are bringing claims under the Racketeer Influenced and Corrupt Organizations Act (RICO), the Lanham Act, and the Computer Fraud and Abuse Act to shut it down and protect users.”

While it’s often difficult to identify the individuals behind cybercriminal operations, such lawsuits empower companies to:

Similar legal approaches have been used successfully by Microsoft to dismantle major phishing and malware networks, such as the ONNX and RaccoonO365 operations.

In addition to direct legal action, Google is advocating for stronger legislation against cyber-enabled crime. The company supports several bipartisan U.S. bills aimed at strengthening protections for vulnerable groups and improving government response, including:

Google’s lawsuit against the Smishing Triad underscores a growing trend: tech companies are taking proactive legal measures to combat cybercrime at its root. By combining legal, technical, and policy-driven approaches, the company aims not only to disrupt ongoing phishing operations but also to establish a stronger global framework for digital accountability and user protection.