If you own a phone, you have met Lighthouse. You may not know its name, but you know its work: the text claiming your USPS package is held pending a small fee, the urgent E-ZPass notice about an unpaid toll, the link that looks just legitimate enough to make your thumb hover over it. Those messages are not the scattered efforts of lone con artists. They are, increasingly, the output of an industrial supply chain — and in November 2025 Google decided to sue the factory.
The lawsuit, filed in the Southern District of New York, names 25 unnamed “foreign cybercriminals” and centers on a phishing-as-a-service platform called Lighthouse. (Worth noting up front: the operation is Lighthouse, not “Outsider Enterprise” — the latter appears to be a mis-recall. The real name matters, because Lighthouse has a paper trail.) Google alleges the platform is run by a China-based actor operating under the handle “Wang Duo Yu,” who previously ran an outfit known as the Smishing Triad before rebranding the kit in early 2025. The complaint brings claims under the RICO Act, the Lanham Act for trademark infringement, and the Computer Fraud and Abuse Act.
Phishing for dummies
What makes Lighthouse worth a federal racketeering suit is not any single clever trick. It is the packaging. Google describes the platform as essentially “phishing for dummies” — a turnkey product for criminals who lack the skill to build a convincing scam campaign themselves. Subscriptions reportedly run from around $88 a week to $1,588 a year, marketed through Telegram channels.
For that price, a subscriber gets a kit reported to include more than 600 templates for fraudulent websites, each engineered to impersonate one of 400-plus real institutions: postal services, toll authorities, banks, and large consumer brands. The pages don’t just harvest a password and stop. They are built to capture login credentials and the two-factor authentication codes that arrive seconds later, defeating the very protection most people assume keeps them safe. Google says it found at least 107 templates dressed up in Google’s own branding — which is both why the company has standing to sue and why it is framing this as trademark abuse rather than a generic act of public-spirited cleanup.
The scale described in the filing is hard to absorb. Google estimates Lighthouse and its predecessors have affected over a million victims across roughly 120 countries. Independent and law-enforcement figures cited alongside the case suggest that smishing operations of this type may have compromised somewhere between 12.7 million and 115 million U.S. payment cards in roughly a fifteen-month window from mid-2023 to late 2024. Even the conservative end of that range describes theft at a population scale.
Where the AI actually fits
The framing that drew attention to this story — that Google sued a group for “using AI tools to help scammers” — deserves a careful reading, because the AI angle is real but more diffuse than a single smoking gun. The court filing is not primarily a document about a rogue chatbot. It is about infrastructure: domains, templates, hosting, and a subscription business model.
Where AI enters is in two directions, and it is worth keeping them separate. The first is offensive. Phishing kits of this generation increasingly lean on automation and generative tools to mass-produce convincing message copy, spin up fresh fake domains faster than they can be blocked, and localize lures across dozens of languages and brands. That is the worrying trend the lawsuit gestures at: AI lowers the skill floor for fraud the same way Lighthouse’s templates do, turning a craft into a commodity. The second direction is defensive, and it is the part Google is loudest about. Alongside the suit, the company announced expanded use of AI to detect scam messages and new protections in Google Messages. The lawsuit and the product announcement are, transparently, two halves of one publicity strategy.
I would hedge here rather than overstate. If you are looking for proof that a specific large language model wrote these specific texts, the public filings do not hand it to you. What they do show is an ecosystem that has fully embraced automation, of which AI is the newest and most powerful layer. The honest version of the headline is that AI is accelerant, not arsonist — it makes an already industrialized fraud machine faster, cheaper, and harder to fingerprint.
Why a lawsuit, and why it may not be enough
There is something telling about Google reaching for civil litigation against 25 people it cannot name, in a jurisdiction the defendants will almost certainly never appear in. This is the same playbook Microsoft has used for years against botnets: you may never collar the operator, but a court order lets you seize domains, pressure registrars and hosts, and disrupt the plumbing. RICO and the Lanham Act are the legal crowbars for prying that infrastructure loose. The realistic goal is not a perp walk. It is friction.
And friction is the right frame, because the uncomfortable truth is that Lighthouse is a rebrand of the Smishing Triad, which itself absorbed earlier operations. Knock down the infrastructure and the model migrates. The economics are simply too good: near-zero marginal cost, a global victim pool, stolen card data that monetizes instantly, and prosecution that stops at the Chinese border.
For the rest of us, the practical lesson is older than any of this technology and still the most reliable defense. Legitimate organizations do not collect tolls or release packages through a link in an unsolicited text. The pressure to act now — a fee, a deadline, a fraud alert — is the tell, and AI makes that pressure more polished, not more trustworthy. Treat the urgency itself as the red flag. Google’s lawsuit may slow Lighthouse down. It will not turn the lights off. That part is still on us.
Sources: BleepingComputer, CNBC, Malwarebytes, Infosecurity Magazine, CBS News.
