Google Takes Legal Action Against Chinese Phishing Platform Linked to US Toll Scams
Google has taken legal action to dismantle the “Lighthouse” phishing-as-a-service (PhaaS) platform, which has been utilized by cybercriminals globally to conduct SMS phishing attacks that imitate the U.S. Postal Service (USPS) and E-ZPass toll systems to steal credit card information.
The lawsuit aims to take down the website infrastructure that supports Lighthouse. According to Google, the platform has impacted over 1 million victims in 120 countries. The scams run through it resulted in the theft of approximately 115 million payment cards in the U.S. alone between July 2023 and October 2024.
Google’s lawsuit against the Lighthouse platform includes allegations under federal racketeering and fraud laws, such as the Racketeer Influenced and Corrupt Organizations Act, Lanham Act, and the Computer Fraud and Abuse Act.
Lighthouse PhaaS Exploited in Toll and Delivery Scams
Google has revealed that Lighthouse provides phishing templates and infrastructure that let other cybercriminals send text messages purporting to be from reputable services like USPS or toll payment systems like E-ZPass.
Previous reports by BleepingComputer have highlighted large-scale phishing campaigns targeting individuals in the U.S., masquerading as toll authorities.

The hyperlinks within these smishing texts direct recipients to websites that impersonate toll authorities, claiming the individual has outstanding toll charges. However, the primary aim of these websites is to illicitly obtain personal information and credit card details for further financial fraud.

The platform capitalizes on the reputations of Google and other brands by unlawfully displaying their trademarks and services on fraudulent websites. Google has identified at least 107 phishing website templates that feature its branding on sign-in screens designed to deceive users into believing the sites are legitimate.
According to Cisco Talos researchers, Lighthouse has been linked to smishing kits developed by the Chinese threat actor known as “Wang Duo Yu,” who operates Telegram channels to distribute and support the Lighthouse phishing kits.

The phishing platform enables threat actors to send text messages via iMessage (iOS) and RCS (Android), potentially bypassing spam filters.
Talos has observed multiple threat actors utilizing Wang Duo Yu’s kits to execute toll road scams across various states in the U.S., sending fake E-ZPass billing alerts to users in states like Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas since October 2024.
Talos noted the use of thousands of typosquatted domains in these scams, indicating the continued operation of the scheme into 2025.
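For defenders triaging reported texts, the sketch below flags links whose hostname imitates USPS or E-ZPass without belonging to an official domain. It is an added example, not code from Google, Talos or the original article; the allowlist, the `.example` hostnames and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative allowlist. usps.com is the real USPS site; the toll
# entry is a placeholder, since each E-ZPass agency runs its own domain.
OFFICIAL = {"usps": {"usps.com"}, "ezpass": {"tollagency.example"}}
LOOKALIKES = str.maketrans("0135", "oles")  # digit-for-letter swaps
URL_RE = re.compile(r"https?://\S+", re.I)


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(host):
    """Return the brand a hostname imitates, or None if official or unrelated."""
    host = host.lower().rstrip(".")
    for domains in OFFICIAL.values():
        if any(host == d or host.endswith("." + d) for d in domains):
            return None  # genuine site or one of its subdomains
    # Undo common disguises: hyphen padding and digit lookalikes.
    labels = [l.replace("-", "").translate(LOOKALIKES) for l in host.split(".")]
    for brand in OFFICIAL:
        for label in labels:
            if brand in label or edit_distance(label, brand) <= 1:
                return brand
    return None


def flag_sms(text):
    """Return (url, brand) pairs for links in an SMS body that imitate a brand."""
    hits = []
    for url in URL_RE.findall(text):
        brand = impersonated_brand(urlsplit(url).hostname or "")
        if brand:
            hits.append((url, brand))
    return hits


# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    "E-ZPass: unpaid toll. Pay now at https://e-zpass-billing.example/pay",
    "USPS: package held, confirm address http://u5ps.track.example/a",
    "Your USPS label is ready: https://tools.usps.com/label",
    "Lunch at noon? https://cafe.example/menu",
]
```

The one-edit fuzzy match is a triage signal rather than a verdict: short brand names sit close to unrelated legitimate names (ups.com is one edit from "usps"), so such neighbours need their own allowlist entries.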
Netcraft reported that Wang Duo Yu promoted Lighthouse as a commercial phishing kit, offering subscription prices ranging from $88 per week to $1,588 per year.
The platform supported customizable templates capable of stealing login credentials and two-factor authentication (2FA) codes.
Initially known as the “Smishing Triad,” the group rebranded as Lighthouse in March 2025, as reported by Brian Krebs. Similar campaigns have been attributed to other Chinese threat actors operating phishing-as-a-service platforms like Darcula and Lucid.
However, Netcraft highlighted that Lighthouse utilizes the same ‘LOAFING OUT LOUD’ fake shop template as Lucid, suggesting a potential connection between the groups.
Google Endorses New U.S. Policies
Google has also expressed support for several U.S. policy initiatives aimed at safeguarding consumers against scams and cybercrime originating from foreign entities:
- Guarding Unprotected Aging Retirees from Deception (GUARD) Act: Empowers state and local law enforcement to probe fraud targeting retirees.
- Foreign Robocall Elimination Act: Establishes a task force to block unlawful robocalls originating overseas.
- Scam Compound Accountability and Mobilization (SCAM) Act: Sets up a national strategy to combat scam compounds and impose sanctions on operators.
Google has announced the expansion of its AI utilization to identify scam messages, enhancements in Google Messages for added protection, and improvements in account recovery through Recovery Contacts.
The company pledges to continue its efforts in public education and partnerships to help users recognize and avoid falling victim to such scams.

