Signage at Google headquarters in Mountain View, California, US, on Thursday, Oct. 23, 2025.
Google filed a lawsuit on Wednesday against a foreign cybercriminal group behind a massive SMS phishing, or "smishing," operation.
Dubbed by some cyber researchers as the "Smishing Triad," the organization, which Google said is largely based out of China, uses a phishing-as-a-service kit named "Lighthouse" to create and deploy attacks using fraudulent texts.
The crime group has amassed over a million victims across 120 countries, Google said in a release.
"They were preying on users' trust in reputable brands such as E-ZPass, the U.S. Postal Service, and even us as Google," Google general counsel Halimah DeLaine Prado told CNBC. "The 'Lighthouse' enterprise or software creates a bunch of templates in which you create fake websites to pull users' information."
Google brought claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse (CFAA) Act and is seeking to dismantle the group and the "Lighthouse" platform.
The texts usually contain malicious links to a fake website designed to steal victims' sensitive financial information, including social security numbers, banking credentials, and more.
The messages can often appear in the form of a fake fraud alert, delivery update, unpaid government fee notification, or other seemingly urgent texts.
The crime group has stolen approximately between 12.7 million and 115 million credit cards in the U.S. alone, Google said.
"The idea is to prevent its continued proliferation, deter others from doing something similarly, as well as protect both the users and brands that were misused in these websites from future harm," DeLaine Prado said.