Google May Have Found the Formula for Taking Down Foreign SMS Phishing Cartels

One of the endemic problems with putting a stop to cybercrime gangs is that they often sit in countries where they are beyond legal consequences, so long as they do not cross certain domestic lines at least. But Google’s new legal tactic against a Chinese SMS phishing gang appears to have immediately had an impact, driving them off of the Telegram channel they used to do business and causing at least one cloud service provider to give them the boot.

Google takes on SMS Phishing triad with racketeering charges

Google has brought a case against a China-based group called “Lighthouse,” part of a group of similar SMS phishing gangs being referred to as the “Smishing Triad” for their high rate of activity over roughly the past year. The groups are known for targeting individuals in the US by using familiar brand names, Google being one of their favorites to impersonate.

Since the operators are in China, a civil suit would usually be useless. But Google is applying the civil portion of the Racketeer Influenced and Corrupt Organizations (RICO) Act. While that still doesn’t really impact hackers hiding out in a foreign country, it does impact anyone they might do business with if they are found to be racketeering.

This is the first time a RICO case has been used against foreign hackers in this way, and the news of it alone seems to have put the Lighthouse business on ice. The hackers relied on Telegram channels for recruiting and plying their smishing-as-a-service trade to clients, all of which disappeared upon news of the suit breaking. Before they went dark, messages indicated at least one of the cloud service providers the SMS phishing gang relies on had already cut them off.

Much of the SMS phishing activity out of China, including the Lighthouse model, can also be traced back to an individual going by “Wang Duo Yu” on underground forums. While this is likely not their real name, they have been pegged as a Chinese university student majoring in computer science who started selling smishing kits (for as low as $50 for a full package) as a side hustle. The Google case also names 25 “John Does” as active Lighthouse members and co-conspirators. If identified, all of these people could be denied entry to the United States and would be taking a huge risk visiting any other country with an extradition treaty.

Inherent SMS vulnerabilities require awareness of criminal approaches

The Chinese SMS phishing gangs are not using any new tactics, but they have reduced barriers of entry such that they can deal in extremely high volume and they provide templates that are convincing to targets. In addition to Google they have been seen posing as the United States Postal Service (USPS) and E-ZPass.

The Lighthouse group’s Telegram had over 2,500 participants before it was taken down. Google estimates the hackers have stolen between 15 and 100 million credit card numbers from the US alone since mid-late 2024, and found that they were operating at least 100 phishing websites with fake Google branding designed to capture financial details and other sensitive information.

In addition to the RICO case, Google is filing utilizing terms of the Lanham Act (trademark violations) and the Computer Fraud and Abuse Act (CFAA). If it works this package could set a legal precedent for combating foreign cyber gangs, who still rely to a great deal on permission from legitimate international companies to use their services.