Sue The Hackers – Google Sues Over Phishing as a Service
<p>When something goes wrong, after exhausting all other possible alternatives, a company may go to its lawyer with the silliest question you can ever ask a lawyer — “Can I sue?”<br><br>The basic answer is, “if it moves, sue it…” “If it doesn’t move… move it… then sue it…” And when asked, “What would I sue for?” the answer is “For a real long time…”<br><br>Of course, this is a bit facetious. Lawyers are required to have a good faith belief, backed by evidence and a reasonable investigation, that they have a proper cause of action before filing a lawsuit. But civil litigation has increasingly complemented criminal investigations in hacking and related cases. Even when getting an award of damages is unlikely, civil litigation can result in injunctive relief, discovery, and help prevent future harm.</p><h3>Google’s “Lighthouse” PhaaS Lawsuit</h3><p>On November 12, 2025, Google filed a lawsuit in the Southern District of New York against the operators of a massive “Phishing-as-a-Service” platform called Lighthouse. It wasn’t just trying to make a point. It was making a move. The complaint reads like a hybrid between a hacking indictment and a racketeering case. Lighthouse, Google alleged, sold ready-made phishing kits that impersonated brands like E-ZPass, USPS, and Google itself — complete with sign-in screens using Google’s trademarks. Those kits, rented out to criminals worldwide, helped steal credentials and credit card data from millions of users. Google’s legal response? Don’t just wait for law enforcement. Sue the hackers.<br><br>The company’s lawsuit, Google LLC v. Does 1–25, No. 1:25-cv-09421 (S.D.N.Y. filed Nov. 12, 2025), uses a three-pronged legal attack: the Computer Fraud and Abuse Act (CFAA), the Lanham Act (trademark law), and the Racketeer Influenced and Corrupt Organizations Act (RICO). 
Each plays a different role — one targeting unauthorized access, another targeting brand misuse, and a third treating the entire Lighthouse operation as an organized criminal enterprise. Google’s goal isn’t just to win damages — it’s to get injunctions that let it seize or disable the domains, servers, and hosting accounts that make Lighthouse run. In a world where many hackers are overseas and beyond extradition, civil courts are becoming a new battlefield.</p><h3>The Rise of the Civil Cyber Lawsuit</h3><p>When hackers compromise a company’s systems, the instinct is to call the FBI or Secret Service. That’s appropriate, but it’s also limited: most cybercriminals are never prosecuted, especially those operating from countries that refuse extradition. 
Civil litigation offers another option. The idea is to use existing laws — criminal statutes that also provide private rights of action, intellectual property protections, and even contract law — to strike back through the courts.<br><br>Google’s Lighthouse case is the latest in a line of creative civil suits brought by tech companies that refuse to wait for indictments. Microsoft, Meta, Cisco and others have spent more than a decade using civil law to dismantle infrastructure, seize domains, and expose actors behind major cyber operations.<br><br>The approach is not symbolic — it’s operational. Courts can issue injunctions faster than international law enforcement can coordinate arrests, and once a domain or hosting provider is under a court order, the infrastructure itself can be neutralized. In recent years, many different strategies have been deployed – using various federal or state laws – to help private entities go after hackers or other digital threats. Here are a few:</p><h3>The Computer Fraud and Abuse Act (CFAA)</h3><p>The CFAA, 18 U.S.C. § 1030, is the backbone of anti-hacking law. It criminalizes unauthorized access to “protected computers” and, crucially, allows victims to file their own lawsuits. Section 1030(g) lets companies seek damages and injunctive relief if they can show loss or damage from the intrusion.<br><br>Microsoft used the CFAA to take down multiple botnets, including Rustock, Zeus, and Necurs. In Microsoft Corp. v. John Does 1–11, 2012 WL 5497956 (E.D. Va. Nov. 13, 2012), the court approved an injunction allowing Microsoft to seize servers inside U.S. data centers. Those actions crippled spam and credential-stealing networks by rerouting command-and-control traffic to “sinkhole” servers controlled by Microsoft and its partners. Google’s Lighthouse lawsuit applies the CFAA to a different problem: phishing kits and smishing campaigns. 
By alleging that Lighthouse’s fake Google login pages constitute “unauthorized access attempts” and cause damage to protected computers, Google uses the same law to attack the infrastructure of fraud rather than malware itself.</p><h3>The Lanham Act (Trademark Law)</h3><p>The Lanham Act, 15 U.S.C. § 1125(a), is typically used to stop counterfeit goods or false advertising — not cybercrime. But in phishing operations, brand impersonation is the point of the crime. Google’s complaint highlights more than a hundred phishing templates bearing Google’s logos and user-interface designs. By using these marks to deceive victims, Lighthouse didn’t just commit fraud — it violated trademark law. That’s a key legal move, because trademark violations give U.S. courts the power to seize domains and issue injunctions without needing to prove computer access or hacking intent.<br><br>Trademark law also has a global reach. Courts routinely transfer infringing domains and order registrars to shut down counterfeit websites. Microsoft, Cisco, and Meta have all used the Lanham Act in tandem with the CFAA to target domains that impersonate their products.<br><br>This tactic reframes phishing and fraud as a form of brand abuse. For companies that own globally recognized marks, it’s a way to make trademark law part of cybersecurity response.</p><h3>RICO: Treating Hackers as Enterprises</h3><p>The Racketeer Influenced and Corrupt Organizations Act (RICO), 18 U.S.C. §§ 1961–68, was designed for organized crime, but it’s found new life in cyber litigation. RICO allows private plaintiffs to sue for treble damages when they’re harmed by a “pattern of racketeering activity,” which can include wire fraud, identity theft, and computer intrusion. Microsoft used RICO successfully in its botnet cases. Google’s Lighthouse lawsuit uses it too, arguing that Lighthouse is an enterprise engaged in ongoing criminal activity — a service that knowingly enables and profits from phishing. 
Civil RICO cases carry powerful remedies: broad injunctive relief, asset freezes, and discovery tools that can reach intermediaries such as domain registrars and payment processors. In effect, it turns the hacker ecosystem into a racketeering network, allowing companies to target not just the end-user criminals but the infrastructure providers who profit from them.</p><h3>State Laws and Contract Claims</h3><p>Many states, including California, have their own computer-crime statutes that allow private suits. California’s Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502, mirrors the CFAA and often accompanies federal claims. Meanwhile, contract law provides another option. When attackers create fake accounts, scrape data, or misuse APIs, they typically violate the platform’s Terms of Service. That creates a civil breach of contract.<br><br>In Facebook Inc. v. Basafa, No. 5:19-cv-03414 (N.D. Cal. 2020), Meta sued Iranian nationals who ran fake Instagram “engagement” services. Because the defendants agreed to Instagram’s terms when registering, their automated abuse became a breach of contract. The court issued a permanent injunction, giving Meta the authority to seize and disable their domains.</p><h3>From Law to Playbook: What This Means for Security Teams</h3><p>The most important takeaway from the Lighthouse case — and the decade of litigation that led to it — is that civil law is becoming part of the cybersecurity toolkit. Security teams already gather the evidence needed for these cases: IP addresses, phishing domains, code samples, and transaction data. That same evidence can support legal claims that get real-world results.</p><h3>The New Normal: Fighting Hackers in Court</h3><p>The Lighthouse complaint marks an evolution. What began as a fight against spam and botnets has matured into a global legal strategy that treats cybercrime as organized commercial fraud. 
It leverages civil law to do what law enforcement alone cannot: disrupt, unmask, and dismantle at scale.<br><br>There is no guarantee Google will ever collect damages or identify the individuals behind Lighthouse. But that may not matter. The real power lies in the injunctions — the ability to get a court order that forces domain registrars and hosting providers to shut the network down. In short, the case illustrates a new era of active defense through civil litigation. In cyberspace, where criminal law often stops at the border, companies are discovering that the courthouse may be the most effective weapon left. All while you work with the FBI and other law enforcement agencies as well.</p>