Lucid and Lighthouse PhaaS phishing campaign at scale
Campaign
Summary
The Lighthouse and Lucid phishing-as-a-service ecosystem is scaling smishing campaigns across 316 brands in 74 countries, making credential theft and payment-card theft cheaper to industrialize. The services sell subscription access to pre-built impersonation templates and delivery features that help operators reach victims through Apple iMessage, RCS, and email. The same infrastructure has been linked to the XinXin group (changqixinyun) and spans sectors including toll companies, governments, postal companies, and financial institutions. In November 2025, Google filed a lawsuit to dismantle Lighthouse, saying the platform supported USPS and E-ZPass smishing and affected over 1 million victims across 120 countries.
Related Happenings
ATHR productized automated vishing platform for credential theft
Threat Actor Meta
First: 16.04.2026 17:09
Last: 16.04.2026 17:09
Sources 1
About this happening:
ATHR is turning **automated vishing** into a **productized underground service**, lowering the barrier for credential theft across **Google**, **Microsoft**, **Coinbase**, and oth...
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
Campaign
First: 09.03.2026 23:24
Last: 09.03.2026 23:24
Sources 1
About this happening:
An **ongoing Russian state-sponsored phishing campaign** is targeting **Signal** and **WhatsApp** users, with the **UK NCSC** warning on **March 31** that **Russia-based actors**...
Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover
Threat Actor Meta
First: 20.02.2026 22:00
Last: 20.02.2026 22:00
Sources 1
About this happening:
A new phishing-as-a-service operation tied to **Jinkusu** is proxying real login pages through attacker infrastructure, making **MFA bypass** and account takeover easier for low-s...
Microsoft Entra device code phishing and vishing campaign
Campaign
First: 19.02.2026 14:30
Last: 19.02.2026 14:30
Sources 1
About this happening:
A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...
Starkiller dark-web phishing platform scales credential theft as a SaaS-style criminal service
Threat Actor Meta
First: 19.02.2026 14:00
Last: 19.02.2026 14:00
Sources 1
About this happening:
The **Starkiller** phishing platform has emerged as a **SaaS-style criminal service**, raising the scale and durability of credential theft operations. It is sold on the **dark we...
Timeline
- 12.11.2025 22:59 · 1 article · 6mo ago
Google files lawsuit to dismantle Lighthouse PhaaS
Legal Policy Action Update
Google filed a lawsuit to dismantle Lighthouse, a phishing-as-a-service platform used for USPS and E-ZPass smishing that steals credit card information. Google says the operation has affected over 1 million victims across 120 countries, and its complaint invokes the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act, and the Computer Fraud and Abuse Act.
- Google sues to dismantle Chinese phishing platform behind US toll scams — www.bleepingcomputer.com — 12.11.2025 22:59
- 19.09.2025 17:02 · 2 articles · 8mo ago
Lighthouse and Lucid phishing infrastructure at global scale
Campaign Scope Update
Lighthouse and Lucid phishing-as-a-service operations are tied to more than 17,500 phishing domains targeting 316 brands across 74 countries, with Lucid linked to the XinXin group (changqixinyun) and used for smishing via Apple iMessage and Rich Communication Services (RCS). The broader ecosystem also includes template customization, real-time victim monitoring, and subscription access priced from $88 for a week to $1,588 for a yearly subscription, with targeting that spans toll companies, governments, postal companies, and financial institutions.
- 17,500 Phishing Domains Target 316 Brands Across 74 Countries in Global PhaaS Surge — thehackernews.com — 19.09.2025 17:02