Traditional domain monitoring assumed attackers registered malicious domains one at a time. At 194,000 domains and counting, that assumption has collapsed.
The infrastructure has a rhythm to it. Domains register through Hong Kong-based services, resolve through Chinese nameservers, and go live on U.S. cloud platforms within hours. Some exploit dynamic DNS services to further obscure attribution. They harvest credentials for a few days, maybe a week, then go dark before abuse reports reach the right desk. In their place, fresh domains spin up on different registrars, pointed at different hosting providers, targeting the same brands with the same templates. The cycle repeats at a pace that makes traditional domain monitoring feel almost ceremonial.
When Google filed a RICO lawsuit in November 2025 against the operators of Lighthouse, a Chinese-language phishing-as-a-service platform, the complaint described more than 600 phishing templates targeting over 400 brands. But Lighthouse was just one storefront in a much larger operation. The broader ecosystem has deployed more than 194,000 malicious domains since January 2024. Roughly 25,000 are active at any moment. More than 80% have lifespans under two weeks.
The numbers matter less than what they represent: domain registration optimized for disposability. The operators treat domains the way a legitimate SaaS company treats cloud instances, as infrastructure to be provisioned, used, and terminated without sentiment. The economics work because registration costs almost nothing and takedowns cost everything.
Why lookalike domain monitoring stopped working
Anyone who has worked a brand protection desk understands the arithmetic. Registering a domain costs a few dollars and takes seconds. Removing it requires evidence gathering, documentation, registrar outreach, and follow-up, often spanning days or weeks and involving security professionals whose time costs considerably more than the attacker’s entire registration fee.
That imbalance existed for years, but it was manageable when attackers registered domains in the dozens or hundreds. It breaks entirely at six figures, especially when the infrastructure is designed to churn faster than defenders can respond.
Traditional lookalike domain monitoring still catches threats: flagging new registrations that match known typosquatting patterns, prioritizing them by hosting reputation, watching certificate transparency logs for lookalike hostnames. These approaches work, but they were built for an era when attackers maintained infrastructure long enough to be caught. When domain lifecycles drop below the time required to complete a takedown, the model inverts: detection becomes a lagging indicator rather than an early warning.
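The detection side described above is the part that still works, so it is worth seeing what it actually does. The following is an added example, not code from the article or from any monitoring vendor: it triages a batch of hostnames in the shape a certificate transparency monitor would emit, folding homoglyphs and digit substitutions before comparing each label against a brand list. The brand names, allowlist, hostnames and the short homoglyph table are all constructed for illustration; a real deployment would use a public suffix list and a far larger confusable-character table.

```python
import unicodedata
from difflib import SequenceMatcher

# Homoglyph map: substitutions attackers use to imitate Latin letters.
# Deliberately partial (constructed for this example).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic а
    "\u043e": "o",  # Cyrillic о
    "\u0435": "e",  # Cyrillic е
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
}

# Constructed brand list and allowlist (hypothetical, not from the article).
BRANDS = ["google", "acmebank", "fasttoll"]
ALLOWLIST = {"google.com", "www.google.com"}

# Constructed hostnames in the shape a CT-log monitor would emit (not real data).
SAMPLE_HOSTNAMES = [
    "www.google.com",                 # legitimate, allowlisted
    "google-account-verify.com",      # combosquat: brand plus lure words
    "g\u043e\u043egle.com",           # homoglyph: Cyrillic о for Latin o
    "goog1e-security.net",            # digit-for-letter substitution
    "gogle-login.com",                # typosquat: one letter dropped
    "acmebank-secure-login.com",
    "fast-toll.com",                  # brand with a hyphen inserted
    "news.example.org",               # benign
]


def normalize_label(label: str) -> str:
    """Fold a DNS label to the Latin string a victim would read it as."""
    if label.startswith("xn--"):                       # punycode as seen in CT logs
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKC", label).lower()
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    return label.replace("rn", "m").replace("vv", "w")  # lossy, for matching only


def classify(hostname: str, brands=BRANDS, allowlist=ALLOWLIST):
    """Return (brand, reason, label) for a lookalike, or None when nothing matches."""
    hostname = hostname.lower().rstrip(".")
    if hostname in allowlist:
        return None
    # Drop the TLD only; no public-suffix handling (simplification).
    for raw in hostname.split(".")[:-1]:
        norm = normalize_label(raw)
        tokens = norm.split("-")
        for brand in brands:
            if norm == brand:
                return (brand, "homoglyph" if raw != brand else "brand_label", raw)
            if brand in tokens:
                return (brand, "brand_token", raw)
            if brand in norm.replace("-", ""):
                return (brand, "brand_substring", raw)
            for tok in tokens:
                if len(tok) >= 4 and SequenceMatcher(None, tok, brand).ratio() >= 0.8:
                    return (brand, "typosquat", raw)
    return None


def triage(hostnames, brands=BRANDS, allowlist=ALLOWLIST):
    """Map each flagged hostname to its (brand, reason, label) verdict."""
    hits = {}
    for host in hostnames:
        verdict = classify(host, brands, allowlist)
        if verdict:
            hits[host] = verdict
    return hits


if __name__ == "__main__":
    for host, (brand, reason, label) in triage(SAMPLE_HOSTNAMES).items():
        print(f"{host:32} {brand:10} {reason:16} label={label}")
```

The checks run from strongest to weakest signal (exact brand after normalization, brand as a hyphenated token, brand as a substring, then fuzzy similarity), so the reason reported is the most specific one that fired. Note that every verdict here is produced within milliseconds of the hostname appearing; the hours or days that follow, documenting the hit and getting it removed, are where the article's argument lives.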
The bottleneck isn’t identification. Modern tools flag suspicious domains quickly enough. The bottleneck is everything after: evidence gathering, registrar outreach, abuse reporting, escalation through hosting providers. Some domains sit parked for days before going live, giving defenders a theoretical window. But the median time from domain registration to first victim contact is still measured in hours. The median time to complete a takedown is measured in days. By the time removal completes, the domain has already been abandoned for its replacement.
How jurisdictional gaps defeat takedowns
The international structure of these operations isn’t incidental. It’s architecture.
Domains registered in Hong Kong. Nameservers in China. Hosting in the United States. Victims in eight or more states. Each layer involves different abuse reporting processes, response times, and legal frameworks. Registrar abuse contacts are designed for individual complaints, not bulk removal requests spanning tens of thousands of domains. Hosting providers are understandably cautious about mass suspensions that might affect legitimate customers sharing the same infrastructure.
A domain registered in one jurisdiction, hosted in another, and targeting victims in a third creates enforcement gaps at every handoff. The operators have said openly in Telegram channels that they don’t fear U.S. law enforcement. They work from China, they note, with “complete freedom of action.” Whether that confidence is warranted, it reflects an accurate read of the jurisdictional gaps that make prosecution difficult and extradition unlikely.
The downstream damage has been substantial. Chinese smishing operations may have compromised somewhere between 12 million and 115 million U.S. payment cards between mid-2023 and late 2024, with financial losses reaching into the billions. The range is wide because the infrastructure is opaque, but even the lower bound represents credential theft at a scale that traditional monitoring was never designed to address.
What Google's lawsuit reveals
Google’s RICO lawsuit represents an attempt to change the equation by targeting the platform that supplies the infrastructure rather than individual domains. Rather than filing abuse reports one at a time, Google pursued Lighthouse’s operators under racketeering statutes, treating the phishing operation as an organized criminal enterprise. The complaint also cites trademark violations, since Lighthouse templates prominently featured Google’s logos, but the RICO framing opens broader remedies than simple takedown requests ever could.
The immediate result, Lighthouse’s servers going dark, suggests the approach has teeth. Arrests have followed in multiple jurisdictions: individuals apprehended in Singapore and Australia attempting to use stolen payment cards, others in California and Tennessee connected to the “Ghost Tap” cash-out method, which loads stolen card data into mobile wallets and relays NFC tap-to-pay transactions to buy physical goods.
But these enforcement actions are downstream of the infrastructure problem. The domains that enabled the card theft were registered, used, and abandoned long before any arrest occurred. Lighthouse is one of dozens of phishing-as-a-service platforms in this ecosystem. Related operations, including ones tracked under names like Lucid, Darcula, and Panda Shop, share tools, techniques, and sometimes personnel. Taking down one storefront doesn’t close the mall.
What the lawsuit reveals is less about Lighthouse specifically and more about the limits of domain-by-domain enforcement when the infrastructure operates as fraud-as-a-service at industrial scale. The ecosystem regenerates faster than prosecution can dismantle it. Winning individual cases matters, but it doesn’t change the underlying economics.
What domain protection has to become
Responding to infrastructure at this scale requires rethinking what domain protection actually means. Detection alone, identifying that a malicious domain exists, is necessary but insufficient when the domain will be abandoned before removal completes. The goal has to shift from removing individual threats to degrading the infrastructure’s value before it generates returns.
This starts with treating domain abuse as an ecosystem rather than a collection of independent sites. The various operations share code signatures, CDN paths, and command-and-control patterns across hundreds of thousands of assets. Models that link infrastructure by shared characteristics, rather than evaluating domains independently, can uncover entire campaigns from a single indicator. Identifying the relationship between one domain and the 193,999 others in its network is more valuable than flagging each in isolation.
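The linking described above, pivoting from one indicator to the whole campaign, is a clustering problem. The following is an added example, not code from the article or from any tracked operation: it unions domains that share a strong kit indicator (a page-template hash or a distinctive CDN asset path) or a nameserver-plus-hosting-ASN pair, while a shared registrar alone is deliberately not enough to link. It also computes the churn statistic the article leans on, the share of retired domains that lived under two weeks. Every record, hash, nameserver and ASN below is constructed for illustration; the field names and the linking thresholds are this example's own assumptions, not a published methodology.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str
    nameserver: str            # authoritative NS zone
    hosting_asn: int
    template_hash: str         # hash of the kit's page bundle
    cdn_path: str              # distinctive asset path the kit loads
    registered: date
    last_seen: Optional[date] = None   # None: still resolving


# Indicators strong enough to link two domains on their own (assumption).
STRONG_FIELDS = ("template_hash", "cdn_path")
# Weaker indicators that link only when both agree (assumption).
WEAK_COMBO = ("nameserver", "hosting_asn")

# Constructed sample records (not real domains, hashes or ASNs).
AS_OF = date(2025, 3, 12)
SAMPLE = [
    DomainRecord("acmebank-verify.com", "reg-hk-1", "ns.cn-example", 64501, "t-aaaa", "/static/kit/v3/app.js", date(2025, 3, 1), date(2025, 3, 6)),
    DomainRecord("acmebank-secure.net", "reg-hk-2", "ns.cn-example", 64501, "t-aaaa", "/static/kit/v3/app.js", date(2025, 3, 4), date(2025, 3, 9)),
    DomainRecord("fasttoll-pay.com", "reg-hk-1", "ns.cn-other", 64502, "t-aaaa", "/assets/x/app.js", date(2025, 3, 7), date(2025, 3, 11)),      # joins via template hash
    DomainRecord("fasttoll-fee.top", "reg-us-1", "ns.cn-other", 64502, "t-bbbb", "/assets/x/app.js", date(2025, 3, 9)),                           # joins via cdn_path
    DomainRecord("google-account-help.xyz", "reg-us-1", "ns.cn-other", 64502, "t-cccc", "/js/main.js", date(2025, 3, 10)),                        # joins via NS+ASN only
    DomainRecord("delivery-redeliver.com", "reg-hk-2", "ns.cn-third", 64503, "t-dddd", "/cdn/bundle.js", date(2025, 2, 20), date(2025, 3, 20)),  # separate kit, long-lived
    DomainRecord("delivery-fee-due.top", "reg-hk-2", "ns.cn-third", 64503, "t-dddd", "/cdn/bundle.js", date(2025, 3, 2), date(2025, 3, 5)),
    DomainRecord("parking-page.com", "reg-hk-1", "ns.registrar-default", 64500, "t-park", "/", date(2025, 3, 1)),                                  # shares only a registrar
]


class DisjointSet:
    """Union-find with path halving; keys are domain names."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_campaigns(records):
    """Return campaigns (sorted domain lists, largest first) linked by shared indicators."""
    ds = DisjointSet()
    index = defaultdict(list)          # indicator -> domains carrying it
    for r in records:
        ds.find(r.domain)              # register singletons too
        for f in STRONG_FIELDS:
            index[(f, getattr(r, f))].append(r.domain)
        index[("ns+asn", tuple(getattr(r, f) for f in WEAK_COMBO))].append(r.domain)
    for domains in index.values():
        for d in domains[1:]:
            ds.union(domains[0], d)
    groups = defaultdict(set)
    for r in records:
        groups[ds.find(r.domain)].add(r.domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def campaign_of(records, seed):
    """Every domain linked to `seed`, directly or transitively."""
    for group in build_campaigns(records):
        if seed in group:
            return group
    return [seed]


def lifespan_stats(records, today, threshold_days=14):
    """Count still-active domains and the share of retired ones that lived under the threshold."""
    active = sum(1 for r in records if r.last_seen is None)
    retired = [r for r in records if r.last_seen is not None]
    short = sum(1 for r in retired if (r.last_seen - r.registered).days < threshold_days)
    return {"active": active, "short_lived_fraction": short / len(retired) if retired else 0.0}


if __name__ == "__main__":
    for group in build_campaigns(SAMPLE):
        print(len(group), group)
    print(lifespan_stats(SAMPLE, AS_OF))
```

Pivoting from `google-account-help.xyz`, which shares no template or asset path with anything else, still pulls in the whole five-domain campaign because its nameserver and hosting ASN match the toll-fee domains, which in turn share a CDN path with a domain carrying the bank template. The parking page, which shares only a registrar, stays alone; raising a registrar to a linking indicator would be the quickest way to merge unrelated customers into a false campaign.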
It also requires degrading the value of the infrastructure itself. Flooding credential harvesting sites with false data. Disrupting the real-time MFA interception that makes the fraud profitable. Raising the operational cost of maintaining infrastructure that might be poisoned at any moment. When attackers can’t trust what they’ve collected, the business model weakens even if the domains stay up longer than expected.
Automated takedown pipelines, backed by established relationships with registrars and hosting providers, can compress the gap between detection and removal. But even fast takedowns aren’t sufficient when domain lifecycles are measured in days. Speed helps. Disruption helps more.
The Bottom Line
The alternative is a permanent asymmetry: defenders always one step behind, documenting domains that have already served their purpose while replacements spin up faster than takedowns complete. That’s not domain protection. It’s domain accounting. And the economics never get better.
Key Takeaways
The infrastructure operates at a scale that makes domain-by-domain monitoring essentially ceremonial.
More than 80% of domains are abandoned before most takedown processes complete. The churn is a feature, not a limitation.
Between 12 million and 115 million U.S. payment cards may have been compromised since mid-2023, with financial damage reaching into the billions.
Google’s RICO lawsuit signals a move toward treating phishing-as-a-service as organized crime, but the infrastructure model survives any single prosecution.
Disrupting the economics of domain abuse requires degrading infrastructure value, not just identifying and reporting malicious domains.