When cybersecurity researchers talk about sophisticated threat actors, the conversation usually drifts toward nation-state groups—the kind backed by intelligence agencies and motivated by geopolitics. But a newly exposed criminal operation is proving that financially motivated cybercrime syndicates can be just as organized, just as targeted, and just as dangerous. The difference is that this one wasn't after military secrets or intellectual property. It was after something far more mundane, and far more profitable: truck driver login credentials.
In late February 2026, researchers at Have I Been Squatted, working alongside the threat intelligence team at Ctrl-Alt-Intel, pulled back the curtain on a five-month phishing campaign targeting freight and logistics companies across the United States and Europe. The group behind it—designated "Diesel Vortex" by the researchers—had stolen over 1,600 unique login credentials from users of platforms that form the operational backbone of the trillion-dollar freight industry. Their targets included load boards, fleet management portals, fuel card systems, and freight exchanges. And their goal wasn't just credential theft. It was cargo diversion, invoice fraud, check fraud, and the construction of a phishing-as-a-service platform they could sell to other criminals.
This is a case study in what happens when a cybercrime group identifies an industry that moves fast, runs on trust, and has historically invested very little in cybersecurity. And it should serve as a wake-up call for every organization operating in the freight ecosystem.
An Accidental Exposure Unravels a Criminal Enterprise
The investigation began the way many cybersecurity breakthroughs do—through an operational mistake by the attackers themselves. Analysts at Have I Been Squatted noticed a suspicious cluster of typosquatted domains that appeared connected to logistics platforms. Digging deeper, they discovered an exposed .git directory on one of the phishing servers. In cybersecurity terms, this is the equivalent of a bank robber leaving the vault door open with the blueprints taped to the wall.
That exposed repository gave researchers access to the group's full source code, a 36.6-megabyte SQL database dump dated February 4, 2026, internal Telegram webhook logs documenting operator communications, and a mind map outlining the entire operation's organizational structure. The database alone confirmed the scale: 52 phishing domains deployed, 75,840 contact email addresses in the group's targeting database, 9,016 unique visitor IP addresses logged by the phishing infrastructure, 3,474 stolen credential pairs representing 1,649 unique accounts, and 35 confirmed Electronic Funds Source (EFS) check fraud attempts.
"A deliberate, structured criminal enterprise with defined roles, revenue targets, and a long-term growth strategy." — Have I Been Squatted researchers
The mind map was particularly revealing. It described defined functional roles within the operation, including a call center, mail support staff, a programmer, and personnel responsible for identifying and recruiting targets—specifically drivers, carriers, and logistics contacts. This was not a lone hacker in a basement.
Inside the Attack: Dual Domains, Real-Time Hijacking, and Voice Phishing
The technical architecture behind Diesel Vortex's operation was more sophisticated than typical phishing campaigns. The group deployed a dual-domain system specifically designed to evade detection. When a victim clicked a phishing link, they were directed to a clean-looking "advertise domain" that appeared legitimate. Behind the scenes, the page loaded phishing content from a hidden "system domain" inside an invisible browser frame. The victim's address bar always displayed the trusted-looking URL, while the actual credential-harvesting page operated silently in the background.
Browser security indicators and URL reputation checks act on the top-level page, not on the origins of the frames embedded in it. The dual-domain approach allowed Diesel Vortex to bypass the standard browser warnings and reputation checks that would otherwise have flagged the malicious content.
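A triage check for the dual-domain pattern just described, written for this article as an added example (it is not code from the Have I Been Squatted or Ctrl-Alt-Intel report): it parses a page and flags any iframe that loads from a different registrable domain while being styled or sized so the user never sees it. The sample page and the `.example` hostnames are constructed placeholders, and the eTLD+1 logic is a deliberate simplification.

```python
# Added example, not code from the report: flag a page whose visible
# top-level origin hides a cross-origin iframe. Hostnames are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that keep a frame out of sight while it still loads.
HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden", "opacity:0",
                      "width:0", "height:0", "left:-9999")

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for a triage heuristic."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class FrameCollector(HTMLParser):
    """Collect the attributes of every <iframe>/<frame> on the page."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            self.frames.append(dict(attrs))

def find_hidden_cross_origin_frames(page_url, html):
    """Return frames whose src sits on another registrable domain and that
    are styled, sized or marked so the user never sees them."""
    top = registrable_domain(urlparse(page_url).hostname or "")
    collector = FrameCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.frames:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if not host:
            continue  # relative src or srcdoc: same origin, not this pattern
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (any(h in style for h in HIDDEN_STYLE_HINTS)
                  or attrs.get("width") == "0" or attrs.get("height") == "0"
                  or "hidden" in attrs)
        frame_domain = registrable_domain(host)
        if frame_domain != top and hidden:
            findings.append({"src": src, "frame_domain": frame_domain, "top": top})
    return findings

# Constructed sample: a clean-looking "advertise" page whose real content is
# loaded from a separate "system" domain in an invisible frame.
SAMPLE_URL = "https://loadboard-login.example/account"
SAMPLE_HTML = """<html><body><h1>Sign in</h1>
<iframe src="https://cdn.example/logo" width="300" height="80"></iframe>
<iframe src="https://sys-panel.example/login" style="display: none; width: 0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_cross_origin_frames(SAMPLE_URL, SAMPLE_HTML):
        print("hidden cross-origin frame:", f["src"], "->", f["frame_domain"])
```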
But the most alarming element was the real-time control loop. The recovered framework revealed that operators received victim session notifications directly through Telegram. From there, they could issue commands in real time—steering victims between different phishing modules, forcing page refreshes, redirecting sessions, or adding extra verification steps. Operators were observed directing victims to re-enter their login credentials multiple times in order to capture two-factor authentication tokens before they expired. The system polled a backend endpoint continuously, retrieving pending commands and relaying them into the live phishing page as the victim interacted with it.
Voice phishing (vishing) was also a core component. Diesel Vortex operators infiltrated trucking and logistics Telegram groups and used spoofed phone numbers to call dispatchers directly, impersonating platform support staff or freight partners. Phishing emails were delivered through the platform's built-in mailer using Zoho SMTP and Zeptomail services, with Cyrillic homoglyph characters embedded in sender fields and subject lines to evade security filters. Named targets included DAT and Truckstop as well as Penske Logistics, EFS, TIMOCOM, Teleroute, and Girteka—one of Europe's largest trucking operators. In the high-pressure world of freight dispatching, where quick decisions can mean the difference between a profitable load and a missed opportunity, these calls were devastatingly effective.
Why Freight and Logistics? Understanding the Perfect Target
To understand why Diesel Vortex chose freight and logistics as their target, you have to understand how the industry actually operates. Trucking alone generated $906 billion in gross freight revenues in 2024, according to the American Trucking Associations—and when rail, intermodal, air freight, and third-party logistics are included, total U.S. freight industry revenues exceed a trillion dollars annually. The industry moves nearly everything consumers and businesses depend on, from food to electronics to industrial materials. Yet the digital platforms that hold this ecosystem together—load boards like DAT and Truckstop, fleet management systems from Penske, fuel card networks like EFS, and European freight exchanges like TIMOCOM and Teleroute—were never built with the assumption that they would become targets for organized cybercrime.
Researchers at Have I Been Squatted identified exactly why these platforms were vulnerable: the people using them every day—dispatchers, independent owner-operators, small fleet managers—are handling enormous financial transactions but have received little cybersecurity training and are protected by minimal security infrastructure.
According to the American Trucking Associations' 2025 Trends report, 91.5 percent of U.S. carriers operate ten or fewer trucks. These small operators typically lack dedicated IT staff, let alone a cybersecurity program. They use the same platforms as large carriers but without the security controls, employee training, or incident response capabilities that larger organizations deploy.
This is precisely the blind spot Diesel Vortex exploited. And their timing could not have been more significant.
A Convergence of Threats: Diesel Vortex in the Context of 2025–2026 Cybercrime
Diesel Vortex did not emerge in a vacuum. The group's exposure coincided with CrowdStrike's release of its 2026 Global Threat Report, which painted a stark picture of how the logistics sector has become a prime target for threat actors of all kinds. CrowdStrike's data showed an 85 percent increase in China-nexus intrusions targeting the logistics vertical in 2025—the highest increase of any sector tracked. While China-linked groups are pursuing strategic intelligence objectives in supply chain systems, financially motivated groups like Diesel Vortex are attacking the same infrastructure for direct monetary gain.
The broader eCrime landscape has accelerated dramatically. CrowdStrike reported that the average eCrime breakout time—the period between initial access and lateral movement—fell to just 29 minutes in 2025, with the fastest observed breakout occurring in only 27 seconds. AI-enabled adversary operations increased 89 percent year-over-year, and 82 percent of intrusion detections were malware-free, meaning attackers are increasingly using valid credentials and trusted pathways rather than traditional malicious software.
This convergence matters for the freight industry because it means the sector is facing threats from multiple directions simultaneously—nation-state espionage operations targeting supply chain intelligence and organized criminal groups targeting operational credentials for financial fraud—while still operating with security postures that were designed for a far less hostile environment.
From Stolen Credentials to Stolen Cargo: The Double-Brokering Pipeline
The downstream impact of credential theft in the freight industry goes well beyond unauthorized account access. The Ctrl-Alt-Intel investigation revealed Telegram conversations between Diesel Vortex operators discussing specific carrier identities and their cargo insurance limits, seeking carriers with high-value freight authorization to maximize the return on each compromised account.
With stolen carrier credentials, the group engaged in what the industry calls double brokering—using a legitimate carrier's identity to accept a freight load, then reassigning that load to an unauthorized third party. The original shipper and broker believe the load is being handled by a vetted carrier. In reality, the cargo may be diverted to a fraudulent pickup point or simply disappear. The carrier whose identity was stolen never agreed to haul the load, the broker pays the criminals instead of the real carrier, and the legitimate carrier who actually transported the goods may never receive payment.
Diesel Vortex's operation was designed to feed directly into this fraud pipeline. The group was not simply collecting credentials and selling them on dark web marketplaces. They were operating an integrated criminal workflow that moved from phishing to account takeover to freight impersonation to financial extraction.
Phishing-as-a-Service: The Industrialization of Freight Fraud
Perhaps the most concerning aspect of the Diesel Vortex operation was what the researchers found under development. The phishing platform was internally branded "GlobalProfit" and was being packaged as a phishing-as-a-service product marketed to other Russian-speaking criminals under the name "MC Profit Always"—with "MC" likely referencing U.S. Motor Carrier identifiers issued by the Federal Motor Carrier Safety Administration.
The Git repository's commit history showed two active contributors: one handling core platform development and another adding Russian-language deployment documentation as recently as February 2026. Researchers observed daily development activity, including test subscriber accounts, payment processing infrastructure using cryptocurrency, and deployment documentation—all added in the weeks before the operation was discovered.
The service-model approach lowers the barrier to entry for freight fraud dramatically. Instead of requiring each criminal group to build its own phishing infrastructure, recruit targets, and develop credential-harvesting tools, Diesel Vortex was building a turnkey solution. Subscribe, choose your target platform, and let the system handle the rest—from phishing page deployment to real-time session hijacking to credential extraction. This model means that even if Diesel Vortex's own infrastructure is shut down, the playbook has been proven and will be replicated.
The Coordinated Takedown and What It Reveals
The exposure of Diesel Vortex triggered a coordinated response involving a significant roster of cybersecurity organizations. Have I Been Squatted and Ctrl-Alt-Intel worked with Google Threat Intelligence Group, Cloudflare, GitLab, IPInfo, and Ping Identity to dismantle the group's infrastructure. The Microsoft Threat Intelligence Center and CrowdStrike provided additional assistance, and affected organizations participated in victim notification efforts.
Ctrl-Alt-Intel's OSINT investigation traced the operation further, identifying that an email address used to register phishing infrastructure also appeared in Russian corporate filings for logistics companies operating in the same freight vertical that Diesel Vortex was targeting. The investigation uncovered connections to individuals and companies in Russia involved in wholesale trade, transportation, and warehousing. Telegram logs revealed Armenian-language coordination among operators, with one operator explicitly stating in those logs that he was located in Yerevan, Armenia—the first direct self-identification of operator location in the recovered evidence.
The takedown was successful in disrupting the immediate infrastructure, but researchers have emphasized that the broader threat persists. Additional coordination data suggests related operator activity predates the confirmed September 2025 campaign period, and the phishing-as-a-service model means the tools and techniques are likely to resurface under different branding. Ctrl-Alt-Intel explicitly noted in their report that all corporate linkages are based on correlational OSINT indicators and should not be interpreted as findings of guilt or legal liability—the connections establish that phishing infrastructure registrants overlap with individuals operating in the targeted freight vertical, but stop short of definitive attribution.
What the Freight Industry Must Do Now
The Diesel Vortex case exposes a fundamental mismatch between the freight industry's digital dependency and its cybersecurity maturity. Addressing this gap requires action at every level of the supply chain. Based on the researchers' recommendations and broader industry security best practices, organizations operating in freight and logistics should prioritize the following.
Harden email ingress and enforce DMARC. Phishing emails in this campaign exploited gaps in inbound email authentication. Organizations should ensure DMARC, DKIM, and SPF records are correctly configured and enforced—not just published—for every domain they operate. Disabling legacy authentication protocols removes another foothold attackers rely on when modern security controls are applied unevenly.
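The "enforced, not just published" distinction is easy to check mechanically. The following is an added example for this article, not tooling from the researchers: it parses a DMARC TXT record and reports whether the policy actually blocks anything. The two records are constructed, `freight-carrier.example` is a placeholder, and no DNS lookup is performed; in practice you would feed it the TXT record at `_dmarc.<domain>`.

```python
# Added example, not from the report: parse a DMARC TXT record and say
# whether the domain merely publishes DMARC or actually enforces it.
# Records below are constructed; no DNS lookups are made.

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return an enforcement verdict with the reasons behind it.

    Enforced means p=reject or p=quarantine applied to 100% of mail, with
    subdomains not quietly exempted through sp=none."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"enforced": False, "policy": None, "pct": 0,
                "reasons": ["not a DMARC record"]}
    reasons = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        reasons.append("p=none: failures are only reported, never blocked")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        reasons.append(f"pct={pct}: policy applied to only {pct}% of mail")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if sub_policy == "none" and policy != "none":
        reasons.append("sp=none: subdomains are exempt from the enforced policy")
    if "rua" not in tags:
        reasons.append("no rua: aggregate reports are not collected")
    enforced = (policy in ("reject", "quarantine") and pct == 100
                and sub_policy != "none")
    return {"enforced": enforced, "policy": policy, "pct": pct, "reasons": reasons}

# Constructed records: a published-but-not-enforced record beside a
# corrected one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@freight-carrier.example"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@freight-carrier.example")

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        verdict = assess_dmarc(rec)
        print(name, "enforced" if verdict["enforced"] else "NOT enforced",
              verdict["reasons"])
```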
Deploy phishing-resistant authentication. The single most important defensive measure is adopting FIDO2 hardware security keys or device-bound passkeys wherever possible. Diesel Vortex's real-time session interception and Telegram-based operator control can defeat SMS-based codes and time-based one-time passwords. Hardware-backed authentication that requires physical device possession does not share this vulnerability. Every logistics platform that supports FIDO2 or passkeys should be configured to use them immediately.
Implement domain monitoring and DNS filtering. Organizations should actively monitor for typosquatted domains that mimic their brands or the platforms they use. DNS filtering using internal threat intelligence feeds can block known malicious domains before employees ever reach them. Character substitutions, transpositions, and prefix or suffix additions are the recurring techniques identified in this campaign.
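One detector serves both the Cyrillic homoglyph sender fields described earlier and the substitution, transposition and prefix/suffix techniques listed here. It is an added example for this article, not the researchers' tooling: it folds Cyrillic confusables to ASCII, flags mixed-script strings, and scores a domain's second-level label against a watchlist of protected brands. The watchlist, the observed domains and the confusable table (deliberately partial) are constructed.

```python
# Added example, not tooling from the report: score observed domains and
# sender display names against a watchlist of protected brands, catching
# Cyrillic homoglyph substitutions, character swaps, transpositions and
# prefix/suffix additions. Brand names and observed values are constructed.
import unicodedata

# Cyrillic letters that render like Latin ones (a e o p c x y i j s), given
# as escapes so they cannot be confused with their Latin twins in the source.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u0458": "j", "\u0455": "s"}

def mixed_script(text):
    """True when Latin and Cyrillic letters are mixed, as in the spoofed
    sender fields and subject lines of this campaign."""
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0]
               for ch in text if ch.isalpha()}
    return "LATIN" in scripts and "CYRILLIC" in scripts

def skeleton(text):
    """Fold confusables to ASCII so a homoglyph label compares equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())

def edit_distance(a, b):
    """Damerau-Levenshtein: an adjacent transposition costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(domain, brands):
    """Explain why the domain's second-level label resembles a protected
    brand, or return None when it is the brand itself or unrelated."""
    parts = domain.lower().split(".")
    raw = parts[-2] if len(parts) >= 2 else parts[0]
    label = skeleton(raw)
    for brand in brands:
        if label == brand:
            if raw != brand:
                return {"brand": brand, "reason": "cyrillic homoglyph"}
            continue  # the genuine brand label, untouched
        if edit_distance(label, brand) == 1:
            return {"brand": brand, "reason": "one-edit typo or transposition"}
        if brand in label:
            return {"brand": brand, "reason": "prefix/suffix addition"}
    return None

PROTECTED_BRANDS = ["loadboard", "fuelcard"]   # constructed watchlist
# Constructed observations; the second one carries Cyrillic 'o' (U+043E).
OBSERVED = ["loadboard.example", "l\u043eadb\u043eard.example",
            "laodboard.example", "loadboard-login.example", "weather.example"]
```

Running `[lookalike_of(d, PROTECTED_BRANDS) for d in OBSERVED]` over a DNS or proxy log is the monitoring loop; `mixed_script()` is the check to apply to `From:` display names and `Subject:` lines.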
Establish anomalous login detection. The researchers highlighted a specific behavioral pattern worth monitoring: sign-ins that occur immediately after an inbound email or phone-based support interaction. This pattern strongly correlates with social engineering attacks and should trigger automated alerts and additional verification requirements.
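The pattern the researchers describe can be expressed as a simple correlation rule. The block below is an added example, not the researchers' detection logic: it reads a constructed, simplified event feed, remembers the most recent inbound email or support call per user, and alerts on any sign-in by that user within a 15-minute window (the window length is an assumption to tune locally). Addresses, IPs and the `l0adboard.example` sender are constructed.

```python
# Added example, not from the researchers' report: correlate sign-in events
# with a preceding inbound email or support call for the same user. The
# event feed, user names and IPs below are constructed.
from datetime import datetime, timedelta

# Constructed feed: timestamp, event type, user, free-form detail.
EVENTS = """\
2026-02-03T14:02:10Z inbound_email dispatcher1@carrier.example from=support@l0adboard.example
2026-02-03T14:05:42Z signin dispatcher1@carrier.example ip=203.0.113.7 new_device=true
2026-02-03T15:30:00Z support_call dispatcher2@carrier.example caller=+1-555-0100
2026-02-03T18:45:09Z signin dispatcher2@carrier.example ip=198.51.100.20 new_device=false
2026-02-03T16:00:00Z signin dispatcher3@carrier.example ip=192.0.2.55 new_device=true
"""
TRIGGERS = {"inbound_email", "support_call"}   # social-engineering contact events
WINDOW = timedelta(minutes=15)                  # assumed "immediately after" window

def parse_events(text):
    """Parse the feed into (timestamp, kind, user, detail) tuples, sorted by
    time so out-of-order log delivery does not break the correlation."""
    events = []
    for line in text.splitlines():
        ts, kind, user, detail = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, user, detail))
    return sorted(events)

def correlate_signins(text, window=WINDOW):
    """Return one alert per sign-in that follows a trigger event for the same
    user within 'window'. Sign-ins with no preceding contact are not alerted."""
    last_trigger = {}
    alerts = []
    for ts, kind, user, detail in parse_events(text):
        if kind in TRIGGERS:
            last_trigger[user] = (ts, kind, detail)
        elif kind == "signin" and user in last_trigger:
            trig_ts, trig_kind, trig_detail = last_trigger[user]
            gap = ts - trig_ts
            if timedelta(0) <= gap <= window:
                alerts.append({"user": user, "after": trig_kind,
                               "gap_minutes": gap.total_seconds() / 60,
                               "trigger_detail": trig_detail,
                               "signin_detail": detail})
    return alerts

if __name__ == "__main__":
    for alert in correlate_signins(EVENTS):
        print(f"ALERT {alert['user']}: sign-in {alert['gap_minutes']:.1f} min "
              f"after {alert['after']} ({alert['trigger_detail']})")
```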
Train the workforce that actually uses these systems. Cybersecurity awareness training in the freight industry cannot be a one-time onboarding checkbox. Dispatchers, owner-operators, and fleet managers need ongoing, scenario-based training that addresses the specific attack vectors used against them—phishing emails mimicking load board notifications, vishing calls from fake platform support, and fraudulent Telegram group messages. Training should be frequent, practical, and focused on the real threats these workers face daily.
Strengthen carrier verification processes. Brokers and shippers must move beyond surface-level verification of MC numbers and insurance certificates. Multi-layered carrier vetting should include direct confirmation with insurance providers, cross-referencing FMCSA data for recent contact changes or ownership transfers, and flagging carriers who accept loads unusually quickly or request payment through non-standard channels.
Diesel Vortex represents something more significant than a single phishing campaign. It is evidence that organized cybercrime has identified the freight and logistics sector as a high-value, low-resistance target—and has built the tools to exploit it at scale. The group's phishing-as-a-service model means that the techniques developed here will not disappear with the takedown of a few dozen domains. They will be repackaged, resold, and redeployed.
The freight industry has reached an inflection point. The same digital transformation that made freight operations faster and more efficient has created an attack surface that sophisticated criminal groups are now actively and systematically exploiting. The organizations that survive this shift will be those that recognize cybersecurity not as an IT expense but as a core operational requirement—as fundamental to moving freight safely as insurance, licensing, and compliance. For an industry built on trust and speed, that shift cannot come fast enough.
- Have I Been Squatted and Ctrl-Alt-Intel. "Diesel Vortex: Inside the Russian Cybercrime Group Targeting US & EU Freight." February 2026.
- Bleeping Computer. Bill Toulas. "Phishing Campaign Targets Freight and Logistics Orgs in the US, Europe." February 24, 2026.
- CrowdStrike. "2026 Global Threat Report: AI Accelerates Adversaries and Reshapes the Attack Surface." February 24, 2026.
- FreightWaves. Noi Mahoney. "Russian Cybercrime Ring Targeted Freight Firms in US, Europe, Report Says." February 27, 2026.
- Cybernews. "Researchers Reveal Russian Hackers Hijacked Digital Highways to Steal Funds from Logistics Giants." February 2026.
- Cyber Magazine / Supply Chain Magazine. "How Did Russian Threat Actors Target US/EU Freight Hubs?" February 2026.
- The Record (Recorded Future News). "Phishing Operation with Links to Russia, Armenia Compromised Western Cargo Companies." February 2026.
- SC Media. "Diesel Vortex Phishing Campaign Targets Freight and Logistics Operators." February 25, 2026.
- NMFTA. "The Fight Against Freight Fraud Begins with One Change That Can Transform the Industry." January 2026.
- Ctrl-Alt-Intel. "Diesel Vortex: Exploring Connections to Russian LLCs." February 2026.
- CarrierSource. "686 Carriers Flagged for Double Brokering." February 1, 2026.
- American Trucking Associations. "ATA American Trucking Trends 2025." 2025.
- National Insurance Crime Bureau. "Cargo Theft Statistics." 2025.
- Travelers Insurance. "Strategic Cargo Theft." 2024.