
A Russian phishing crew hijacked the digital highways of US and EU logistics giants, exploiting trucking logins to steal funds. The investigation uncovered a well-organized crime infrastructure.
The Russia-linked group Diesel Vortex spent at least five months harvesting credentials from freight and trucking professionals, compromising more than 1,600 unique accounts across major industry platforms, a recent report has shown.
The attackers built phishing campaigns targeting frequent users of logistics platforms – load boards, fleet management portals, fuel card systems, and freight exchanges. Major players in the logistics sector, such as DAT Truckstop, Teleroute, Girteka, Penske Logistics, Electronic Funds Source, and Timocom, were targeted.
The new high-profile cybercriminal operation targeting the US and European logistics sector was uncovered by researchers at Have I Been Squatted, working alongside the Ctrl-Alt-Intel threat research initiative.
Researchers say the operators heavily relied on spearphishing and voice phishing. By impersonating well-known services, specifically targeting trucking and logistics Telegram groups, the gang intercepted login credentials and multi-factor authentication codes.
After taking over access to platforms, they used it to redirect invoices, conduct double brokering, extract shipment and personal data, and even steal funds.
Researchers assess with high confidence that the confirmed September 2025 to February 2026 campaign is only the latest chapter.
“Additional coordination data suggests related operator activity predates this time period, but that earlier activity is assessed with lower confidence than the confirmed campaign period,” researchers claimed.
A phishing engine built for freight
Between September 2025 and February 2026, Diesel Vortex deployed 52 phishing domains and targeted over 57,000 unique email addresses.
Researchers identified 3,474 stolen credential pairs, representing 1,649 unique accounts. The infrastructure logged 9,016 unique visitor IP addresses and even included 35 attempted check fraud incidents targeting fuel card systems.
The investigation began when Have I Been Squatted detected a cluster of typosquatted domains targeting a customer. One of those domains exposed a misconfigured .git directory at its web root. Using the open-source tool git-dumper, researchers reconstructed the full code repository.
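The same misconfiguration that exposed the operators' repository is a common defect on legitimate deployments. As an added example (not code from the article or the researchers' tooling), the check below classifies the responses a web root gives for /.git/HEAD and /.git/config the way a self-audit of your own hosts would, using constructed sample responses so it runs offline; the remote URL in the sample is a placeholder.

```python
"""Self-check: does a web root expose its .git directory?

Constructed sample responses stand in for HTTP probes of your own host.
Standard mitigation (not from the page), e.g. for nginx:
    location ~ /\\.git { deny all; return 404; }
"""
import re

# A real HEAD is a symbolic ref or a detached 40-hex commit id.
_HEAD_RE = re.compile(r"^(ref: refs/heads/\S+|[0-9a-f]{40})\s*$")


def head_is_git(body: str) -> bool:
    """True if the body has the shape of a .git/HEAD file."""
    return bool(_HEAD_RE.match(body.strip()))


def config_is_git(body: str) -> bool:
    """True if the body has the shape of a .git/config ([core] section)."""
    return "[core]" in body


def classify_exposure(responses: dict) -> dict:
    """responses maps path -> (status, body).

    A bare 200 is not enough: a host that serves a custom HTML page for every
    unknown path (a soft 404) must not be reported as exposed.
    """
    head_status, head_body = responses.get("/.git/HEAD", (404, ""))
    cfg_status, cfg_body = responses.get("/.git/config", (404, ""))
    head_ok = head_status == 200 and head_is_git(head_body)
    cfg_ok = cfg_status == 200 and config_is_git(cfg_body)
    # An exposed config also leaks where the source is hosted.
    remotes = re.findall(r"url\s*=\s*(\S+)", cfg_body) if cfg_ok else []
    return {"exposed": head_ok or cfg_ok, "head": head_ok,
            "config": cfg_ok, "remotes": remotes}


# Constructed sample: a misconfigured host (remote URL is a placeholder).
EXPOSED_SITE = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"
                          "[remote \"origin\"]\n"
                          "\turl = https://gitlab.example/placeholder/repo.git\n"),
}
# Constructed sample: a host answering 200 with an HTML page for any path.
SOFT_404_SITE = {
    "/.git/HEAD": (200, "<html><body>Not found</body></html>"),
    "/.git/config": (200, "<html><body>Not found</body></html>"),
}
```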
What they found went beyond a single campaign. Buried in the code was an actively developed phishing-as-a-service platform branded internally as “GlobalProfit” and marketed to other operators under the name “MC Profit Always.” The reference to “MC” likely points to US Motor Carrier identifiers issued by the Federal Motor Carrier Safety Administration.
The Git configuration pointed to a private repository hosted on GitLab. Its commit history showed two contributors: one handling core platform development, the other adding Russian-language deployment documentation as recently as February 2026.
“We monitored the exposed repository for new commits over the course of our analysis, observing daily development activity. Test subscriber accounts, payment processing infrastructure, and deployment documentation were all added in the weeks before discovery,” researchers said.
Later commits showed attempts to scrub secrets and harden the codebase, suggesting the group was preparing for broader commercialization.
Blueprint of phishing operation discovered
Among the most revealing artifacts was a 3.5MB file, apidata-full.txt, embedded in the Google phishing module. It contained raw Telegram callback data, effectively logging the operators’ own interactions with their infrastructure.
Inside that dataset was a link to an Xmind mind map. Ten months after its last modification, it was still publicly accessible.
“The map revealed a highly organised operation. It outlined distinct functional roles, including a call-centre, mail support, programmer, and staff responsible for finding drivers, carriers, and logistics contacts,” researchers said.
It also showed how the group found victims, using tools like DAT Truck searches, mass emails, and rate confirmation scams. They organized their revenue goals by different operational levels and kept track of income and expenses across calls, emails, and rate confirmations.
A dedicated section cataloged dozens of trucking and logistics Telegram groups marked as active or intended targets.
The criminal infrastructure was taken down
There is at least some good news. The exposure of the infrastructure triggered a coordinated response from many involved parties.
Have I Been Squatted and Ctrl-Alt-Intel worked with Google Threat Intelligence, Cloudflare, GitLab, IPInfo, and Ping Identity to dismantle the infrastructure.
Additional assistance came from the Microsoft Threat Intelligence Center and CrowdStrike, as well as affected organizations that helped notify victims.