Diesel Vortex Targets Global Freight Industry, 1,649 Credentials Stolen in Coordinated Phishing Campaign

Listen to this Post

Featured Image

A Silent War Against Logistics Infrastructure

The global freight and logistics sector has become the latest battlefield in a sophisticated cybercrime operation. A financially motivated threat group known as Diesel Vortex has been quietly harvesting credentials from freight brokers, trucking companies, and supply chain operators across the United States and Europe.

Operating through a network of 52 phishing domains, the group has stolen at least 1,649 unique credentials from critical freight platforms since September 2025. What makes this campaign particularly alarming is not only its scale, but its structure. This was not a chaotic hacking spree. It was an organized, multi-layered operation designed to exploit a workforce rarely prioritized in enterprise cybersecurity strategies.

The campaign was uncovered by researchers at Have I Been Squatted, who discovered an exposed repository containing an SQL database linked to a phishing project called “Global Profit.” The project was reportedly marketed to other cybercriminals under the name “MC Profit Always.”

With collaboration from Ctrl-Alt-Intel, investigators pieced together a network of infrastructure, Telegram communications, phishing panels, and Russian-linked business entities, exposing a cybercrime operation that blurred the line between digital fraud and real-world cargo theft.

The Campaign Uncovered

The investigation began when researchers identified an exposed Git repository containing sensitive backend infrastructure for the phishing operation. Inside was an SQL database containing thousands of stolen credential pairs.

In total, nearly 3,500 credential pairs were found, of which 1,649 were confirmed unique. These credentials belonged to users of freight and logistics platforms such as DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source.

Telegram webhook logs inside the repository revealed conversations between operators. Linguistic analysis suggested Armenian-speaking individuals, with infrastructure ties linked to Russian networks.

Further OSINT investigation revealed that an email address used to register phishing infrastructure appeared in Russian corporate filings tied to transportation and warehousing companies operating in the same vertical targeted by Diesel Vortex.

This overlap strongly suggests coordination beyond opportunistic phishing. The actors appeared embedded in the logistics ecosystem they were attacking.

Highly Organized Operations

One of the most striking discoveries was a mind map created by a member of the group. It described a structured operation with defined roles:

Call center operators

Mail support staff

Programmers

Personnel responsible for sourcing drivers, carriers, and logistics contacts

The mind map outlined acquisition channels including DAT One marketplace access, email phishing campaigns, rate confirmation fraud schemes, and revenue distribution models across operational tiers.

This was not a loose hacking collective. It resembled a small criminal enterprise with operational planning and workflow management.

How the Phishing Worked

Diesel Vortex built dedicated phishing infrastructure targeting platforms used daily by freight brokers and trucking operators. These included:

Load boards

Fleet management portals

Fuel card systems

Freight exchanges

Phishing emails were sent using a kit that leveraged Zoho SMTP and Zeptomail services. The attackers employed Cyrillic homoglyph techniques in sender names and subject lines to bypass email security filters.

The campaign extended beyond email. The group used voice phishing and infiltrated Telegram channels frequented by logistics professionals.

When victims clicked malicious links, they were redirected to a minimal HTML page hosted on a .com domain. A full-screen iframe loaded the phishing content, which was then routed through a nine-stage cloaking process using .top and .icu domains to evade detection.

The phishing pages were pixel-perfect clones of legitimate freight platforms. Depending on the target, attackers harvested:

Login credentials

MC/DOT numbers

RMIS access details

PIN codes

Two-factor authentication tokens

Security tokens

Payment details

Payee names

Check numbers

Operators controlled each phishing session in real time via Telegram bots. They could approve steps, request additional authentication details, redirect victims, or terminate sessions mid-process.

This level of control demonstrates manual oversight rather than fully automated exploitation.

Beyond Credential Theft

Researchers concluded that Diesel Vortex was not solely focused on credential harvesting. Evidence suggests coordination of freight impersonation, mailbox compromise, and double brokering schemes.

Double brokering involves stealing carrier identities to book freight loads and then reassigning or diverting cargo to fraudulent pickup points. The end result is physical cargo theft disguised as legitimate transport.

This transforms digital phishing into real-world economic crime.

Disruption and Takedown

Following coordinated action involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center, key components of the Diesel Vortex infrastructure were disrupted.

Git repositories were taken down, phishing domains were neutralized, and infrastructure links were severed.

While the takedown limited ongoing damage, the campaign highlights how vulnerable logistics ecosystems remain to targeted phishing operations.

Full indicators of compromise were published by Have I Been Squatted for industry defenders.

What Undercode Say:

Logistics Is the New Soft Target

The freight and trucking industry sits at a dangerous intersection of high transaction value and low cybersecurity maturity. Unlike financial institutions or tech companies, logistics operators are often operationally focused, decentralized, and less protected by enterprise-grade security monitoring.

Attackers understand this.

Diesel Vortex targeted platforms that facilitate real-time load booking and payment processing. These systems move money and cargo simultaneously. A compromised account is not just a data breach. It is a direct gateway to financial fraud and cargo diversion.

Human Infrastructure Was Exploited

The campaign’s success relied on understanding the human side of logistics. Drivers, brokers, and dispatchers often work under time pressure. They rely heavily on email confirmations and messaging apps.

By infiltrating Telegram channels and using voice phishing, the attackers inserted themselves directly into trusted communication spaces.

This was social engineering optimized for industry workflow.

Manual Control Shows Strategic Intent

The use of Telegram bots to control phishing sessions in real time is particularly telling. This indicates that operators were actively monitoring victims and adapting strategies mid-session.

This approach increases credential yield and reduces detection risk.

It also demonstrates investment in training and operational discipline.

Ties to Corporate Infrastructure Raise Questions

The discovery that phishing infrastructure registration emails appeared in Russian corporate filings is significant. It suggests potential blending of criminal and legitimate business ecosystems.

Whether those companies were knowingly involved remains unclear. However, the overlap underscores how cybercrime can leverage commercial registration systems for operational cover.

Freight Cybercrime Is Physical Crime

Double brokering transforms stolen credentials into stolen goods. Once cargo is diverted, recovery becomes complex and cross-jurisdictional.

The real cost is not just digital remediation. It includes insurance claims, operational delays, contractual disputes, and damaged business trust.

This hybrid crime model is likely to grow.

Industry Security Gaps Are Structural

Freight operators are often small to medium enterprises. They lack dedicated security teams. Multi-factor authentication may exist, but phishing kits are now capable of capturing one-time codes and security tokens in real time.

Security awareness training alone is insufficient.

What is required is systemic platform hardening, phishing-resistant authentication such as FIDO2, and stronger anomaly detection within load booking systems.

The Criminal Business Model Is Mature

The existence of a branded phishing kit marketed to other criminals shows commoditization. Cybercrime is now service-based.

Diesel Vortex did not just attack. It productized fraud infrastructure.

This industrialization lowers barriers to entry for future attackers.

Takedowns Are Temporary Solutions

While collaboration between GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center disrupted the campaign, infrastructure can be rebuilt.

Unless industry-wide authentication reforms occur, similar groups will emerge.

Freight remains attractive because it converts credentials into immediate financial returns.

Fact Checker Results

✅ Researchers confirmed 1,649 unique stolen credentials linked to the Diesel Vortex campaign.
✅ The phishing infrastructure used 52 domains and employed multi-stage cloaking techniques.
❌ No public evidence currently confirms formal involvement of any registered Russian logistics companies beyond shared email registration details.

Prediction

📦 Freight cybercrime will increasingly merge digital phishing with physical cargo theft schemes.
🔐 Logistics platforms will accelerate adoption of phishing-resistant authentication methods within the next two years.
⚠️ Criminal groups will continue building structured, enterprise-like operations targeting industries outside traditional cybersecurity focus areas.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.pinterest.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon