Most phishing campaigns steal credentials and move on. Over a five-month period, Diesel Vortex succeeded with a more innovative approach.
This Russian-linked cybercrime group ran an undetected Phishing-as-a-Service operation targeting the freight and logistics sector from September 2025 through February 2026, according to research published by Have I Been Squatted and Ctrl-Alt-Intel. Across targets in the United States and Europe, the group harvested more than 1,600 unique login credentials. But the credential theft was just the beginning. What followed was a coordinated fraud operation that redirected shipments, laundered money through check fraud, and exploited the logistics industry’s dependence on broker platforms to run double-brokering scams at scale.
Diesel Vortex is a case study in what happens when technically sophisticated phishing infrastructure is paired with operationally mature financial fraud.

Diesel Vortex is a Russian-nexus cybercrime group assessed to operate with financial motivation. The group demonstrated familiarity with the freight and trucking industry’s operational workflows, platform ecosystem, and the specific trust relationships that brokers and carriers depend on to move cargo.
Their targeting was deliberate and sector-specific. Rather than running broad, opportunistic credential harvesting campaigns, Diesel Vortex focused sustained effort on logistics professionals — freight brokers, carriers, and dispatchers — who routinely authenticate to high-value platforms like Penske and DAT Truckstop. Compromising those accounts doesn’t just yield credentials. It yields operational access to active shipments, load boards, payment systems, and carrier relationships.
The group operated their phishing infrastructure under an internal platform name: “GlobalProfit.”
Diesel Vortex built convincing spoofed login pages impersonating well-known logistics platforms. Victims (typically freight professionals) received phishing emails or encountered redirected links that delivered them to pages visually identical to the platforms they used daily.
What made this infrastructure particularly effective was the use of Dual-Domain Deception: a seemingly legitimate advertising domain served as the outward-facing layer, with a malicious phishing iframe covertly embedded within its content. Browser-based security tools that evaluate primary domain reputation failed to flag the pages, because the primary domain had a clean reputation. The malicious payload was buried one layer deeper.
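The detection gap in that Dual-Domain Deception is that a reputation lookup only ever sees the outer domain. The check that closes it is to look at what the fetched page actually frames. The following is an added example, not code from Cynet or the cited researchers: it parses a page, resolves every `iframe`/`frame`/`embed`/`object` source against the page URL, and reports the ones whose registrable domain differs from the hosting page, with a heuristic for frames sized to cover the whole viewport. The page URL, hostnames and HTML are constructed placeholders, and `registrable_domain` is a two-label approximation of eTLD+1 standing in for a public-suffix-list lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a clean-looking promo page that frames a login page on a
# different registrable domain. Hostnames are placeholders, not real IoCs.
PAGE_URL = "https://www.ads-partner.example/promo"
SAMPLE_HTML = """
<html><body>
  <h1>Spring freight promotions</h1>
  <iframe src="https://cdn.ads-partner.example/banner" width="300" height="250"></iframe>
  <iframe src="/widgets/footer.html"></iframe>
  <iframe src="https://login-portal.example/signin"
          style="position:absolute; top:0; left:0; width:100%; height:100%; border:0"></iframe>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two DNS labels.

    Assumption: no public-suffix list is available offline, so hosts under
    multi-label suffixes such as co.uk would need a real PSL lookup instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


class _FrameCollector(HTMLParser):
    """Collect every element that can embed a second document."""

    EMBED_TAGS = {"iframe", "frame", "embed", "object"}

    def __init__(self) -> None:
        super().__init__()
        self.frames: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.EMBED_TAGS:
            a = {k: (v or "") for k, v in attrs}
            self.frames.append({"tag": tag,
                                "src": a.get("src") or a.get("data", ""),
                                "style": a.get("style", "")})


def _looks_like_overlay(style: str) -> bool:
    """Heuristic: an absolutely positioned frame sized to the viewport is
    covering the host page rather than sitting in a banner slot."""
    s = style.replace(" ", "").lower()
    return "position:absolute" in s and "width:100%" in s and "height:100%" in s


def find_cross_origin_frames(page_url: str, html: str) -> list[dict]:
    """Return frames whose registrable domain differs from the hosting page's.

    This is the check a URL-reputation lookup on page_url alone never makes:
    the outer domain can be spotless while the framed document is the lure.
    """
    parser = _FrameCollector()
    parser.feed(html)
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    findings = []
    for f in parser.frames:
        host = urlparse(urljoin(page_url, f["src"])).hostname
        if not host:  # about:blank, srcdoc-only, javascript: and similar
            continue
        frame_domain = registrable_domain(host)
        if frame_domain != page_domain:
            findings.append({"tag": f["tag"], "src": f["src"], "host": host,
                             "registrable_domain": frame_domain,
                             "overlay": _looks_like_overlay(f["style"])})
    return findings


if __name__ == "__main__":
    for hit in find_cross_origin_frames(PAGE_URL, SAMPLE_HTML):
        print(f"{hit['tag']} -> {hit['host']} (covers page: {hit['overlay']})")
```

Run against the sample, the banner frame (same registrable domain) and the relative footer frame are ignored and only the viewport-sized frame pointing at a foreign login host is reported. In a proxy or sandbox pipeline the reported hosts, not the outer URL, are what should be fed into reputation and lookalike-domain checks.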
Once a victim entered their credentials, Diesel Vortex didn’t just log them for later use — they intercepted them in real time through Telegram-based operator panels. This is a critical distinction. Real-time interception means the group could immediately authenticate to the victim’s account before any session timeout, password reset, or anomaly detection could intervene.
Standard two-factor authentication, including TOTP codes and SMS-based verification, did not protect victims. Diesel Vortex operated an adversary-in-the-middle (AiTM, MITRE T1557) approach: when a victim completed MFA on the spoofed login page, the group relayed that code in real time to authenticate against the legitimate platform. By the time the victim realized something was wrong, the session was already compromised.
This is a direct challenge to organizations that consider MFA sufficient protection against phishing. Against AiTM-capable threat actors, it is not.
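The reason TOTP and SMS codes fall to this relay, and the reason origin-bound authenticators do not, comes down to what the platform can verify about where the second factor was used. The following is an added example, not code from Cynet or the cited researchers: it models both checks side by side. The TOTP routine is RFC 6238; the "assertion" side is a simplified stand-in for WebAuthn in which the browser records the origin it is actually on and the authenticator signs over it (HMAC replaces the real ECDSA signature so the example runs offline). Origins, seeds and keys are constructed placeholders.

```python
import hashlib
import hmac
import json
import struct

# Constructed placeholders for the legitimate platform and a lookalike page.
RP_ORIGIN = "https://platform.example"
LOOKALIKE_ORIGIN = "https://platform-login.example"

# Constructed secrets for the demo; a real deployment stores a public key for
# WebAuthn and a per-user seed for TOTP. The TOTP seed is the RFC 6238 test seed.
TOTP_SEED = b"12345678901234567890"
DEVICE_KEY = b"constructed-authenticator-key"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def rp_verify_totp(seed: bytes, submitted: str, unix_time: int) -> bool:
    """The platform's check: does the code match the current window?
    Nothing in the six digits says which page the user typed them into."""
    return hmac.compare_digest(totp(seed, unix_time), submitted)


def relayed_totp_accepted(unix_time: int = 1_700_000_000) -> bool:
    """Model of the relay described above: the victim reads the code from
    their device and types it into the lookalike page, which submits the
    same digits to the real platform inside the validity window."""
    typed_on_lookalike = totp(TOTP_SEED, unix_time)
    return rp_verify_totp(TOTP_SEED, typed_on_lookalike, unix_time)  # True


def authenticator_assert(key: bytes, challenge: str, browser_origin: str) -> dict:
    """Stand-in for a WebAuthn assertion. The browser, not the page script,
    writes the origin it is on into clientDataJSON, and the authenticator
    signs over that data. HMAC stands in for the real ECDSA signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": sig}


def rp_verify_assertion(key: bytes, challenge: str, assertion: dict) -> bool:
    """The platform's check, following the WebAuthn verification steps:
    the origin must be its own, the challenge must be the one it issued,
    and the signature must cover exactly that client data."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get" or data.get("origin") != RP_ORIGIN:
        return False
    if data.get("challenge") != challenge:
        return False
    expected = hmac.new(key, assertion["clientDataJSON"].encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def relayed_assertion_accepted() -> bool:
    """Same relay, origin-bound factor: the victim's browser is on the
    lookalike origin, so that origin is what gets signed. Forwarding the
    assertion unchanged to the platform fails the origin check."""
    challenge = "challenge-issued-by-platform"
    assertion = authenticator_assert(DEVICE_KEY, challenge, LOOKALIKE_ORIGIN)
    return rp_verify_assertion(DEVICE_KEY, challenge, assertion)  # False


def direct_assertion_accepted() -> bool:
    """Control case: the same authenticator used on the genuine origin."""
    challenge = "challenge-issued-by-platform"
    assertion = authenticator_assert(DEVICE_KEY, challenge, RP_ORIGIN)
    return rp_verify_assertion(DEVICE_KEY, challenge, assertion)  # True


if __name__ == "__main__":
    print("relayed TOTP accepted:     ", relayed_totp_accepted())
    print("relayed assertion accepted:", relayed_assertion_accepted())
    print("direct assertion accepted: ", direct_assertion_accepted())
```

The proxy cannot repair the origin field because it sits under the signature, and in real WebAuthn the credential is additionally scoped to the relying party ID, so a lookalike domain never obtains an assertion for the platform's credential in the first place. That is the property "phishing-resistant MFA" refers to, and it is absent from any code the user reads off a device and types in by hand.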
What separates Diesel Vortex from a typical credential-harvesting campaign is what the group did with the access once it had it.
Shipment redirection: Compromised broker and carrier accounts carry inherent access to active load assignments and shipment data. With that level of operational access, manipulation of freight mid-transit is a plausible downstream risk, and one consistent with the group’s demonstrated pattern of converting credential access into direct financial gain.
Check fraud: Authenticated access to logistics accounts exposed payment information and billing workflows that the group exploited to conduct fraudulent financial transactions.
Double-brokering: In this scheme, a compromised broker re-sells a load to a secondary carrier, pocketing the payment, leaving the original contracted carrier unpaid. The cargo still moves, which masks the fraud until settlement. By the time legitimate parties identify the discrepancy, the funds are gone.
The financial impact extended well beyond any single organization’s IT department. Diesel Vortex’s operations created downstream losses across carriers, shippers, and freight brokers who had no direct interaction with the phishing campaign itself, which gives the campaign a supply chain dimension: the parties who absorbed the losses were often not the ones who were phished.
Freight and logistics is an industry built on trust, speed, and thin margins. Brokers depend on rapid authentication to load boards and carrier platforms to move cargo. Verification steps that might slow legitimate business down are often minimized in the interest of operational efficiency.
Diesel Vortex understood this. The group’s choice to impersonate specifically Penske and DAT Truckstop — two platforms with broad adoption across the US freight ecosystem — reflects operational research into where credentials would yield the highest-value access.
The sector also presents a structural challenge for defenders: logistics companies range from large enterprises with mature security programs to small independent operators with minimal IT infrastructure. Diesel Vortex’s credential harvesting likely spanned both ends of that spectrum.
What Diesel Vortex achieved through manual research and operational patience, future threat actors could replicate and scale with significantly less effort. AI is already lowering the barrier to entry for several components of this attack type in ways that are directly relevant to logistics and transportation.
Highly convincing phishing lures previously required native language fluency and sector-specific knowledge. AI-generated content eliminates both requirements, enabling threat actors to produce grammatically flawless, contextually accurate emails impersonating freight brokers, load board platforms, or dispatch coordinators — tailored to specific targets based on publicly available data from LinkedIn, company websites, and industry directories. The reconnaissance that informed Diesel Vortex’s platform choices could be automated and executed at scale in a fraction of the time.
More concerning is the potential application of AI to fraud execution itself. Logistics operations generate high volumes of routine communications — load confirmations, rate negotiations, delivery updates — that follow predictable patterns. A threat actor with authenticated access to a compromised broker account and access to a language model could conduct convincing follow-on fraud conversations with carriers and shippers, sustaining the deception long enough to complete payment fraud or double-brokering schemes before detection. Voice-based AI adds another layer: vishing attacks that impersonate known contacts within a carrier network are already emerging in adjacent industries, and logistics is a natural next target given its reliance on phone-based load coordination.
The Diesel Vortex operation demonstrated that the logistics sector is both a viable and profitable attack surface. AI doesn’t change that calculus, but it does create a lower barrier to entry for a much wider range of threat actors, with less skill required and more accessible victims.
For security and IT teams in logistics and adjacent sectors:
For the broader security community:
Even if your organization is outside logistics, the Diesel Vortex playbook is directly transferable. Any sector that relies on broker platforms, load boards, or marketplace-style authentication, including real estate, supply chain management, and wholesale distribution, presents an analogous attack surface.
Diesel Vortex ran a five-month operation against a specific industry vertical, used technically mature infrastructure to bypass MFA, and converted credential access into real-world financial fraud that caused losses far beyond the organizations directly phished. None of this required zero-day exploits or nation-state resources. It required patience, sector-specific knowledge, and phishing infrastructure that most organizations weren’t looking for.
The threat is active. The techniques are documented. The defenses exist. The question is whether your organization implements them before a freight broker’s compromised DAT account becomes your problem too.
The Diesel Vortex analysis above is drawn from Cynet’s February 2026 Cyber Threat Intelligence Report — which also covers the SANDWORMMODE NPM worm, Green Blood Group ransomware, the RAMP forum seizure, five critical CVEs including a CVSS 10.0 Dell RecoverPoint vulnerability, and much more.
Download the February 2026 Cyber Threat Intelligence Report to get the complete analysis, IOCs, and defensive guidance your team needs.