Diesel Vortex Cybercrime Group Targets Global Logistics Sector

In today’s interconnected supply chain, cybersecurity in logistics is more critical than ever. Between September 2025 and February 2026, a Russian-linked cybercrime group named Diesel Vortex conducted a highly organized phishing operation targeting freight and trucking companies across the United States and Europe.

The campaign resulted in 1,649 stolen login credentials, affecting major logistics platforms like DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS), and Timocom. Beyond credential theft, attackers exploited this access to redirect shipments, steal funds, and commit invoice fraud.

This article will break down the Diesel Vortex tactics, reveal their dual-domain phishing technique, and provide actionable steps for protecting logistics operations.


Who Are Diesel Vortex?

Diesel Vortex is a Russian-speaking cybercrime group that operates a Phishing-as-a-Service (PhaaS) platform branded internally as GlobalProfit.

  • Targets: Freight and trucking companies, logistics professionals
  • Operation span: September 2025 – February 2026
  • Methods: Spearphishing emails, voice phishing, and Telegram-based real-time credential interception
  • Criminal network: Likely sells access to other bad actors under the brand “MC Profit Always”

By impersonating legitimate logistics platforms, the group captured both user logins and MFA codes, bypassing standard authentication defenses.


Attack Overview

Credential Theft and Financial Exploitation

  • Stolen credentials: 1,649 unique logins from major logistics platforms
  • Phishing domains: 52 deployed domains targeting 75,840 emails
  • EFS check fraud attempts: 35 confirmed cases

Using stolen credentials, operators could:

  • Redirect shipments for personal gain
  • Commit invoice fraud and double-brokering
  • Steal sensitive financial information from carriers

Dual-Domain Phishing Technique

Diesel Vortex used an innovative dual-domain strategy to evade detection:

  1. Victims received a link to a clean-looking “advertise domain.”
  2. A hidden “system domain” loaded inside an invisible iframe, delivering the actual phishing content.

Benefits for attackers:

  • Browser address bar showed a trusted domain
  • Phishing content remained invisible to victims and many security tools
  • Real-time credential capture through Telegram dashboards
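An added defender-side check, not from the article or the researchers' material, for the dual-domain pattern described above: given a page fetched from the visible domain, it flags iframes that are both invisible (CSS, the hidden attribute, or a 0/1 px box) and sourced from a different host. The sample page and both hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the visible "advertise domain" embeds the real phishing form from a
# separate "system domain" in a frame the victim cannot see. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body><h1>Carrier Portal</h1>
<iframe src="https://system-domain.example/login"
        style="opacity:0;position:absolute;width:1px;height:1px"></iframe>
<iframe src="/help" width="0" height="0"></iframe>
<iframe src="https://cdn.example/map" width="600" height="400"></iframe>
</body></html>
"""

# CSS that makes an element invisible while it still loads and accepts input
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)

def _px(value):
    # '0', '1px', ' 600' -> int; anything else (None, percentages) -> None
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def _is_hidden(attrs):
    # hidden by CSS, by the hidden attribute, or by a zero/one-pixel box
    style = attrs.get("style") or ""
    if "hidden" in attrs or HIDING_CSS.search(style):
        return True
    sizes = [attrs.get("width"), attrs.get("height")]
    sizes += re.findall(r"(?:width|height)\s*:\s*(\d+)px", style, re.I)
    return any(p is not None and p <= 1 for p in map(_px, sizes))

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))  # valueless attributes map to None

def find_hidden_cross_origin_iframes(html, page_url):
    """Frames that are both invisible and sourced from a host other than the page's own."""
    page_host = urlparse(page_url).hostname
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host != page_host and _is_hidden(attrs):
            findings.append({"src": src, "host": host})
    return findings
```

Run against the sample with `find_hidden_cross_origin_iframes(SAMPLE_HTML, "https://advertise-domain.example/portal")`; only the opacity-0 frame from the system domain is reported, while the relative help frame and the visible map frame are not.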

Real-Time Victim Interaction

Operators could monitor victims live and push them through fake login screens for Google, Microsoft, or Yahoo accounts, capturing email credentials alongside logistics platform logins.

Technical note: Standard OTPs and SMS-based MFA could be intercepted. Stronger protections like FIDO2 hardware keys or device-bound passkeys are necessary to prevent real-time credential theft.


Investigation Findings

Researchers from Have I Been Squatted uncovered:

  • Exposed Git directory containing source code, victim databases, internal messages, and future plans
  • SQL dump (36.6MB) confirming:
    • 52 phishing domains
    • 75,840 targeted emails
    • 35 EFS check fraud attempts

Metrics Overview:

  Metric                Value
  Stolen credentials    3,474 pairs (1,649 unique)
  Unique visitor IPs    9,016
  Phishing domains      52
  Targeted emails       75,840
  EFS check fraud       35

Why Diesel Vortex Is Dangerous

  1. Highly Targeted Attacks: Focused on logistics professionals, exploiting their daily workflow.
  2. Real-Time Credential Interception: Telegram dashboards allowed live manipulation and MFA bypass.
  3. Dual-Domain Concealment: Evades most browser security warnings and automated phishing detection.
  4. Financial Impact: Compromised invoices and shipment details enabled fraud and cargo theft.
  5. Phishing-as-a-Service (PhaaS): Diesel Vortex provided access to other criminals, scaling impact across multiple operators.

Mitigation Strategies

Strong Authentication

  • Use FIDO2 hardware keys or device-bound passkeys
  • Avoid SMS-based MFA for high-risk accounts
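An added illustration, not from the article or the researchers, of why the technical note in the Attack Overview holds and what the first bullet above buys: a WebAuthn relying party rejects an assertion whose clientDataJSON carries the wrong origin, whereas an OTP is a bare string with no origin to check. The relying-party origin and the lookalike hostname are placeholders.

```python
import base64
import json

# Placeholder relying-party origin for this illustration (assumption, not from the article)
RP_ORIGINS = {"https://portal.example"}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: str) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds during a WebAuthn
    assertion. In a real ceremony the browser, not the page, sets 'origin', and the
    authenticator signs over a hash of this structure, so it cannot be edited in transit."""
    body = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return _b64url_encode(json.dumps(body).encode())

def verify_client_data(client_data: str, expected_challenge: str):
    """The relying party's checks on clientDataJSON before it even verifies the signature.
    Returns (accepted, reason)."""
    data = json.loads(_b64url_decode(client_data))
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    if data.get("origin") not in RP_ORIGINS:
        return False, f"origin {data.get('origin')!r} is not the relying party"
    return True, "ok"

def verify_otp(submitted: str, expected: str) -> bool:
    """A time-based or SMS code is just a string: it carries no origin, so a code typed
    into a phishing page and relayed to the real site verifies exactly like a genuine one."""
    return submitted == expected

if __name__ == "__main__":
    challenge = _b64url_encode(b"constructed-challenge-bytes")
    # Genuine sign-in performed on the real portal
    print(verify_client_data(make_client_data("https://portal.example", challenge), challenge))
    # Assertion produced while the victim is on the lookalike domain and relayed live by an operator
    print(verify_client_data(make_client_data("https://advertise-domain.example", challenge), challenge))
    # The same live relay against an OTP succeeds, which is the gap the note describes
    print(verify_otp("482913", "482913"))
```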

Network and DNS Defenses

  • Implement DNS filtering to block typosquatted domains
  • Monitor for domains mimicking logistics platforms
  • Employ active threat intelligence feeds for rapid detection

Endpoint and User Awareness

  • Train employees to verify URLs before entering credentials
  • Warn users about real-time phishing via messaging apps like Telegram
  • Audit critical accounts for unusual login activity

Supply Chain Risk Management

  • Review access permissions on logistics platforms
  • Monitor for unusual shipment routing or invoice discrepancies
  • Conduct regular audits of financial transactions and digital logs

Expert Insights

  • Risk Impact: Diesel Vortex illustrates how logistics systems are high-value targets for credential theft and financial fraud.
  • Compliance Relevance: Companies handling freight and payments must comply with ISO 27001, SOC 2, and GDPR, ensuring proper endpoint monitoring and identity management.
  • Security Recommendation: Combine technical controls, employee awareness, and threat intelligence to mitigate high-risk phishing campaigns.

FAQs

1. What is Diesel Vortex?
A Russian-linked cybercrime group running phishing campaigns against the logistics sector, selling access via a PhaaS platform called GlobalProfit.

2. How does the dual-domain phishing technique work?
A trusted-looking domain loads an invisible iframe pointing to the actual phishing content, bypassing browser security warnings.

3. How can MFA be bypassed?
Real-time interception: the phishing page relays entered OTPs and SMS codes to operators through Telegram dashboards, who use them before they expire.

4. What should logistics companies do to prevent this attack?
Implement FIDO2 hardware keys, monitor for typosquatted domains, audit critical account access, and educate staff on phishing tactics.

5. Why is this operation particularly dangerous?
It targets high-value logistics workflows, intercepts MFA in real-time, and enables invoice fraud, cargo theft, and credential resale.


Conclusion

The Diesel Vortex campaign demonstrates the growing sophistication of logistics-targeted phishing attacks. By combining dual-domain concealment, real-time credential interception, and Phishing-as-a-Service, the group maximized both scale and financial impact.

Organizations must strengthen authentication, monitor typosquatted domains, and implement proactive threat intelligence to safeguard their systems and operations.

Next Step: Evaluate your logistics platform access, implement hardware MFA, and monitor for suspicious domain activity to stay ahead of advanced phishing threats.
