A sophisticated wave of cyber attacks targeting trucking carriers and freight brokers has emerged, with criminals now aiming to steal physical cargo shipments worth millions of dollars in the real world. This new threat marks a significant evolution from traditional cargo theft, leveraging digital vulnerabilities to carry out physical thefts without direct confrontation. The National Insurance Crime Bureau (NICB) reports that cargo theft losses have been escalating, reaching $6.6 billion in North America in 2025, a substantial portion of which is attributed to these increasingly digital attacks.
Previously, cargo theft relied on brute force methods. However, today’s cybercriminals utilize laptops, phishing emails, and remote access software to hijack shipments remotely. Stolen goods, ranging from consumer electronics to food products, are rapidly resold online or shipped internationally, often before the affected companies even detect the breach. This shift reflects the deep integration of organized crime into the digital landscape, preying on the expanded vulnerabilities in modern, digitized supply chains.
How Hackers Turn Remote Access Into Physical Cargo Theft
Organized crime groups are exploiting the digitization of domestic and international supply chains to facilitate cargo theft. By compromising trucking carriers and freight brokers, threat actors gain the ability to fraudulently bid on cargo shipments. They then arrange transport through legitimate channels, ultimately diverting the valuable goods to their own networks. Proofpoint analysts have identified this threat cluster, noting with high confidence that it is actively employed by organized crime syndicates.
The campaign has been active since at least June 2025, with some evidence pointing to earlier origins in January 2025. Proofpoint observed nearly two dozen campaigns since August 2025, with attack volumes varying significantly. Importantly, these threat actors do not appear to target specific companies, instead focusing on a broad range of organizations from small, family-owned businesses to large transportation firms. This widespread approach highlights the pervasive nature of the vulnerability.
Attackers employ three primary methods to gain initial network access. First, they post fraudulent freight listings on compromised load board accounts, enticing carriers to respond. Second, they hijack existing email conversations by using compromised accounts to inject malicious URLs into ongoing communications. Third, they conduct direct email campaigns targeting larger entities, including asset-based carriers, freight brokerages, and integrated supply chain providers. In each instance, malicious links embedded in emails lead to executable files (.exe or .msi). Upon execution, these files silently install remote monitoring and management (RMM) tools, granting attackers full control over the victim’s machine.
The Methodical Process of Cargo Diversion
Once an RMM tool is installed, attackers initiate a systematic process that bridges the digital breach with physical cargo theft. They commonly deploy legitimate IT tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. The effectiveness of these tools lies in their legitimate use for remote support. Because their installers are often signed and appear trustworthy, they are less likely to trigger alerts from antivirus software or network detection systems.
Following the acquisition of remote access, attackers conduct thorough system reconnaissance. They meticulously search for credentials, active load bookings, and dispatcher information. Credential harvesting tools, like WebBrowserPassView, are then utilized to extract saved passwords from the victim’s web browsers. Public discussions on social media platforms have corroborated these phishing and account takeover tactics, indicating a sharing of methods among threat actors.
The crucial step where cyber intrusion transforms into a physical crime involves the attackers manipulating freight management systems. They actively delete existing freight bookings, disable dispatcher notifications, and add their own device to the dispatcher’s phone extension. Subsequently, they rebook the targeted load under the compromised carrier’s name. This allows them to coordinate the actual transport of the stolen goods, all while the legitimate company remains unaware of the ongoing deception.
Defensive Measures and Recommendations
Organizations within the surface transportation industry are advised to implement several key defensive measures to counter these evolving threats. It is critical to restrict the download and installation of any RMM tooling that has not been explicitly approved or confirmed by an organization’s IT administrator. Implementing robust network detection rules, including the use of threat intelligence feeds like Emerging Threats, can help alert on suspicious network activity communicating with RMM servers. Furthermore, users should be trained to refrain from downloading and installing executable files from external senders via email.
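The two controls above, an allowlist of IT-approved RMM tools and alerting on anything outside it, can be prototyped as a simple log review. The following is an added example, not code from the article or from Proofpoint: it reads constructed endpoint telemetry, names the RMM tools the article lists, and flags both RMM activity that is not on the approved list and executables launched from download or mail-cache paths (the attack chain's .exe/.msi step). The hostname fragments, log format and path heuristic are assumptions for illustration, not vendor-confirmed indicators.

```python
import re
from dataclasses import dataclass
# RMM tools named in the article, mapped to ASSUMED hostname/binary fragments;
# these are placeholders, not vendor-confirmed indicators: fill them from each
# vendor's documented endpoints before relying on them.
RMM_SIGNATURES = {
    "ScreenConnect": ("screenconnect",),
    "SimpleHelp": ("simplehelp", "simple-help"),
    "PDQ Connect": ("pdq-connect", "pdq."),
    "Fleetdeck": ("fleetdeck",),
    "N-able": ("n-able",),
    "LogMeIn Resolve": ("logmein",),
}
# Paths from which a mailed .exe/.msi is typically launched (assumed heuristic).
RISKY_LAUNCH = re.compile(r"\\(downloads|inetcache|temp)\\.*\.(exe|msi)$")
# Constructed sample telemetry in key=value form (values contain no spaces).
SAMPLE_LOG = """\
2025-11-03T09:12:44Z host=DISPATCH-07 event=process_create image=C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Load_Confirmation_44812.exe parent=outlook.exe
2025-11-03T09:12:51Z host=DISPATCH-07 event=net_connect image=ScreenConnect.ClientService.exe dst=relay.screenconnect.example:443
2025-11-03T09:15:02Z host=DISPATCH-07 event=process_create image=C:\\Users\\jdoe\\Downloads\\WebBrowserPassView.exe parent=ScreenConnect.ClientService.exe
2025-11-03T09:20:10Z host=IT-ADMIN-01 event=net_connect image=pdq-connect-agent.exe dst=agent.pdq.example:443
"""

@dataclass
class Finding:
    line_no: int
    host: str
    reason: str

def rmm_tool_in(line):
    """Return the RMM tool a log line refers to, or None."""
    low = line.lower()
    for tool, frags in RMM_SIGNATURES.items():
        if any(f in low for f in frags):
            return tool
    return None

def review(lines, approved_tools):
    """Flag RMM activity outside the IT-approved set and risky installer launches."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        host = fields.get("host", "?")
        tool = rmm_tool_in(line)
        if tool and tool not in approved_tools:
            findings.append(Finding(n, host, f"unapproved RMM tool: {tool}"))
        if fields.get("event") == "process_create" and RISKY_LAUNCH.search(fields.get("image", "").lower()):
            findings.append(Finding(n, host, f"executable run from a download/cache path by {fields.get('parent', '?')}"))
    return findings
```

Running `review(SAMPLE_LOG.splitlines(), {"PDQ Connect"})` flags the mailed installer, the ScreenConnect session and the credential-dumping tool it spawned, while the approved PDQ Connect agent on the IT host produces nothing.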
Comprehensive user training programs should be integrated to educate employees on identifying and reporting suspicious emails or links to their security teams. Such training can significantly reduce the risk of successful phishing and social engineering attacks. For organizations particularly vulnerable to cargo theft, reviewing resources like the National Motor Freight Traffic Association’s Cargo Crime Reduction Framework can provide additional guidance on mitigating these significant risks.
The ongoing evolution of cyber-physical attacks targeting the logistics sector necessitates continuous vigilance and adaptation of security protocols. The coming months will likely see further refinement of these tactics by threat actors, making proactive defense and rapid response capabilities essential for trucking carriers and freight brokers seeking to protect their assets and operations in an increasingly interconnected world.