A Russian-linked cybercrime group tracked as Diesel Vortex has been identified as the operator of a widespread phishing campaign against the global logistics sector. The operation, active from September 2025 to February 2026, stole over 1,600 login credentials from professionals in the freight and trucking industries across the United States and Europe. It targeted users of prominent logistics platforms, harvesting credentials through lookalike login pages that impersonated those platforms rather than by exploiting software flaws in them.
The operation ran as a structured criminal service and is believed to have marketed its phishing infrastructure under the brand “MC Profit Always.” Diesel Vortex combined spearphishing emails with voice phishing (vishing) calls, often reaching victims through freight-focused Telegram groups. By impersonating legitimate logistics platforms such as DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS), and Timocom, the group captured usernames, passwords, and multi-factor authentication (MFA) codes in real time, so that one-time codes could be used before they expired. The resulting access was then turned into shipment redirection, financial theft, and check fraud.
Diesel Vortex: A Phishing-as-a-Service Operation Targeting Logistics
The extent of Diesel Vortex’s campaign was uncovered by analysts at Have I Been Squatted, who noticed a cluster of typosquatted domains aimed at one of their clients. Investigating one of the phishing servers, they found a publicly reachable .git directory on the web server, which allowed the full repository to be retrieved. It contained the group’s complete source code, a database of victims, internal communications, and plans for future operations. A 36.6MB SQL dump dated February 4, 2026 confirmed the scale of the operation: 52 distinct phishing domains deployed, 75,840 email addresses targeted, and 35 confirmed instances of EFS check fraud.
The impact extends well beyond stolen passwords. The compromised data also included shipment invoices and financial details, which enable invoice fraud and double-brokering. In double-brokering, a booked load is secretly resold to another carrier without the original carrier’s knowledge, and the carrier that actually hauls the freight is often never paid. The group’s platform, internally named “GlobalProfit,” was evidently being developed into a Phishing-as-a-Service (PhaaS) product for Russian-speaking criminal buyers, with cryptocurrency payment processing already integrated.
The Dual-Domain Deception: Evading Detection
A notable part of Diesel Vortex’s kit was how it kept the real phishing origin out of sight of both victims and security tooling. The kit uses two domains. Victims receive a link to an “advertise domain,” a lookalike of the impersonated platform. The page served there embeds a second, hidden “system domain” in a borderless iframe sized to the full viewport, so the victim types into the phishing form while the address bar keeps showing the advertise domain from the link they were sent; the system domain that actually serves the form is never shown anywhere in the browser interface.
According to the analysis, this split got past most standard browser warnings. The address bar and padlock describe only the top-level document, so nothing the victim can inspect reveals the framed origin, and because the advertise domain hosts no credential form of its own, it is harder to flag on URL reputation alone; a system domain that does get blocklisted can be replaced behind the same advertise domain. Operators watched victim activity in real time through a Telegram interface and pushed commands that walked users through additional fake login screens for Google, Microsoft, and Yahoo, capturing email credentials as well.
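The dual-domain pattern leaves a detectable trace in the HTML of the advertise page: a cross-origin iframe that either fills the viewport with no border or is hidden outright. The scanner below is an added example, not code from the original article or from any of the researchers named in it; it looks for exactly those two shapes of iframe in a fetched page. The page URL, the domains, and the HTML sample are constructed for illustration, and the registrable-domain check is a deliberate simplification (last two labels, no public suffix list).

```python
"""Flag cross-origin iframes that fill the viewport seamlessly or are hidden,
the structure used by a dual-domain phishing page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _style_props(style):
    """Parse an inline style attribute into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip().lower()] = value.strip().lower().replace(" ", "")
    return props


def _registrable(host):
    # Simplification (assumption): the last two labels stand in for the
    # registrable domain. A production scanner should use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def _is_cross_origin(page_url, src):
    target = urlparse(src)
    if not target.netloc:  # relative src resolves to the page's own origin
        return False
    return _registrable(target.hostname or "") != _registrable(urlparse(page_url).hostname or "")


def _is_hidden(attrs, css):
    """Frames the user cannot see: display/visibility/opacity tricks, 0/1px boxes, off-screen."""
    if "hidden" in attrs:
        return True
    if css.get("display") == "none" or css.get("visibility") == "hidden" or css.get("opacity") in {"0", "0.0"}:
        return True
    dims = [css.get("width", attrs.get("width", "")), css.get("height", attrs.get("height", ""))]
    if any(d in {"0", "0px", "1", "1px"} for d in dims):
        return True
    return any(css.get(side, "").startswith("-") for side in ("left", "top"))


def _is_seamless_full_viewport(attrs, css):
    """Frames the user sees but cannot distinguish from the page: full size, no border."""
    full = {"100%", "100vw", "100vh"}
    width = css.get("width", attrs.get("width", ""))
    height = css.get("height", attrs.get("height", ""))
    borderless = attrs.get("frameborder") == "0" or css.get("border") in {"0", "0px", "none"}
    return width in full and height in full and borderless


def scan_html(page_url, html):
    """Return one finding per cross-origin iframe that is seamless-full-viewport or hidden."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        if not _is_cross_origin(page_url, src):
            continue
        css = _style_props(attrs.get("style", ""))
        if _is_seamless_full_viewport(attrs, css):
            findings.append({"src": src, "reason": "full-viewport-seamless"})
        elif _is_hidden(attrs, css):
            findings.append({"src": src, "reason": "hidden"})
    return findings


# Constructed sample: a lookalike "advertise" page framing a separate "system" host.
# Both hostnames are invented for this example.
SAMPLE_PAGE_URL = "https://dat-truckstop-login.example/"
SAMPLE_HTML = """<!doctype html><html><head><title>Load Board Login</title></head><body>
<iframe src="https://sys-node.example/login?c=4f2a"
        style="position:fixed; top:0; left:0; width:100%; height:100%; border:0"></iframe>
<iframe src="https://sys-node.example/beacon" style="display:none"></iframe>
<iframe src="/help" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding['reason']:24} {finding['src']}")
```

Run against a page fetched from a suspect domain, the scanner reports the framed system host, which is the indicator worth blocking and feeding into takedown requests; the same-origin help frame is ignored, so ordinary widgets do not produce noise.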
Security teams are advised to move to phishing-resistant authentication such as FIDO2 hardware keys or device-bound passkeys. A WebAuthn credential is scoped to the relying party’s domain, and each assertion carries the origin the browser actually loaded, which the legitimate site verifies; an operator relaying what the victim typed in real time over Telegram therefore obtains nothing the real platform will accept. SMS codes and authenticator-app codes carry no such binding and remain usable for as long as their validity window lasts. Robust DNS filtering and continuous monitoring for typosquatted domains that mimic logistics platform names are the other critical defenses against operations like Diesel Vortex.
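Monitoring for typosquats means knowing in advance which lookalike labels to watch for. The generator below is an added example, not code from the article or from Have I Been Squatted; it produces the common permutation classes (omission, repetition, transposition, keyboard-neighbour replacement, homoglyph, hyphenation, decoy words such as “login”) for a protected brand label and matches them against a feed of newly seen domains. The keyboard adjacency map is an abbreviated assumption, the observed-domain list is constructed for the example, and the registrable-label logic is again a simplification without a public suffix list.

```python
"""Generate typosquat candidates for protected brand labels and match them
against observed domains (added example)."""

# Assumed, abbreviated QWERTY adjacency; a full map would cover every key.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "c": "xdfv", "d": "serfcx", "e": "wsdr", "i": "ujko", "k": "jiol",
    "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "r": "edft",
    "s": "awedxz", "t": "rfgy", "u": "yhji",
}
HOMOGLYPHS = {"o": "0", "i": "1", "l": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
DECOY_WORDS = ("login", "portal", "secure", "carrier", "account")


def typosquat_labels(label):
    """Return {candidate_label: technique} for every permutation of one brand label.

    The original label is excluded; the first technique that produces a
    candidate is the one recorded for it.
    """
    label = label.lower()
    variants = {}

    def add(technique, candidate):
        if candidate and candidate != label and candidate not in variants:
            variants[candidate] = technique

    for i, ch in enumerate(label):
        add("omission", label[:i] + label[i + 1:])
        add("repetition", label[:i] + ch + label[i:])
        if i + 1 < len(label) and ch != label[i + 1]:
            add("transposition", label[:i] + label[i + 1] + ch + label[i + 2:])
        for neighbour in KEYBOARD_NEIGHBOURS.get(ch, ""):
            add("replacement", label[:i] + neighbour + label[i + 1:])
        if ch in HOMOGLYPHS:
            add("homoglyph", label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if i > 0:
            add("hyphenation", label[:i] + "-" + label[i:])
    for word in DECOY_WORDS:
        add("decoy-word", f"{label}-{word}")
        add("decoy-word", f"{word}-{label}")
        add("decoy-word", label + word)
    return variants


def find_lookalikes(brands, observed_domains):
    """Map each observed domain to (brand, technique) when it looks like a brand.

    Two checks: the registrable label is a generated variant of the brand, or
    the exact brand label appears as a subdomain of some other domain.
    """
    tables = {brand.lower(): typosquat_labels(brand) for brand in brands}
    hits = {}
    for domain in observed_domains:
        labels = domain.lower().rstrip(".").split(".")
        # Simplification (assumption): second-to-last label is the registrable label.
        registrable = labels[-2] if len(labels) >= 2 else labels[0]
        for brand, variants in tables.items():
            if registrable in variants:
                hits[domain] = (brand, variants[registrable])
                break
            if brand in labels[:-2]:
                hits[domain] = (brand, "brand-as-subdomain")
                break
    return hits


# Constructed feed of "newly observed" domains for the example; none are real.
OBSERVED_DOMAINS = [
    "truckst0p.example",                 # homoglyph: o -> 0
    "turckstop.example",                 # transposition
    "truckstop-login.example",           # decoy word appended
    "truckstop.carrier-portal.example",  # real brand name as a subdomain
    "trucking-news.example",             # unrelated, should not match
    "tim0com.example",                   # homoglyph against a second brand
]

if __name__ == "__main__":
    for domain, (brand, technique) in find_lookalikes(("truckstop", "timocom", "penske"), OBSERVED_DOMAINS).items():
        print(f"{domain:36} {brand:10} {technique}")
```

In practice the observed list comes from certificate transparency logs or a newly registered domain feed, and the protected labels are the platforms the organisation actually logs in to; a hit is a candidate for the DNS block list and for a takedown request, after a human confirms it is not a legitimate partner domain.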
The investigation into Diesel Vortex’s operations is ongoing, and cybersecurity firms continue to analyze the leaked data for further infrastructure and potential targets. The state of the “GlobalProfit” PhaaS platform suggests that comparable campaigns against the logistics sector could soon be run by other actors, so defenses need to be proactive and layered rather than reliant on any single control.

