How a Russian Cyber Group Could Threaten US/EU Freight Hubs

A sophisticated criminal phishing operation reportedly targeting logistics sectors across the US and EU has been exposed by cybersecurity intelligence firm Have I Been Squatted, working alongside Ctrl Alt Intel.
The alleged threat actor group, designated "Diesel Vortex", was uncovered in February 2026 and is said to operate as a Russian-speaking cybercrime syndicate running a phishing-as-a-service (PhaaS) model under the internal brand "GlobalProfit".
Rather than relying on opportunistic tactics, Diesel Vortex seems to have been built with precision to exploit the digital infrastructure underpinning freight operations.
The syndicate has reportedly established 52 custom-built phishing domains that impersonate critical platforms such as DAT, Truckstop, Penske and Timocom.
Through Telegram-linked consoles, operators are said to intercept credentials in real time, allegedly circumventing multi-factor authentication (MFA) to gain access to load boards and fleet management portals. This access reportedly enables invoice redirection, double-brokering and fuel card fraud at significant scale.
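The domain-impersonation pattern described above (custom phishing domains mimicking DAT, Truckstop, Penske and Timocom) is something a defender can screen for in newly registered or newly observed domains. The following is an added example written for this article, not tooling from Have I Been Squatted or Ctrl Alt Intel; the brand list, the placeholder allowlist, the homoglyph table and every sample domain are constructed assumptions.

```python
import re

# Platforms the report names as impersonated; longest first so "dat" is checked last.
PROTECTED_BRANDS = ("truckstop", "timocom", "penske", "dat")
# Placeholder allowlist of the genuine platform domains (assumption; substitute the real ones).
ALLOWLIST = {"truckstop.example", "timocom.example", "penske.example", "dat.example"}
# Digit-for-letter substitutions commonly used to mimic a brand (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short labels, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label (assumes a single-label public suffix such as .com)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(domain: str):
    """Return (brand, reason) if the domain looks like a brand impersonation, else None."""
    domain = domain.lower().strip(".")
    if domain in ALLOWLIST:
        return None
    label = registrable_label(domain)
    folded = label.translate(HOMOGLYPHS)          # truckst0p -> truckstop
    tokens = [t for t in re.split(r"[-_]", folded) if t]
    for brand in PROTECTED_BRANDS:
        if folded == brand:
            return brand, ("homoglyph substitution" if label != brand
                           else "brand label on unknown domain")
        if brand in tokens:                        # dat-loads-verify
            return brand, "brand combined with extra words"
        if len(brand) >= 6 and levenshtein(folded, brand) == 1:
            return brand, "one-character typo of brand"
    return None


# Constructed sample domains for the demo; none are the group's real infrastructure.
OBSERVED = ["truckst0p-login.example", "dat-loads-verify.example", "penskee.example",
            "penske.test", "timocom.example", "update-portal.example"]


def scan(domains):
    """Map each suspicious domain to its (brand, reason) finding."""
    return {d: hit for d in domains if (hit := classify_domain(d))}
```

In practice the input would be a certificate-transparency or new-registration feed, and a hit should trigger review rather than an automatic block.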
Internal documentation from the group reveals a reportedly highly organised structure featuring dedicated roles spanning driver recruitment, mail support and call-centre operations where voice phishing is allegedly deployed to deceive dispatchers.
The scope of the operation is claimed to be substantial: 3,474 allegedly stolen credential pairs (including 1,649 unique sets) reportedly harvested from logistics professionals, 75,840 target contact emails purportedly identified within the freight sector, 35 documented check fraud attempts through Electronic Funds Source (EFS) and 52 active phishing domains allegedly deployed throughout the industry.
Deliberate targeting of logistics infrastructure
According to a researcher from Have I Been Squatted: "These platforms sit at the intersection of high transaction volumes and the targeted workforce isn't typically the primary focus of enterprise security programs."
The operation represented, in their assessment, "a deliberate, structured criminal enterprise with defined roles, revenue targets and a long-term growth strategy."
Operators have allegedly been observed directing victims to re-enter credentials multiple times – "to capture 2FA tokens before they expired" – purportedly demonstrating the hands-on, real-time approach to credential theft.
These findings emerge alongside CrowdStrike's 2026 Global Threat Report, which presents concerning developments across the wider threat landscape.
AI is said to be accelerating adversary operations: the average eCrime breakout time dropped to just 29 minutes in 2025, representing a 65% increase in speed from the previous year, with the fastest observed breakout recorded at 27 seconds. In one documented intrusion, data exfiltration is claimed to have commenced within four minutes of initial access.
AI-enabled adversaries increased operations by 89% year-over-year, with Russia-nexus FANCY BEAR allegedly deploying large language model (LLM)-enabled malware to automate reconnaissance, and eCrime actor PUNK SPIDER using AI-generated scripts to accelerate credential dumping. China-nexus activity reportedly also rose 38%, with the logistics vertical experiencing an 85% increase in targeting.
"This is an AI arms race," says Adam Meyers, Head of Counter Adversary Operations at CrowdStrike.
"Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets."
Five critical supply chain risks
Against this backdrop, the findings about Diesel Vortex are particularly concerning.
Modern freight operates on low-trust, high-speed interactions. When criminals can bypass MFA to impersonate reputable carriers on DAT or Truckstop, they could undermine the digital co-operation that allows the US$1tn freight industry to function without physical oversight.
Double-brokering already drains brokerage margins significantly. By automating credential theft from platforms including RMIS and Highway, Diesel Vortex provides mid-level criminals with the infrastructure to potentially execute thousands of scams simultaneously, resulting in cargo theft and liability that reportedly becomes difficult to trace.
The fragmented nature of logistics labour also presents vulnerabilities. The long tail of logistics, the 90% of fleets operating fewer than 10 trucks, lacks robust defences. Dispatchers working in high-pressure environments could be particularly susceptible to Diesel Vortex's voice phishing and Telegram-based attacks, potentially making smaller operators a backdoor into systems serving major shippers.
Cascading operational consequences
The ripple effects extend beyond individual carriers. When a compromised fleet fails to deliver, manufacturers could face production delays, retailers may experience stock-outs and consumers might encounter shortages. In industries operating on razor-thin margins and tight schedules, a single disrupted load could cascade into thousands of pounds in losses across multiple organisations.
The sophistication of Diesel Vortex's operation suggests a capability for coordinated, large-scale disruption. With 52 alleged active phishing domains and infrastructure designed for real-time credential harvesting, the syndicate could theoretically compromise multiple carriers simultaneously, creating systemic shocks to freight networks that may extend far beyond individual financial losses.