Most phishing campaigns steal credentials and move on. Over a 5 month period, Diesel Vortex succeeded with a more innovative approach.
This Russian-linked cybercrime group ran an undetected Phishing-as-a-Service operation targeting the freight and logistics sector from September 2025 through February 2026, according to research published by Have I Been Squatted and Ctrl-Alt-Intel. Across targets in the United States and Europe, the group harvested more than 1,600 unique login credentials. But the credential theft was just the beginning. What followed was a coordinated fraud operation that redirected shipments, laundered money through check fraud, and exploited the logistics industry’s dependence on broker platforms to run double-brokering scams at scale.
Diesel Vortex is a case study in what happens when technically sophisticated phishing infrastructure is paired with operationally mature financial fraud.
Who Is Diesel Vortex?

Diesel Vortex is a Russian-nexus cybercrime group assessed to operate with financial motivation. The group demonstrated familiarity with the freight and trucking industry’s operational workflows, platform ecosystem, and the specific trust relationships that brokers and carriers depend on to move cargo.
Their targeting was deliberate and sector-specific. Rather than running broad, opportunistic credential harvesting campaigns, Diesel Vortex focused sustained effort on logistics professionals — freight brokers, carriers, and dispatchers — who routinely authenticate to high-value platforms like Penske and DAT Truckstop. Compromising those accounts doesn’t just yield credentials. It yields operational access to active shipments, load boards, payment systems, and carrier relationships.
The group operated their phishing infrastructure under an internal platform name: “GlobalProfit.”
The Technical Attack Chain
Stage 1: Lure and Domain Spoofing
Diesel Vortex built convincing spoofed login pages impersonating well-known logistics platforms. Victims (typically freight professionals) received phishing emails or encountered redirected links that delivered them to pages visually identical to the platforms they used daily.
What made this infrastructure particularly effective was the use of Dual-Domain Deception: a seemingly legitimate advertising domain served as the outward-facing layer, with a malicious phishing iframe covertly embedded within its content. Browser-based security tools that evaluate primary domain reputation failed to flag the pages, because the primary domain had a clean reputation. The malicious payload was buried one layer deeper.
Stage 2: Real-Time Credential Interception
Once a victim entered their credentials, Diesel Vortex didn’t just log them for later use — they intercepted them in real time through Telegram-based operator panels. This is a critical distinction. Real-time interception means the group could immediately authenticate to the victim’s account before any session timeout, password reset, or anomaly detection could intervene.
Stage 3: MFA Bypass
Standard two-factor authentication, including TOTP codes and SMS-based verification, did not protect victims. Diesel Vortex operated an adversary-in-the-middle (AiTM, MITRE T1557) approach: when a victim completed MFA on the spoofed login page, the group relayed that code in real time to authenticate against the legitimate platform. By the time the victim realized something was wrong, the session was already compromised.
This is a direct challenge to organizations that consider MFA sufficient protection against phishing. Against AiTM-capable threat actors, it is not.
Beyond the Breach: Executing Fraud at Scale
What separates Diesel Vortex from a typical credential-harvesting campaign is what the group did once it had access.
Shipment redirection: Compromised broker and carrier accounts carry inherent access to active load assignments and shipment data. With that level of operational access, manipulation of freight mid-transit is a plausible downstream risk, and one consistent with the group’s demonstrated pattern of converting credential access into direct financial gain.
Check fraud: Authenticated access to logistics accounts exposed payment information and billing workflows that the group exploited to conduct fraudulent financial transactions.
Double-brokering: In this scheme, a compromised broker re-sells a load to a secondary carrier, pocketing the payment, leaving the original contracted carrier unpaid. The cargo still moves, which masks the fraud until settlement. By the time legitimate parties identify the discrepancy, the funds are gone.
The financial impact extended well beyond any single organization’s IT department. Diesel Vortex’s operations created downstream losses across carriers, shippers, and freight brokers who had no direct interaction with the phishing campaign itself, turning a credential-theft campaign into a supply chain attack whose victims were several steps removed from the original compromise.
Why the Logistics Sector Is a High-Value Target
Freight and logistics is an industry built on trust, speed, and thin margins. Brokers depend on rapid authentication to load boards and carrier platforms to move cargo. Verification steps that might slow legitimate business down are often minimized in the interest of operational efficiency.
Diesel Vortex understood this. The group’s choice to specifically impersonate Penske and DAT Truckstop — two platforms with broad adoption across the US freight ecosystem — reflects operational research into where credentials would yield the highest-value access.
The sector also presents a structural challenge for defenders: logistics companies range from large enterprises with mature security programs to small independent operators with minimal IT infrastructure. Diesel Vortex’s credential harvesting likely spanned both ends of that spectrum.
The AI Accelerant: What the Next Version of This Attack Looks Like
What Diesel Vortex achieved through manual research and operational patience, future threat actors could replicate and scale with significantly less effort. AI is already lowering the barrier to entry for several components of this attack type in ways that are directly relevant to logistics and transportation.
Highly convincing phishing lures previously required native language fluency and sector-specific knowledge. AI-generated content eliminates both requirements, enabling threat actors to produce grammatically flawless, contextually accurate emails impersonating freight brokers, load board platforms, or dispatch coordinators — tailored to specific targets based on publicly available data from LinkedIn, company websites, and industry directories. The reconnaissance that informed Diesel Vortex’s platform choices could be automated and executed at scale in a fraction of the time.
More concerning is the potential application of AI to fraud execution itself. Logistics operations generate high volumes of routine communications — load confirmations, rate negotiations, delivery updates — that follow predictable patterns. A threat actor with authenticated access to a compromised broker account and access to a language model could conduct convincing follow-on fraud conversations with carriers and shippers, sustaining the deception long enough to complete payment fraud or double-brokering schemes before detection. Voice-based AI adds another layer: vishing attacks that impersonate known contacts within a carrier network are already emerging in adjacent industries, and logistics is a natural next target given its reliance on phone-based load coordination.
The Diesel Vortex operation demonstrated that the logistics sector is both a viable and profitable attack surface. AI doesn’t change that calculus, but it does create a lower barrier to entry for a much wider range of threat actors, with less skill required and more accessible victims.
What Defenders Need to Do
For security and IT teams in logistics and adjacent sectors:
- Move beyond TOTP and SMS-based MFA. Against AiTM phishing infrastructure, these controls are bypassable. Evaluate FIDO2 hardware security keys or passkeys for high-value accounts — particularly those with access to financial systems or active shipment data. These authentication methods are phishing-resistant by design and cannot be relayed by an adversary in the middle.
- Deploy DNS-layer filtering. The Dual-Domain Deception technique relies on embedding malicious iframes within clean-reputation domains. DNS-layer controls that evaluate the full request chain — not just the top-level domain — are better positioned to catch this pattern.
- Monitor for concurrent or geographically anomalous sessions. AiTM attacks create a parallel session alongside the victim’s. Detecting simultaneous authentication events from different IP addresses or geographies for the same account is one of the most reliable post-compromise signals.
- Alert on SPF failures and email authentication mismatches. Diesel Vortex’s phishing emails contained detectable SPF anomalies. Ensure your email security stack is configured to alert — not silently accept — SoftFail results.
- Implement transaction verification controls for payment workflows. Compromised accounts used for check fraud and double-brokering exploited a lack of secondary verification on financial actions. Out-of-band confirmation for payment changes and load reassignments can break the fraud chain even after credential compromise.
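The concurrent-session signal described above, as an added detection example that is not part of the Cynet report or the original research: it parses constructed authentication log lines (not real data) and flags any account with two successful logins from different IPs or countries inside a one-hour window, the parallel-session footprint that AiTM relaying leaves behind. The log format, the `example-freight.test` accounts and the one-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data). One broker account
# logs in from two countries minutes apart; the other accounts are benign noise.
SAMPLE_EVENTS = [
    "2025-11-03T08:02:11Z broker.jane@example-freight.test 203.0.113.10 US login_success",
    "2025-11-03T08:05:40Z broker.jane@example-freight.test 198.51.100.77 NL login_success",
    "2025-11-03T08:10:02Z dispatch.bob@example-freight.test 203.0.113.22 US login_success",
    "2025-11-03T08:20:15Z dispatch.bob@example-freight.test 203.0.113.22 US login_success",
    "2025-11-03T09:30:00Z carrier.ann@example-freight.test 192.0.2.5 US login_success",
    "2025-11-03T14:00:00Z carrier.ann@example-freight.test 192.0.2.9 DE login_success",
]

# Assumed session lifetime: two logins closer together than this are treated
# as overlapping sessions.
SESSION_WINDOW = timedelta(hours=1)


def parse_event(line):
    """Split one 'timestamp user ip country outcome' log line into a dict."""
    ts, user, ip, country, outcome = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "outcome": outcome}


def find_concurrent_sessions(lines, window=SESSION_WINDOW):
    """Return (user, prev_ip, prev_country, cur_ip, cur_country, minutes_apart)
    for every pair of successful logins by the same account, within `window`,
    that came from a different IP or a different country."""
    by_user = defaultdict(list)
    for event in map(parse_event, lines):
        if event["outcome"] == "login_success":
            by_user[event["user"]].append(event)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(events):
            for prev in events[:i]:
                gap = cur["ts"] - prev["ts"]
                changed = prev["ip"] != cur["ip"] or prev["country"] != cur["country"]
                if gap <= window and changed:
                    alerts.append((user, prev["ip"], prev["country"],
                                   cur["ip"], cur["country"],
                                   int(gap.total_seconds() // 60)))
    return alerts


if __name__ == "__main__":
    for alert in find_concurrent_sessions(SAMPLE_EVENTS):
        print("possible AiTM parallel session:", alert)
```

Only the broker account is flagged: the dispatcher re-authenticated from the same IP, and the carrier’s two countries are more than an hour apart, so a real deployment would combine this with impossible-travel logic rather than rely on the window alone.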
For the broader security community:
Even if your organization is outside logistics, the Diesel Vortex playbook is directly transferable. Any sector that relies on broker platforms, load boards, or marketplace-style authentication, including real estate, supply chain management, and wholesale distribution, presents an analogous attack surface.
The Takeaway
Diesel Vortex ran a five-month operation against a specific industry vertical, used technically mature infrastructure to bypass MFA, and converted credential access into real-world financial fraud that caused losses far beyond the organizations directly phished. None of this required zero-day exploits or nation-state resources. It required patience, sector-specific knowledge, and phishing infrastructure that most organizations weren’t looking for.
The threat is active. The techniques are documented. The defenses exist. The question is whether your organization implements them before a freight broker’s compromised DAT account becomes your problem too.
Get the Full Intelligence Picture
The Diesel Vortex analysis above is drawn from Cynet’s February 2026 Cyber Threat Intelligence Report — which also covers the SANDWORMMODE NPM worm, Green Blood Group ransomware, the RAMP forum seizure, five critical CVEs including a CVSS 10.0 Dell RecoverPoint vulnerability, and much more.
Download the February 2026 Cyber Threat Intelligence Report to get the complete analysis, IOCs, and defensive guidance your team needs.