Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector

A Russian-linked cybercrime group dubbed Diesel Vortex has been systematically targeting the global freight and logistics industry, stealing over 1,600 unique login credentials from users of major logistics platforms in a sophisticated phishing campaign that ran from September 2025 through February 2026.

Campaign Overview

Security researchers at Have I Been Squatted, in collaboration with Ctrl-Alt-Intel, uncovered the operation after discovering an exposed .git directory that revealed the group’s entire infrastructure, codebase, and victim database. The investigation exposed a structured, financially driven criminal enterprise with Armenian-language coordination among operators.

Key findings from the investigation:

  • 3,474 credential pairs stolen (1,649 unique)
  • 52 phishing domains deployed
  • 75,840 target contact emails (57,092 unique)
  • 35 check fraud attempts targeting EFS
  • 9,016 unique visitor IPs tracked

Targeted Platforms

The group built dedicated phishing infrastructure impersonating platforms used daily by freight brokers, trucking companies, and supply chain operators:

  • DAT Truckstop – America’s largest freight marketplace
  • Penske Logistics – Fleet management systems
  • Electronic Funds Source (EFS) – Fuel card and payment networks
  • Timocom – European freight exchange
  • Teleroute – European load board
  • Central Dispatch – Auto transport marketplace
  • Girteka – Cross-border transport logistics

Phishing-as-a-Service Operation

Analysis of the recovered codebase revealed Diesel Vortex operates a Phishing-as-a-Service (PhaaS) platform internally branded as “GlobalProfit” and marketed to other operators as “MC Profit Always” – with “MC” likely referring to Motor Carrier operating authority identifiers.

A recovered mind map outlined the group’s entire operational structure, including:

  • Distinct functional roles: call center, mail support, programmer, and acquisition staff
  • Infiltration of logistics and trucking Telegram communities
  • Reseller and outsourcing arrangements
  • Financial tracking across revenue categories
  • Voice phishing (vishing) techniques targeting drivers

Sophisticated Nine-Stage Cloaking System

Every request to the phishing infrastructure passed through a nine-stage funnel before any phishing page was rendered, designed so that security researchers and automated scanners would never see the lure:

  1. Global kill switch – Database-controlled master toggle
  2. Scheduling gates – Time-based access restrictions
  3. IP blocklist – 254 entries covering security vendors and cloud providers
  4. ISP filtering – ipinfo.io lookups blocking 49 ASN patterns
  5. User-agent filtering – Blocking crawlers and automation tools
  6. URL parameter gates – Requiring specific GET parameters
  7. Custom path validation – Exact URL path matching
  8. Ban list checks – Additional blocklist verification
  9. Final render decision – Configurable error codes for blocked requests

Criminal Motivations

With intercepted credentials, the group was able to:

  • Invoice redirection – Diverting payments to attacker-controlled accounts
  • Double-brokering – Intercepting and re-brokering legitimate loads
  • Check fraud – Direct financial theft via EFS
  • PII theft – Harvesting personal information for further attacks
  • Account takeover – Full control of victim logistics accounts

Coordinated Takedown

A coordinated takedown effort involved Google Threat Intelligence Group, Cloudflare, GitLab, IPInfo, and Ping Identity. Microsoft Threat Intelligence Center and CrowdStrike provided additional assistance with victim notification efforts.

Implications for the Logistics Sector

This campaign highlights the logistics sector’s vulnerability to targeted phishing attacks. Unlike traditional enterprise targets, trucking companies and independent operators often lack sophisticated security programs, making them attractive targets for credential theft operations.

Organizations in the freight and logistics industry should:

  • Implement FIDO2 hardware security keys for MFA
  • Deploy DNS filtering to block known phishing domains
  • Train staff to recognize voice phishing attempts
  • Monitor for unauthorized account access
  • Use verified payment channels resistant to redirection
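The DNS filtering and monitoring recommendations above can be put into practice with a lookalike-domain check over resolver logs. The following is an added example, not code from Have I Been Squatted, Ctrl-Alt-Intel or the article: it takes the brand names of the platforms the report lists as impersonated, flags DNS queries for domains that embed or closely resemble those brands (digit-for-letter substitutions, one-edit typos, brand tokens wrapped in extra words), and emits a blocklist of the offending registrable domains. The log format, the client IPs, the lookalike domains and the allowlist of legitimate vendor domains are all constructed or assumed for illustration; populate the allowlist from each vendor's published domains before relying on it.

```python
"""Flag DNS queries for domains that imitate the logistics brands named in the report.

Added example (not the article's or the researchers' code). Brand tokens come from
the platforms listed as impersonated; everything else here is constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Brand tokens taken from the article's list of impersonated platforms.
# Longer tokens first so "login-dat-truckstop" reports "truckstop" rather than "dat".
BRAND_TOKENS = ("truckstop", "timocom", "teleroute", "centraldispatch",
                "girteka", "penske", "efs", "dat")

# ASSUMED legitimate domains to allowlist; verify against each vendor before use.
ALLOWLIST = {"dat.com", "truckstop.com", "timocom.com", "teleroute.com",
             "centraldispatch.com", "girteka.eu", "penske.com"}

# Minimal two-label public suffixes so example.co.uk resolves to the right registrable domain.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

# Digit-for-letter substitutions commonly seen in lookalike domains (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed resolver log in a simple key=value layout (not a real vendor format).
SAMPLE_LOG = """\
2026-01-14T09:12:03Z client=10.0.4.17 query=www.truckstop.com type=A
2026-01-14T09:12:41Z client=10.0.4.17 query=login-dat-truckstop.com type=A
2026-01-14T09:13:05Z client=10.0.7.3 query=timocon.com type=A
2026-01-14T09:13:22Z client=10.0.7.3 query=mail.example.org type=MX
2026-01-14T09:14:10Z client=10.0.9.8 query=portal.truckst0p-secure.net type=A
2026-01-14T09:14:55Z client=10.0.9.8 query=efs-login.co.uk type=A
2026-01-14T09:15:30Z client=10.0.2.2 query=chefs-online.com type=A
""".splitlines()

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (eTLD+1), with a tiny suffix table."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Fold digit substitutions, drop separators, and collapse the 'rn' -> 'm' trick."""
    return re.sub(r"[^a-z]", "", label.lower().translate(HOMOGLYPHS)).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch one-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_brand(host: str) -> Optional[str]:
    """Return the brand a hostname imitates, or None if it is allowlisted or unrelated."""
    reg = registrable_domain(host)
    if reg in ALLOWLIST:
        return None
    raw = reg.split(".")[0].lower().translate(HOMOGLYPHS)   # leftmost label, digits folded
    folded = normalize(raw)
    for brand in BRAND_TOKENS:
        # Brand as a distinct token ("efs-login"), so "chefs-online" does not trip on "efs".
        if re.search(rf"(?<![a-z]){brand}(?![a-z])", raw):
            return brand
        # For longer brands also accept embedding ("truckstopsecure") or a one-edit typo ("timocon").
        if len(brand) >= 6 and (brand in folded or levenshtein(folded, brand) <= 1):
            return brand
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Yield (client, queried name, imitated brand) for every suspicious query in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        brand = match_brand(m["query"])
        if brand:
            findings.append((m["client"], m["query"].lower().rstrip("."), brand))
    return findings


def build_blocklist(findings: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Collapse findings to the registrable domains a resolver should sinkhole."""
    return sorted({registrable_domain(query) for _, query, _ in findings})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for client, query, brand in hits:
        print(f"{client} queried {query} (imitates {brand})")
    print("blocklist:", build_blocklist(hits))
```

Two design points: the brand-token check uses letter boundaries on the raw label so common words containing a short brand ("chefs") are not flagged, while the embedding and edit-distance checks are only applied to brands of six or more characters to keep false positives down; and a hit names the client that made the query, which is what the "monitor for unauthorized account access" step needs, since a workstation resolving a lookalike of a platform the company uses is the earliest signal that a credential may have been phished.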

Source: Have I Been Squatted