
    Phishing campaign targets freight and logistics orgs in the US, Europe

    By admin, February 25, 2026

    A financially motivated threat group dubbed “Diesel Vortex” is stealing credentials from freight and logistics operators in the U.S. and Europe in phishing attacks using 52 domains.

    In a campaign that has been running since September 2025, the threat actor has stolen 1,649 unique credentials from platforms and service providers critical in the freight industry.

    Some of the Diesel Vortex victims include DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source (EFS).


    Researchers at the typosquatting monitoring platform Have I Been Squatted uncovered the campaign after finding an exposed repository containing an SQL database from a phishing project that the threat actor called Global Profit and marketed to other cybercriminals under the name MC Profit Always.

    The repository also included a file with Telegram webhook logs that revealed communications between the phishing service operators. Based on the language used, the researchers believe that Diesel Vortex is an Armenian-speaking actor connected to Russian infrastructure.

    Have I Been Squatted’s analysis efforts were joined by tokenization infrastructure provider Ctrl-Alt-Intel, which connected the dots between operators, infrastructure, and connections to various companies using open-source intelligence.

    In a lengthy technical report, the typosquatting protection provider states that it uncovered nearly 3,500 stolen credential pairs, with 1,649 of them being unique.

    [Figure: Volume of Diesel Vortex credential theft. Source: Have I Been Squatted]

    The researchers say that they also found a link to a mind map created by a member of the group, which describes a “highly organised operation” complete with a call-centre, mail support, programmer roles, and staff responsible for finding drivers, carriers, and logistics contacts.

    Furthermore, the map provided details about acquisition channels that included the DAT One marketplace, email campaigns, rate confirmation fraud, and revenue for various operational tiers.

    “The [Diesel Vortex] group built dedicated phishing infrastructure for platforms used daily by freight brokers, trucking companies, and supply chain operators. Load boards, fleet management portals, fuel card systems, and freight exchanges were all in scope,” Have I Been Squatted researchers say.

    “These platforms sit at the intersection of high transaction volumes and the targeted workforce isn’t typically the primary focus of enterprise security programs, and the operators clearly knew it.”

    The attacks involve sending phishing emails to targets via a phishing kit’s mailer, using Zoho SMTP and Zeptomail, and using Cyrillic homoglyph tricks in the sender and subject fields to evade security filters.
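A defender-side check for the homoglyph trick described above, as an added example that is not from the Have I Been Squatted report: it decodes RFC 2047 encoded words in the From and Subject headers and flags any word that mixes Latin and Cyrillic letters. The sample message, its sender name and the address are constructed for illustration.

```python
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header

# Constructed sample: Cyrillic "о" (U+043E) and "а" (U+0430) replace Latin letters.
SAMPLE = "\n".join([
    "From: =?utf-8?q?Dispatch_Supp=D0=BErt?= <notify@example.com>",
    "Subject: =?utf-8?q?R=D0=B0te_c=D0=BEnfirmation_required?=",
    "",
    "body",
])

def script_of(ch):
    """Return 'LATIN' or 'CYRILLIC' for a letter in those scripts, else None."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script
    return None

def mixed_script_tokens(text):
    """Whitespace-separated tokens containing both Latin and Cyrillic letters."""
    hits = []
    for token in text.split():
        scripts = {script_of(c) for c in token} - {None}
        if scripts == {"LATIN", "CYRILLIC"}:
            hits.append(token)
    return hits

def scan_headers(raw_message):
    """Map header name -> mixed-script tokens found in From and Subject."""
    msg = message_from_string(raw_message)
    findings = {}
    for field in ("From", "Subject"):
        # Decode =?charset?q?...?= words before inspecting the characters.
        value = str(make_header(decode_header(msg.get(field, ""))))
        hits = mixed_script_tokens(value)
        if hits:
            findings[field] = hits
    return findings

if __name__ == "__main__":
    for field, tokens in scan_headers(SAMPLE).items():
        print(field, [t.encode("unicode_escape").decode() for t in tokens])
```

Words written entirely in Cyrillic are deliberately not flagged, so legitimate Cyrillic-language mail passes; a lookalike word built only from Cyrillic letters needs a separate confusables comparison against protected brand names.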

    Voice phishing and infiltration into Telegram channels frequented by trucking and logistics personnel were also used in the attacks.

    When a victim clicks a phishing link, they land on a minimal HTML page on a ‘.com’ domain with a full-screen iframe that loads the phishing content, followed by a 9-stage cloaking process on the system domain (.top/.icu).

    The phishing pages are pixel-level clones of the targeted logistics platforms. Depending on the target, they may capture credentials, permit data, MC/DOT numbers, RMIS login details, PINs, two-factor authentication codes, security tokens, payment amounts, payee names, and check numbers.

    [Figure: Two phishing pages used in the same attack. Source: Have I Been Squatted]

    The phishing process is under the direct control of the operator, who decides when to approve steps and activate the next phases via Telegram bots.

    Possible actions include requesting a password for Google, Microsoft Office 365, and Yahoo, 2FA methods, redirecting the victim, or even blocking them mid-session.

    [Figure: Overview of the attack. Source: Have I Been Squatted]

    The researchers state that the Diesel Vortex operation, including panel and phishing domains and GitLab repositories, was disrupted following a coordinated action involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center.

    For its part, Ctrl-Alt-Intel conducted an OSINT investigation starting from operators’ Telegram chats in Armenian about stealing cargo or funds, and an email address.

    Along with a domain name found in the phishing panel’s source code, the researchers revealed connections to individuals and companies in Russia involved in wholesale trade, transportation, and warehousing.

    The researchers noted that “the same email identified used to register phishing infrastructure appears in [Russian] corporate filings for logistics companies operating in the same vertical targeted by Diesel Vortex.”

    Based on the uncovered evidence, the researchers determined that Diesel Vortex stole credentials and also coordinated activities related to freight impersonation, mailbox compromise, and double-brokering or cargo diversion.

    Double brokering refers to using stolen carrier identities to book loads and then reassigning or diverting the freight, which allows the goods to be sent to fraudulent pickup points where they can be stolen.

    The full indicators of compromise (IoCs), including network, Telegram, infrastructure, email, and cryptocurrency addresses, are available at the bottom of the Have I Been Squatted report.

