A Russian-linked cybercrime group named Diesel Vortex has been quietly running a large phishing operation against freight and trucking companies across the United States and Europe.
The campaign ran from September 2025 through February 2026 and resulted in more than 1,649 stolen login credentials from users of major logistics platforms, including DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS), and Timocom.
The group did not operate alone. It ran as a structured criminal service, likely selling phishing access to other bad actors under the brand name “MC Profit Always.”
Operators used spearphishing emails and voice phishing calls to reach trucking professionals, often targeting freight-focused Telegram groups.
By impersonating the very platforms their victims used daily, the group intercepted logins and multi-factor authentication (MFA) codes in real time, then used that access to redirect shipments, steal funds, and commit check fraud.
Have I Been Squatted analysts identified the operation after spotting a suspicious cluster of typosquatted domains linked to one of their customers.
During the investigation, researchers found an exposed Git directory on a phishing server, which revealed the group’s full source code, victim database, internal messages, and future plans.
Domain architecture (Source – Have I Been Squatted)
A 36.6MB SQL dump from February 4, 2026, confirmed the full scope — 52 phishing domains deployed, 75,840 targeted contact emails, and 35 confirmed EFS check fraud attempts.
The damage extended well beyond stolen passwords. Compromised data included shipment invoices and financial details, enabling invoice fraud and double-brokering — where cargo is secretly resold to other carriers, leaving the original carrier unpaid.
The platform, internally branded “GlobalProfit,” was being shaped into a Phishing-as-a-Service (PhaaS) product for Russian-speaking criminal buyers, with cryptocurrency payment processing already in place.
The Dual-Domain Deception
Perhaps the most technically striking part of this operation was how the group kept its phishing pages hidden from both victims and security tools.
The platform used two domains working together. Victims received a link pointing to a clean-looking “advertise domain.” Once clicked, the page secretly embedded a second, hidden “system domain” inside an invisible browser frame.
Penske iframe elements inspector (Source – Have I Been Squatted)
The victim’s address bar always showed the trusted-looking domain, while the real phishing content loaded quietly inside it.
Metric: Value
Stolen credentials: 3,474 pairs, 1,649 unique
Unique visitor IPs: 9,016
Phishing domains: 52
Target emails: 75,840
EFS check fraud: 35
This technique bypassed most browser security warnings because browsers evaluate the top-level page, not frames embedded within it.
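A defender-side check for the dual-domain pattern described above, added here as an example and not code from the article or from the group: it parses a page and flags iframes that load a document from a different host than the address-bar origin while covering the viewport or being hidden by CSS. The page URL, hostnames and HTML are constructed placeholders, not indicators from the campaign.

```python
"""Flag cross-origin iframes that fill or hide the viewport: the shape of the
"advertise domain" wrapping a hidden "system domain". Added example only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the top-level "advertise" page framing a second host.
# All hostnames are placeholders, not real indicators from the campaign.
SAMPLE_PAGE_URL = "https://advertise-domain.example/login"
SAMPLE_HTML = """
<html><body>
<iframe src="https://system-domain.example/penske/login"
        style="position:fixed;top:0;left:0;width:100vw;height:100vh;border:0"></iframe>
<iframe src="https://cdn.example/help" width="300" height="200"></iframe>
<iframe src="https://advertise-domain.example/pixel" style="opacity:0;width:1px"></iframe>
</body></html>
"""

# CSS that makes a frame invisible, or stretches it over the whole viewport.
HIDDEN_STYLE = re.compile(r"opacity\s*:\s*0(?![.\d])|visibility\s*:\s*hidden|display\s*:\s*none")
FULL_VIEWPORT = re.compile(r"width\s*:\s*100(?:vw|%)|height\s*:\s*100(?:vh|%)")


class _IframeCollector(HTMLParser):
    """Collect the attribute map of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def suspicious_iframes(page_url, html):
    """Return (src, reason) for each iframe whose host differs from the
    top-level page host and which is hidden or viewport-sized."""
    page_host = urlparse(page_url).hostname
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # same origin or no src: not the dual-domain pattern
        style = (attrs.get("style") or "").lower()
        if HIDDEN_STYLE.search(style):
            findings.append((src, "cross-origin iframe hidden via CSS"))
        elif FULL_VIEWPORT.search(style):
            findings.append((src, "cross-origin iframe covering the viewport"))
    return findings
```

The verdict depends on the top-level origin: the same HTML served from the "system" host would instead flag the hidden frame pointing back at the "advertise" host.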
Operator Console – Session showing a Highway carrier with MC – DOT details before credential capture (Source – Have I Been Squatted)
From Telegram, operators could see each victim in real time and push commands — steering them through fake Google, Microsoft, or Yahoo login screens to capture email credentials too.
Security teams defending against this type of attack should adopt FIDO2 hardware keys or device-bound passkeys, since Telegram-based real-time interception defeats standard one-time passwords and SMS codes.
DNS filtering and active monitoring for typosquatted domains mimicking logistics platform names are also critical defensive steps.

