Phishing campaign targets freight and logistics orgs in the US, Europe

A financially motivated threat group dubbed “Diesel Vortex” is stealing credentials from freight and logistics operators in the U.S. and Europe in phishing attacks using 52 domains.

In a campaign that has been running since September 2025, the threat actor has stolen 1,649 unique credentials from platforms and service providers critical to the freight industry.

Some of the Diesel Vortex victims include DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source (EFS).


Researchers at the typosquatting monitoring platform Have I Been Squatted uncovered the campaign after finding an exposed repository containing an SQL database from a phishing project that the threat actor called Global Profit and marketed to other cybercriminals under the name MC Profit Always.

The repository also included a file with Telegram webhook logs that revealed communications between the phishing service operators. Based on the language used, the researchers believe that Diesel Vortex is an Armenian-speaking actor connected to Russian infrastructure.

Have I Been Squatted’s analysis was joined by tokenization infrastructure provider Ctrl-Alt-Intel, which used open-source intelligence (OSINT) to map the links between the operators, their infrastructure, and various companies.

In a lengthy technical report, the typosquatting protection provider states that it uncovered nearly 3,500 stolen credential pairs, with 1,649 of them being unique.

Volume of Diesel Vortex credential theft
Source: Have I Been Squatted

The researchers say that they also found a link to a mind map created by a member of the group, which describes a “highly organised operation” complete with a call-centre, mail support, programmer roles, and staff responsible for finding drivers, carriers, and logistics contacts.

Furthermore, the map provided details about acquisition channels that included the DAT One marketplace, email campaigns, rate confirmation fraud, and revenue for various operational tiers.

“The [Diesel Vortex] group built dedicated phishing infrastructure for platforms used daily by freight brokers, trucking companies, and supply chain operators. Load boards, fleet management portals, fuel card systems, and freight exchanges were all in scope,” Have I Been Squatted researchers say.

“These platforms sit at the intersection of high transaction volumes and the targeted workforce isn’t typically the primary focus of enterprise security programs, and the operators clearly knew it.”

The attacks involve sending phishing emails to targets via the phishing kit’s mailer, which uses Zoho SMTP and Zeptomail, and inserting Cyrillic homoglyphs into the sender and subject fields to evade security filters.
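The homoglyph trick above works because a Cyrillic “а” or “о” renders identically to its Latin counterpart, so a filter that only matches ASCII keywords never sees “Rate Confirmation” in the subject. The following script is an added example, not code from the report or from Have I Been Squatted: it decodes RFC 2047 encoded words the way a mail client would, then flags any token whose letters mix Unicode scripts, or that is written entirely in Cyrillic while the rest of the header is Latin. The sample headers and the small Cyrillic-to-Latin lookalike table are constructed for this example; a production filter should load the full Unicode TR39 confusables list instead.

```python
import unicodedata
from email.header import decode_header

# Constructed subset of Cyrillic letters that render like Latin ones (escaped so
# the code points are unambiguous). Real deployments should use Unicode TR39's
# confusables table, which is far larger.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0406": "I", "\u0408": "J", "\u0405": "S",
}

# Constructed sample headers, not taken from the report. The fourth value is an
# RFC 2047 encoded word for "TIMOCOM Support" in which the "S" is Cyrillic U+0405.
SAMPLE_HEADERS = [
    ("From", "DAT One Support <support@example.com>"),
    ("Subject", "Rate Confirmation"),
    ("Subject", "R\u0430te C\u043enfirm\u0430tion"),
    ("From", "=?UTF-8?B?VElNT0NPTSDQhXVwcG9ydA==?= <noreply@example.com>"),
    ("Subject", "\u0410\u0421\u0421\u0415\u0405\u0405 Restored"),
]


def decode_header_value(raw):
    """Decode RFC 2047 encoded words so the check sees what the mail client renders."""
    parts = []
    for piece, charset in decode_header(raw):
        if isinstance(piece, bytes):
            piece = piece.decode(charset or "ascii", errors="replace")
        parts.append(piece)
    return "".join(parts)


def script_of(ch):
    """Rough script classification from the Unicode name: LATIN, CYRILLIC, GREEK, ..."""
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:
        return "UNKNOWN"


def skeleton(token):
    """What the token looks like to a reader once lookalikes are mapped back to Latin."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in token)


def scan_header(name, raw):
    """Return one finding per suspicious whitespace-separated token in a header."""
    text = decode_header_value(raw)
    header_scripts = {script_of(c) for c in text if c.isalpha()}
    findings = []
    for token in text.split():
        scripts = {script_of(c) for c in token if c.isalpha()}
        if not scripts:
            continue
        mixed = len(scripts) > 1  # e.g. Latin "R" next to Cyrillic "a" in one word
        # A word written wholly in Cyrillic inside an otherwise Latin header.
        swapped = scripts == {"CYRILLIC"} and "LATIN" in header_scripts
        if mixed or swapped:
            findings.append({
                "header": name,
                "token": token,
                "scripts": sorted(scripts),
                "skeleton": skeleton(token),
                "reason": "mixed-script token" if mixed else "whole-word script switch",
            })
    return findings


def scan_headers(headers):
    """Scan a list of (header-name, raw-value) pairs and collect all findings."""
    findings = []
    for name, raw in headers:
        findings.extend(scan_header(name, raw))
    return findings


if __name__ == "__main__":
    for f in scan_headers(SAMPLE_HEADERS):
        print(f"{f['header']}: {f['token']!r} reads as {f['skeleton']!r} "
              f"({f['reason']}, scripts={f['scripts']})")
```

The whole-word rule will also fire on legitimate bilingual mail (a Russian subject prefixed with “Re:”), so organisations that routinely exchange Cyrillic mail should scope it to headers that are expected to be Latin-only, such as display names that claim to be a known vendor.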

Voice phishing and infiltration of Telegram channels frequented by trucking and logistics personnel were also used in the attacks.

When a victim clicks a phishing link, they land on a minimal HTML page on a ‘.com’ domain with a full-screen iframe that loads the phishing content, followed by a 9-stage cloaking process on the system domain (.top/.icu).
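The landing page described above has a recognisable shape: a near-empty HTML document on one domain whose only real content is a viewport-sized iframe pulling from a different domain. The following is an added example, not code from the report: a small check a URL-scanning or sandbox pipeline could run on fetched HTML to flag that shape. It parses the page with the standard library, collects iframes and visible text, and reports any cross-origin iframe styled to fill the screen on a page with almost no visible text. The two sample pages and their hostnames are constructed for this example; it does not model the later cloaking stages.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples, not taken from the report. Hostnames use reserved test
# domains so nothing here points at a real site.
LANDING_URL = "https://freight-portal-login.example.com/"
LANDING_HTML = """<!doctype html><html><head><title>Loading</title></head>
<body style="margin:0">
<iframe src="https://system.invalid/a/b/" style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>
</body></html>"""

BENIGN_URL = "https://blog.example.com/post"
BENIGN_HTML = """<html><body>
<h1>Quarterly update</h1>
<p>This post explains the changes we rolled out to carrier onboarding this quarter and what they mean for brokers.</p>
<iframe width="560" height="315" src="https://video.example.net/embed/123"></iframe>
</body></html>"""


class PageCollector(HTMLParser):
    """Collect iframe attributes and the text a user would actually see."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.text_chunks = []
        self._skip_depth = 0  # inside <script>/<style>, whose text is never rendered

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth and data.strip():
            self.text_chunks.append(data.strip())


def is_fullscreen(attrs):
    """True when the iframe is sized to cover the viewport, via CSS or width/height attributes."""
    style = attrs.get("style", "").replace(" ", "").lower()
    covers_by_style = "width:100%" in style and "height:100%" in style
    covers_by_attrs = (attrs.get("width", "").strip() == "100%"
                       and attrs.get("height", "").strip() == "100%")
    return covers_by_style or covers_by_attrs


def assess_landing_page(page_url, html, max_visible_chars=80):
    """Flag pages that are little more than a full-screen iframe loading another host."""
    parser = PageCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    visible = " ".join(parser.text_chunks)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        frame_host = (urlparse(src).hostname or "").lower()
        cross_origin = bool(frame_host) and frame_host != page_host
        if cross_origin and is_fullscreen(frame) and len(visible) <= max_visible_chars:
            findings.append({
                "page_host": page_host,
                "frame_host": frame_host,
                "frame_src": src,
                "visible_chars": len(visible),
            })
    return findings


if __name__ == "__main__":
    for url, html in ((LANDING_URL, LANDING_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(url, "->", assess_landing_page(url, html) or "no finding")
```

Relative or same-origin iframe sources are deliberately not flagged, and a page that assembles the iframe with JavaScript after load will not be caught by static parsing alone; this check is a cheap first-pass signal to pair with a rendered-DOM capture, not a replacement for one.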

The phishing pages are pixel-level clones of the targeted logistics platforms. Depending on the target, they may capture credentials, permit data, MC/DOT numbers, RMIS login details, PINs, two-factor authentication codes, security tokens, payment amounts, payee names, and check numbers.

Two phishing pages used in the same attack
Source: Have I Been Squatted

The phishing flow is under the direct control of the operator, who decides when to approve each step and trigger the next phase via Telegram bots.

Possible actions include requesting a password for Google, Microsoft Office 365, or Yahoo accounts, prompting for 2FA methods, redirecting the victim, or even blocking them mid-session.

Overview of the attack
Source: Have I Been Squatted

The researchers state that the Diesel Vortex operation, including panel and phishing domains and GitLab repositories, was disrupted following a coordinated action involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center.

For its part, Ctrl-Alt-Intel conducted an OSINT investigation starting from operators’ Telegram chats in Armenian about stealing cargo or funds, and an email address.

Along with a domain name found in the phishing panel’s source code, the researchers revealed connections to individuals and companies in Russia involved in wholesale trade, transportation, and warehousing.

The researchers noted that “the same email identifier used to register phishing infrastructure appears in [Russian] corporate filings for logistics companies operating in the same vertical targeted by Diesel Vortex.”

Based on the uncovered evidence, the researchers determined that Diesel Vortex stole credentials and also coordinated activities related to freight impersonation, mailbox compromise, and double-brokering or cargo diversion.

Double brokering refers to the use of stolen carrier identities to book loads and then reassign or divert the freight, which allows the goods to be sent to fraudulent pickup points where they are stolen.

The full indicators of compromise (IoCs), including network, Telegram, infrastructure, email, and cryptocurrency addresses, are available at the bottom of the Have I Been Squatted report.
