How did Russian Threat Actors Target US/EU Freight Hubs?

A structured phishing campaign reportedly targeting logistics organisations across the US and EU has been exposed by cybersecurity intelligence firm Have I Been Squatted, working alongside Ctrl Alt Intel.
Identified in February 2026, the group – designated “Diesel Vortex” – is described as a Russian-speaking cybercrime syndicate operating a phishing-as-a-service (PhaaS) model under the internal brand “GlobalProfit.”
Investigators say the operation was engineered specifically to exploit freight-sector digital platforms rather than relying on broad, opportunistic phishing tactics.
At the centre of the campaign are 52 custom-built phishing domains impersonating freight and fleet management platforms including DAT, Truckstop, Penske and Timocom.
Through Telegram-linked consoles, operators allegedly harvest credentials in real time. Researchers claim authentication flows are intercepted and multi-factor authentication (MFA) protections reportedly bypassed to gain access to load boards and fleet portals.
That access allegedly enables invoice redirection, double-brokering schemes and fuel card fraud at scale.
Structured operations and credential theft
Investigators describe Diesel Vortex as more than a loose cybercriminal network.
Internal documentation reportedly reveals defined operational roles spanning driver recruitment, mail support and call-centre activity, where voice phishing is allegedly used to manipulate dispatchers.
One researcher characterised the group as: "a deliberate, structured criminal enterprise with defined roles, revenue targets and a long-term growth strategy."
Operators have reportedly been observed directing victims to re-enter login details multiple times "to capture 2FA tokens before they expired", demonstrating what researchers describe as a hands-on, session-based approach to credential theft.
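As an added defensive illustration (not from the article or the researchers), the following Python snippet runs a simple detector over a few constructed authentication log lines to surface the pattern described above: repeated MFA prompts within a short window, and an MFA success arriving from a different source IP than the password submission, which is what a real-time phishing relay looks like from the identity provider's side. The log format, field names, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user event source_ip".
# dispatcher1 is re-prompted three times, then the MFA success arrives from
# a different IP (the relay); broker2 is a normal single login.
SAMPLE_LOG = """\
2026-02-10T08:01:02Z dispatcher1 password_ok 203.0.113.10
2026-02-10T08:01:05Z dispatcher1 mfa_prompt 203.0.113.10
2026-02-10T08:01:48Z dispatcher1 password_ok 203.0.113.10
2026-02-10T08:01:50Z dispatcher1 mfa_prompt 203.0.113.10
2026-02-10T08:02:31Z dispatcher1 password_ok 203.0.113.10
2026-02-10T08:02:33Z dispatcher1 mfa_prompt 203.0.113.10
2026-02-10T08:02:40Z dispatcher1 mfa_ok 198.51.100.7
2026-02-10T09:15:00Z broker2 password_ok 192.0.2.20
2026-02-10T09:15:04Z broker2 mfa_prompt 192.0.2.20
2026-02-10T09:15:20Z broker2 mfa_ok 192.0.2.20
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip))
    return events

def detect_mfa_relay(events, window=timedelta(minutes=3), min_prompts=3):
    """Return {user: [reasons]} for MFA successes preceded by >= min_prompts
    prompts within `window`, or whose source IP differs from the password submission."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for i, (ts, _, event, ip) in enumerate(evs):
            if event != "mfa_ok":
                continue
            recent = [e for e in evs[:i] if ts - e[0] <= window]
            prompts = sum(1 for e in recent if e[2] == "mfa_prompt")
            pw_ips = {e[3] for e in recent if e[2] == "password_ok"}
            reasons = []
            if prompts >= min_prompts:
                reasons.append(f"{prompts} MFA prompts within {window}")
            if pw_ips and ip not in pw_ips:
                reasons.append(f"MFA success from {ip}, password submitted from {sorted(pw_ips)}")
            if reasons:
                findings[user] = reasons
    return findings
```

On the sample, `detect_mfa_relay(parse_log(SAMPLE_LOG))` flags only dispatcher1, with both reasons; tune `window` and `min_prompts` to your own baseline of legitimate re-prompts.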
The alleged scale of compromise is significant:
- 3,474 stolen credential pairs, including 1,649 unique sets
- 75,840 target contact emails identified within the freight sector
- 35 documented check fraud attempts through Electronic Funds Source (EFS)
- 52 active phishing domains deployed across logistics platforms
According to a researcher from Have I Been Squatted: "These platforms sit at the intersection of high transaction volumes and the targeted workforce isn't typically the primary focus of enterprise security programs."
Freight platforms as high-velocity cyber targets
Modern freight operations rely on rapid, low-trust digital interactions between brokers, carriers and dispatch teams.
When attackers can impersonate legitimate carriers on platforms such as DAT or Truckstop, they risk undermining the trust framework that allows the US$1tn freight industry to function without physical oversight.
Double-brokering already impacts brokerage margins. By automating credential theft across platforms including RMIS and Highway, Diesel Vortex allegedly lowers the barrier to entry for mid-level criminals, enabling potentially thousands of simultaneous fraud attempts involving cargo theft and financial diversion.
The sector’s labour structure compounds exposure.
The long tail of logistics – 90% of fleets operating fewer than 10 trucks – often lacks mature cybersecurity controls.
Dispatchers working in high-pressure environments may be particularly susceptible to voice phishing and Telegram-based social engineering, potentially giving attackers indirect access into systems serving major shippers.
AI acceleration across the threat landscape
The exposure of Diesel Vortex aligns with wider findings from CrowdStrike's 2026 Global Threat Report, which highlights accelerating adversary timelines.
According to the report, the average eCrime breakout time dropped to 29 minutes in 2025 – a 65% increase in speed from the previous year – with the fastest observed breakout occurring in 27 seconds.
In one documented case, data exfiltration reportedly began within four minutes of initial access.
AI-enabled adversary operations rose 89% year-over-year. Russia-nexus FANCY BEAR allegedly deployed large language model (LLM)-enabled malware to automate reconnaissance, while eCrime actor PUNK SPIDER used AI-generated scripts to accelerate credential dumping.
China-nexus activity increased 38%, with the logistics vertical experiencing an 85% rise in targeting.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, says: "This is an AI arms race. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets."
Beyond fraud: systemic cyber risk
Researchers warn that the consequences extend beyond individual account compromise.
When a fleet is breached and fails to deliver contracted loads, manufacturers may face production delays, retailers could encounter stock shortages and financial penalties can ripple across multiple organisations.
In sectors operating on tight margins and compressed schedules, a single compromised credential can cascade into widespread operational disruption.
With 52 alleged active phishing domains and infrastructure designed for simultaneous, real-time credential harvesting, Diesel Vortex demonstrates how sector-specific phishing campaigns can evolve into coordinated, scalable cyber operations.
The concern is no longer limited to fraud at the transaction level, but the potential for systemic shock to digitally connected freight ecosystems.