
Russia-linked phishing ring targeted Western cargo firms

Researchers say a structured criminal operation used phishing to infiltrate freight platforms and divert shipments across the U.S. and Europe.


What happened

Researchers uncovered and disrupted a phishing campaign known as Diesel Vortex that targeted freight and logistics companies across the United States and Europe. According to reporting by The Record, the group stole more than 1,600 login credentials over five months, which were then used for shipment diversion, double brokering scams (loads fraudulently reassigned to another carrier), and check fraud. The operation was exposed after researchers discovered an exposed .git directory: the metadata folder of a Git repository left reachable on a public web server, which hands a visitor the source files, configuration, and the full commit history of the project. The leaked data showed a phishing-as-a-service platform called “MC Profit Always,” with MC likely standing for motor carrier, and detailed infrastructure built to impersonate carriers and brokers on load boards, fleet systems, and fuel card platforms in order to intercept shipments and manipulate payments.


Going deeper

An exposed online repository revealed that Diesel Vortex operated as a structured criminal organization rather than a loose group of scammers. Researchers found evidence of defined roles, including a call center, support staff, and team members assigned to communicate directly with truck drivers and logistics contacts. Internal messages referenced Armenian-language conversations and coordination from Yerevan, while domain registration records showed infrastructure linked to Russian providers and a Russian-registered email address tied to transportation businesses. The group used a tactic known as double brokering, where freight loads are booked using stolen carrier credentials and then reassigned to another carrier, enabling cargo theft or diversion. Their phishing setup specifically targeted freight management platforms used for shipment scheduling, carrier verification, and payment processing, exploiting the digital systems that logistics companies rely on daily.


What was said

Researchers wrote in their analysis, “This blueprint only reinforced what the codebase had already made clear: this was not an opportunistic campaign. It was a deliberate, structured criminal enterprise with defined roles, revenue targets, and a long-term growth strategy.” The comment appeared in findings that detailed an exposed online repository, meaning a publicly accessible storage space for code, along with internal communications uncovered during the investigation. Recorded Future News reported that outreach to the email address connected to the Russian-registered domain had not received a response as of press time.


In the know

Cargo theft is increasing as freight and logistics operations become more digitized, with global losses estimated at roughly $35 billion a year and organized groups increasingly using cyber tactics to infiltrate systems. In June 2025, the National Insurance Crime Bureau documented a campaign targeting trucking and logistics companies through remote monitoring and management (RMM) software used to maintain persistent access, warning that “the theft of goods in transit in the U.S. rose 27% in 2024 and is expected to spike another 22% this year.” Lawmakers have begun responding; in January 2026, the U.S. House Judiciary Committee advanced the Combatting Organized Retail Crime Act of 2025 to coordinate a federal response and introduce tougher penalties for laundering and reselling stolen cargo.


The big picture

The highly structured infrastructure behind the Diesel Vortex campaign shows a growing crisis of “foundational configuration gaps” that leave enterprises exposed to professionalized criminal rings. According to the Paubox 2026 Healthcare Email Security Report, 41% of breached organizations now fall into a “High Risk” category due to weak authentication controls, up from 31% the previous year. Weak authentication controls here means email security settings that fail to verify who actually sent a message (the job of sender-authentication mechanisms such as SPF, DKIM, and DMARC) and so let spoofed messages through. The report also found that 0% of recently breached organizations enforced MTA-STS, a standard (RFC 8461) that lets a domain publish a policy requiring sending mail servers to use TLS with a valid certificate when delivering to its mail exchangers; in enforce mode, delivery is refused rather than falling back to cleartext. Instead, they relied on “opportunistic” encryption, which attempts to encrypt messages but does not require it: an attacker positioned on the network path can strip the STARTTLS offer, and the sending server will quietly deliver the message in plaintext, where it can be read or tampered with in transit.
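To make the difference between an enforced MTA-STS policy and opportunistic STARTTLS concrete, here is an added example (not Paubox's code, and not part of its report). It parses a constructed `_mta-sts` TXT record and policy file for the hypothetical domain example.com, applies the RFC 8461 MX-matching rule, and shows what a policy-aware sender does when TLS fails or the MX hostname does not match, compared with a sender that only encrypts opportunistically.

```python
"""Evaluate an MTA-STS (RFC 8461) policy and contrast it with opportunistic TLS.

Added example, not Paubox's code or part of its report. The TXT record and
policy bodies are constructed sample data for a hypothetical domain.
"""

# Constructed sample: the DNS TXT record at _mta-sts.example.com and the policy
# body a sender would fetch from https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_TXT = "v=STSv1; id=20260201T000000"
SAMPLE_POLICY_ENFORCE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
SAMPLE_POLICY_TESTING = SAMPLE_POLICY_ENFORCE.replace("mode: enforce", "mode: testing")

VALID_MODES = {"enforce", "testing", "none"}


def parse_sts_txt(txt: str) -> dict:
    """Parse the _mta-sts TXT record. Returns {} unless it is a valid STSv1 record
    with an id (the id is how senders notice that a cached policy has changed)."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return {}
    return fields


def parse_policy(body: str) -> dict:
    """Parse the policy file. Raises ValueError on anything a sender must reject."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key == "mode":
            policy["mode"] = value.lower()
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("invalid mode")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx pattern is required")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 matching: exact hostname, or '*.' matching exactly one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup.example.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return host == pattern


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_ok: bool) -> str:
    """What a policy-aware sending MTA does with one MX candidate.

    tls_ok:  STARTTLS was negotiated successfully
    cert_ok: the MX presented a valid certificate for its hostname
    Returns 'deliver', 'report-and-deliver' (testing mode) or 'refuse' (enforce mode).
    """
    mode = policy.get("mode", "none")
    if mode == "none":
        return "deliver"
    matched = any(mx_matches(p, mx_host) for p in policy["mx"])
    if matched and tls_ok and cert_ok:
        return "deliver"
    return "refuse" if mode == "enforce" else "report-and-deliver"


def opportunistic_decision(starttls_offered: bool) -> str:
    """Plain opportunistic STARTTLS: encrypt if offered, otherwise send in cleartext.
    An on-path attacker who strips the STARTTLS capability gets a plaintext copy."""
    return "deliver-encrypted" if starttls_offered else "deliver-plaintext"


if __name__ == "__main__":
    enforce = parse_policy(SAMPLE_POLICY_ENFORCE)
    print(parse_sts_txt(SAMPLE_TXT))
    # STARTTLS stripped on the wire: enforce refuses, opportunistic sends cleartext
    print(delivery_decision(enforce, "mail.example.com", tls_ok=False, cert_ok=False))
    print(opportunistic_decision(starttls_offered=False))
```

The point to check in your own environment is the mode line: a policy published in `testing` mode only produces TLS-RPT reports and still delivers over the downgraded connection, so it does not close the gap the report describes until it is switched to `enforce`.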


FAQs

What is double brokering in freight logistics?

Double brokering occurs when a shipment is booked using stolen or misrepresented carrier credentials and then reassigned to another carrier, often resulting in theft or loss of freight.


Why are logistics platforms attractive targets for phishing campaigns?

Freight systems manage shipment details, payment processing, carrier identity verification, and insurance information, making compromised credentials valuable for financial fraud and shipment diversion.


How did the exposed .git directory contribute to the investigation?

An exposed .git directory can reveal source and development files, configuration data such as remote repository URLs, and, in this case, internal communications committed alongside the code. Because Git keeps every object in its history, files that were later deleted or rewritten are usually still recoverable, which gives investigators insight into infrastructure, operator roles, and operational planning over the life of the project.
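The following added example (not the researchers' tooling, and not code from the page) shows the mechanics behind that answer, for both the "What happened" description and this FAQ. Using constructed stand-ins for the bodies a web server would return for `/.git/HEAD` and `/.git/config`, it distinguishes a real HEAD file from an error page, pulls remote URLs out of the config, and inflates a constructed loose commit object to recover its author and message; the hostnames and commit content are hypothetical.

```python
"""Recognise an exposed .git directory and read what it leaks.

Added example, not the researchers' tooling. The HTTP bodies and the commit
object below are constructed sample data; nothing here touches the network.
"""
import hashlib
import re
import zlib

# Constructed stand-ins for what GET /.git/HEAD and GET /.git/config would return
SAMPLE_HEAD = "ref: refs/heads/main\n"
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://git.example.net/ops/panel.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
"""


def looks_like_git_head(body: str) -> bool:
    """A real .git/HEAD is a symbolic ref or a bare 40-hex object name; an HTML
    404 page or a login redirect is neither."""
    body = body.strip()
    return bool(re.fullmatch(r"ref: refs/heads/\S+", body)
                or re.fullmatch(r"[0-9a-f]{40}", body))


def parse_git_config(text: str) -> dict:
    """Minimal .git/config parser: {'remote "origin"': {'url': ...}, ...}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def remote_urls(config: dict) -> list:
    """Remote URLs point at the hosting the operators actually push to."""
    return [opts["url"] for name, opts in config.items()
            if name.startswith("remote ") and "url" in opts]


def object_path(sha: str) -> str:
    """Where a loose object lives relative to the web root."""
    return f".git/objects/{sha[:2]}/{sha[2:]}"


def make_loose_object(obj_type: str, payload: bytes) -> tuple:
    """Build a loose object as git stores it (used here only to construct sample
    data): zlib(<type> SP <size> NUL <payload>), named by SHA-1 of the raw bytes."""
    raw = b"%s %d\x00" % (obj_type.encode(), len(payload)) + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def parse_loose_object(blob: bytes) -> tuple:
    """Inflate a fetched loose object and return (type, payload, sha1)."""
    raw = zlib.decompress(blob)
    header, _, payload = raw.partition(b"\x00")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(payload):
        raise ValueError("object size mismatch")
    return obj_type, payload, hashlib.sha1(raw).hexdigest()


def parse_commit(payload: bytes) -> dict:
    """Split a commit object into its header fields and message."""
    head, _, message = payload.partition(b"\n\n")
    fields = {"parents": []}
    for line in head.decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(" ")
        if key == "parent":
            fields["parents"].append(value)
        else:
            fields[key] = value
    fields["message"] = message.decode("utf-8", "replace").strip()
    return fields


# Constructed commit object, the kind of thing found under .git/objects/
SAMPLE_COMMIT_PAYLOAD = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Dev Ops <dev@example.net> 1767225600 +0000\n"
    b"committer Dev Ops <dev@example.net> 1767225600 +0000\n"
    b"\n"
    b"add carrier login template\n"
)
SAMPLE_OBJECT_SHA, SAMPLE_OBJECT_BLOB = make_loose_object("commit", SAMPLE_COMMIT_PAYLOAD)


def triage(head_body: str, config_body: str) -> dict:
    """Summarise what an exposed repository reveals from two cheap requests."""
    exposed = looks_like_git_head(head_body)
    remotes = remote_urls(parse_git_config(config_body)) if exposed else []
    return {"exposed": exposed, "remotes": remotes}
```

For a defender the same check doubles as a self-audit: request `/.git/HEAD` on every web property and treat a body that passes `looks_like_git_head` as an incident, since directory listing is not needed to walk the repository once HEAD, refs, and object names are known.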


What part did infrastructure providers play in the takedown?

Researchers reported collaboration with technology and security companies to dismantle phishing infrastructure, illustrating the reliance on coordinated disruption efforts across multiple service providers.


How does cargo theft intersect with cybersecurity risk?

Digital freight platforms have replaced manual booking systems, meaning credential compromise and phishing attacks can now directly impact physical goods, blending cybercrime with traditional supply chain theft.
