A cybercrime organization linked to Russia, known as Diesel Vortex, has conducted an extensive phishing scheme targeting freight and trucking companies across the United States and Europe. This operation took place from September 2025 to February 2026 and led to the theft of over 1,649 login credentials from users of major logistics platforms such as DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS), and Timocom.
Phishing Operation Details
The group operated as a structured criminal service, potentially selling access to other malicious actors under the name “MC Profit Always.” They employed spearphishing emails and voice phishing calls to reach trucking professionals, frequently targeting freight-centered Telegram groups. By impersonating trusted platforms, they intercepted logins and multi-factor authentication codes, redirecting shipments, stealing funds, and engaging in check fraud.
Analysts from Have I Been Squatted identified the operation after detecting a suspicious cluster of typosquatted domains linked to a customer. The investigation revealed an exposed Git directory on a phishing server, uncovering the group’s source code, victim database, internal communications, and future plans.
Extent of the Breach
On February 4, 2026, a 36.6MB SQL dump confirmed the full extent of the campaign, revealing 52 phishing domains, 75,840 targeted contact emails, and 35 verified EFS check fraud attempts. The compromised data extended beyond stolen passwords, including shipment invoices and financial details, enabling invoice fraud and double-brokering, where cargo is secretly resold, leaving the original carrier unpaid.
The platform, known internally as “GlobalProfit,” was evolving into a Phishing-as-a-Service (PhaaS) product for Russian-speaking criminal buyers, with cryptocurrency payment processing integrated.
Technical Sophistication
A notable aspect of the operation was the use of dual domains to mask phishing pages from victims and security tools. Victims received links to a legitimate-looking “advertise domain,” which secretly embedded a hidden “system domain” within an invisible browser frame. This technique allowed the address bar to display a trusted domain while phishing content loaded within it, bypassing browser security warnings, which typically assess only the top-level page.
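As an added example, not code from the report or from the group's kit, the following Python check scans a page for cross-origin frames that are either hidden from view or stretched over the whole viewport, which is the pattern behind the "advertise domain" / "system domain" split described above. The domain names and sample HTML are constructed for illustration.

```python
"""Flag cross-origin frames that are invisible or cover the whole page, so the
address bar shows one domain while another domain's content is displayed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes a frame invisible (zero size, display:none, pushed off-screen).
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:width|height)\s*:\s*0(?:px)?(?![.\d])|(?:left|top)\s*:\s*-\d{3,}", re.I)

def _is_overlay(style):
    """A positioned frame at 100% width and height covers the visible page."""
    return bool(re.search(r"position\s*:\s*(?:fixed|absolute)", style, re.I)
                and re.search(r"width\s*:\s*100(?:%|vw)", style, re.I)
                and re.search(r"height\s*:\s*100(?:%|vh)", style, re.I))

class FrameCollector(HTMLParser):
    """Collect the attributes of every <iframe>/<frame> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            # Valueless attributes such as bare `hidden` arrive with value None.
            self.frames.append({k: (v or "") for k, v in attrs})

def classify_frame(attrs):
    """Return 'hidden', 'overlay' or None for one frame's attribute dict."""
    style = attrs.get("style", "")
    if "hidden" in attrs or HIDDEN_CSS.search(style):
        return "hidden"
    if attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px"):
        return "hidden"
    return "overlay" if _is_overlay(style) else None

def find_suspicious_frames(page_url, html):
    """Return (frame_host, reason) for cross-origin frames worth a closer look."""
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = FrameCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.frames:
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if not host or host == page_host:
            continue  # relative or same-origin frames are ordinary page structure
        reason = classify_frame(attrs)
        if reason:
            hits.append((host, reason))
    return hits

# Constructed sample: a lookalike "advertise" page framing a separate "system" host.
SAMPLE_PAGE_URL = "https://advertise-domain.example/login"
SAMPLE_HTML = """<html><body><h1>Sign in</h1>
<iframe src="https://system-domain.example/panel"
        style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>
<iframe src="https://advertise-domain.example/help" style="display:none"></iframe>
<iframe src="https://video.example/embed" width="560" height="315"></iframe>
</body></html>"""
```

The check only covers inline styles and size attributes; frames hidden through external stylesheets or scripts need a rendered-DOM scan, so treat a hit as a triage signal alongside the typosquat monitoring the report recommends.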
From Telegram, operators could monitor each victim in real time, issuing commands that directed them through fake login screens to capture additional email credentials. Security teams are advised to adopt FIDO2 hardware keys or device-bound passkeys, as Telegram-based real-time interception can defeat standard one-time passwords and SMS codes. DNS filtering and active monitoring for typosquatted domains mimicking logistics platform names are also essential defensive measures.