Fast Facts
- A Russian-linked group, Diesel Vortex, operated a large-scale phishing campaign targeting freight and logistics companies across the US and Europe from September 2025 to February 2026, stealing over 1,649 login credentials.
- They used sophisticated methods like dual-domain phishing pages, embedding hidden malicious content to evade detection, and intercepted MFA codes in real-time via spearphishing and voice calls.
- The operation sold access as a Phishing-as-a-Service (PhaaS) under the brand “MC Profit Always,” with plans for cryptocurrency-based transactions, and compromised data enabled shipment redirection, fraud, and cargo reselling.
- Investigations uncovered exposed source code, victim databases, and operational details on compromised servers, emphasizing the need for enhanced defenses like hardware security keys and DNS monitoring to counter such advanced attacks.
What’s the Problem?
Between September 2025 and February 2026, a Russian-linked cybercrime group known as Diesel Vortex orchestrated a sophisticated phishing campaign targeting freight and trucking companies across the United States and Europe. They managed to steal over 1,600 login credentials from major logistics platforms like DAT Truckstop and Penske Logistics. The group didn’t operate in isolation; instead, it functioned as a structured service, likely selling access to other malicious actors under the brand “MC Profit Always.” Using spearphishing emails and voice calls, they targeted trucking professionals—often within Telegram groups—impersonating familiar platforms. Their tactic involved embedding malicious pages inside seemingly trusted websites, which allowed them to intercept multi-factor authentication codes and login details effortlessly, leading to shipment redirection, financial theft, and check fraud.
The operation was uncovered by security analysts at Have I Been Squatted after noticing suspicious typosquatted domains linked to one of their customers. Further investigation revealed an exposed server containing source code, victim data, and internal communications, confirming the scope of their attack. This included 52 phishing domains and nearly 76,000 targeted contacts, with at least 35 fraudulent check attempts against electronic funds sources. The stolen information extended beyond credentials, encompassing invoices and financial data, facilitating invoice fraud and cargo reselling—known as double-brokering. Notably, the group developed a hidden two-domain system that concealed the phishing pages, thereby bypassing many browser security warnings. They also appeared to be building a “Phishing-as-a-Service” platform, accepting cryptocurrency payments and preparing for broader criminal sales, which underscores the evolving sophistication of such cyber threats targeting critical logistics infrastructure.
Risk Summary
The Diesel Vortex cybercrime group’s attack highlights how any business, regardless of size or industry, can fall victim to sophisticated hacking schemes that target your digital assets. When hackers steal over 1,600 credentials, they gain access to sensitive information, disrupt operations, and threaten your reputation. Such breaches can lead to financial losses, legal consequences, and loss of customer trust. Furthermore, cybercriminals often exploit vulnerabilities in logistics and supply chains, which can halt your entire workflow. Consequently, without proper cybersecurity measures, your business remains vulnerable, risking long-term damage and operational setbacks. In today’s interconnected world, this threat underscores the urgent need for proactive security strategies to defend your business’s critical information.
Possible Remediation Steps
In the rapidly evolving landscape of cybersecurity threats, swift remediation is crucial to minimize damage, restore operations, and protect sensitive information, especially when dealing with sophisticated cybercriminal groups such as the Diesel Vortex Russian entity targeting the global logistics sector and stealing over 1,600 credentials.
Detection & Analysis
- Conduct immediate incident analysis to identify breach scope and affected systems.
- Utilize intrusion detection systems (IDS) and security information and event management (SIEM) tools.
Containment & Eradication
- Isolate compromised systems from the network to prevent further malicious activity.
- Remove malicious files, unauthorized accounts, and backdoors.
Recovery
- Reset compromised credentials and enforce strong, multifactor authentication.
- Restore systems from secure backups ensuring they are free from malware.
Notification & Coordination
- Notify relevant stakeholders, including law enforcement agencies and affected partners.
- Coordinate with cybersecurity authorities for threat intelligence sharing.
Prevention & Hardening
- Implement continuous monitoring for suspicious activity.
- Update, patch, and configure systems according to security best practices.
- Conduct user awareness training focusing on credential security and phishing.
Continue Your Cyber Journey
Stay informed on the latest Threat Intelligence and Cyberattacks.
Explore engineering-led approaches to digital security at IEEE Cybersecurity.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1cyberattack-v1-multisource
