Phishing operation with links to Russia, Armenia compromised Western cargo companies, researchers find
Russian cybercriminals ran phishing attacks against U.S. and European freight companies, stealing more than 1,600 login credentials and intercepting cargo. Researchers uncovered the details of the operation and its “MC Profit Always” phishing platform, and revealed its complex organizational structure. Armenian speakers and Russia-linked companies were involved. Several security companies collaborated to take down the infrastructure.

2026-2-24 20:45:49 Author: therecord.media (view original)

Researchers have uncovered and taken down the infrastructure of a phishing operation run by Russian cybercriminals targeting freight companies in the U.S. and Europe. 

Over a five-month period, the group, dubbed Diesel Vortex, stole more than 1,600 login credentials from accounts at logistics platforms, which allowed thieves to intercept and divert freight shipments and commit check fraud. 

The researchers with the domain protection platform Have I Been Squatted discovered an exposed .git directory, which revealed the ins and outs of the operation, including messages sent between the cybercriminals. 
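The exposed .git directory that gave the researchers their window into the operation is a plain web-server misconfiguration, and the same mistake on a company's own site hands its source code, history and any committed secrets to anyone who asks. The script below is an added example (not code from the article, from Have I Been Squatted or from Ctrl-Alt-Int3l) for checking hosts you are responsible for: it requests the two files every git checkout contains, `/.git/HEAD` and `/.git/config`, and classifies the response, since many sites answer every path with a 200 HTML page and a naive status check would produce false positives. The probe paths, the user-agent string and the sample response in `demo()` are constructed for illustration.

```python
"""Self-check for an exposed .git directory on web hosts you operate.

Added example; not part of the original article or any vendor's tooling.
The probe paths, user-agent and sample responses are constructed.
"""
import re
import sys
import urllib.error
import urllib.request

# Files present in every git checkout. If the web server hands them out,
# the whole repository (history, config, possibly credentials) is usually
# retrievable as well.
GIT_PROBE_PATHS = ("/.git/HEAD", "/.git/config")

# A real HEAD is "ref: refs/heads/<branch>" or a bare 40-hex commit id
# (detached HEAD); a real config starts with a [core] section.
HEAD_RE = re.compile(rb"^(ref: refs/|[0-9a-f]{40}\b)")
CONFIG_RE = re.compile(rb"^\s*\[core\]", re.MULTILINE)


def classify(path: str, status: int, body: bytes) -> str:
    """Decide from one HTTP response whether a git file is really exposed.

    'exposed'  - body looks like the genuine git file
    'blocked'  - server refused or does not have it
    'unclear'  - e.g. a 200 that is actually an HTML error page
    """
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "unclear"
    if path.endswith("/HEAD") and HEAD_RE.match(body):
        return "exposed"
    if path.endswith("/config") and CONFIG_RE.search(body):
        return "exposed"
    return "unclear"


def fetch(base_url: str, path: str, timeout: float = 5.0):
    """Fetch one probe path without following redirects; returns (status, body)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn 3xx into an HTTPError we classify as 'unclear'

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "git-exposure-selfcheck"},  # constructed UA
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096)


def check_host(base_url: str) -> dict:
    """Probe every path on one host; returns {path: verdict}."""
    return {p: classify(p, *fetch(base_url, p)) for p in GIT_PROBE_PATHS}


def demo() -> dict:
    """Offline run over constructed responses, so the logic can be seen without a network."""
    samples = {
        "/.git/HEAD": (200, b"ref: refs/heads/main\n"),          # genuine leak
        "/.git/config": (200, b"<html><body>Not found</body></html>"),  # catch-all page
    }
    return {p: classify(p, s, b) for p, (s, b) in samples.items()}


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(demo())  # {'/.git/HEAD': 'exposed', '/.git/config': 'unclear'}
    for url in sys.argv[1:]:
        for path, verdict in check_host(url).items():
            print(f"{url}{path}: {verdict}")
```

Run it as `python gitcheck.py https://your-host.example` for each host you own; any `exposed` verdict means the directory should be removed from the document root (or denied at the web server) and any secrets in the repository's history rotated, since the leak cannot be undone by hiding the directory afterwards.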

The leaked repository exposed a phishing-as-a-service platform that was being built to be marketed to customers as “MC Profit Always,” a likely reference to “motor carriers.” 

The Diesel Vortex cybercriminals built phishing infrastructure targeting users of the platforms that power the freight and logistics industries, like load boards — marketplaces where shippers, brokers and carriers connect — fleet management portals and fuel card systems. 

They impersonated carriers and brokers and were able to access freight systems. Messages seem to show them engaged in “double-brokering,” when loads are booked with a stolen carrier identity before the freight is reassigned to a different carrier. 

The researchers were able to find the outfit’s organizational map, revealing a sophisticated operation including a call center, mail support and employees responsible for connecting with drivers and other logistics contacts.

“This blueprint only reinforced what the codebase had already made clear: this was not an opportunistic campaign. It was a deliberate, structured criminal enterprise with defined roles, revenue targets, and a long-term growth strategy,” Have I Been Squatted researchers wrote. 

The company worked in collaboration with the cyber threat research outfit Ctrl-Alt-Int3l, which found, in the phishing panel's source code, a mention of a domain registered through a Russian provider and linked to a Russian-registered email address.

That email was then linked through corporate records to several Russian companies working in warehousing, transportation and wholesale trade. Recorded Future News reached out to the email address for comment and as of press time had not received a reply.  

Along with clear links to Russia, Armenian-speaking operators were also involved in the operation, with one of the criminals telling another he was located in Yerevan. In one chat, a member of the group asks in Armenian if they have the credentials of a carrier with “250k cargo” — in other words, one insured to carry high-value freight. 

According to the researchers, Google Threat Intelligence Group, Cloudflare, GitLab, IPInfo and Ping Identity were involved in taking down the infrastructure. 

Cargo theft has exploded in recent years, driven by the increasingly digital nature of the business, with annual losses estimated to be around $35 billion. In November, researchers at Proofpoint documented a hacking campaign with links to organized crime targeting trucking and logistics companies with remote monitoring tools.  

Last month, the House Judiciary Committee advanced the “Combatting Organized Retail Crime Act of 2025,” a bill to establish a coordinated federal response to cargo theft. It would also create new criminal penalties for the laundering of illicit proceeds or the sale of stolen goods.


James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.


Source: https://therecord.media/phishing-operation-russia-armenia-targeting-us-european-cargo