A financially motivated criminal group, identified by researchers as Diesel Vortex, has set up a sophisticated phishing campaign against transport and logistics operators in the United States and Europe. According to the analysis published by the typosquatting monitoring platform Have I Been Squatted, the operation started in September 2025 and employed at least 52 domains for its fraudulent infrastructure, capturing a total of almost 3,500 credential pairs and compromising 1,649 unique credentials.
The targets were not technology companies known for their security, but the platforms and services that the transport sector uses every day: freight exchanges, fleet forums, fuel card systems and transport management portals. Among the identified victims are sector names such as DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka and Electronic Funds Source (EFS). These platforms sit at the intersection of a high volume of transactions and a population of users (drivers, agents and truck-yard staff) who are often not at the core of traditional corporate security programmes.

The investigation began when Have I Been Squatted researchers came across an exposed repository containing a SQL database belonging to a phishing project that its authors called "Global Profit" and marketed among criminals as "MC Profit Always." The repository also held records of Telegram webhooks that exposed the service's internal communications, which allowed analysts to reconstruct important parts of the operation.
The technical details described by the researchers show a carefully designed chain of deception. The malicious emails were sent from a mailer built into the phishing kit using legitimate SMTP services such as Zoho and Zeptomail, and they used Cyrillic homograph tricks in the sender and the subject line to evade filters. On clicking the link, the victim was taken to a minimal HTML page on a ".com" domain that loaded a full-screen iframe containing the real phishing content, and then went through a cloaking chain of up to nine stages across the kit's own domains (.top / .icu) to hide the true origin.
The fraudulent pages were not aesthetically careless: they were pixel-level replicas of the targeted platforms. Depending on the target, these pages could capture not only username and password, but also sensitive data such as permits, MC/DOT numbers, RMIS credentials, PINs, two-factor authentication codes, security tokens, payout amounts and beneficiaries, or check numbers. In short, access and enough material to hijack logistics operations or divert shipments.
The group's operation appears to be highly organized. The researchers found a mind map linked from the project that detailed a structure with a call center, mail support, programmers and staff dedicated to locating drivers, carriers and logistics contacts. This scheme described sourcing channels such as freight marketplaces, mail campaigns and rate confirmation fraud tactics, as well as a tiered revenue model. The evidence indicates that the captured credentials were not only sold but also used in follow-on operations: carrier impersonation, mailbox compromise and double-brokerage or load diversion schemes.
Double brokerage consists of using stolen carrier identities to book transport services and, once the cargo is in transit, redirecting it to fraudulent pickup points where it disappears. The real impact is not only digital: it means stolen goods, payments that never reach the rightful recipient, and a chain of frustration and losses for cargo owners and carriers.
Another worrying aspect of the campaign was the use of voice channels to deceive people (vishing) and the infiltration of Telegram channels popular among transport professionals, which facilitated both the recruitment of victims and operational coordination. The phishing operators controlled the attack flow in real time through Telegram bots that let them approve stages, request additional passwords or even block the victim mid-session as the deception unfolded.
The research, beyond the central work by Have I Been Squatted, was supported by the tokenization and OSINT company Ctrl-Alt-Intel, which drew connections between operators, infrastructure and commercial entities using open source intelligence. Part of the link was the appearance of the same e-mail address in Russian corporate records tied to companies engaged in wholesale, transport and storage, suggesting ties between the phishing infrastructure and actors in the real economy related to the same target sector.
The coordinated response once the operation was discovered made it possible to intervene and dismantle much of the infrastructure: panels, domains and repositories hosted on platforms such as GitLab were neutralized after collaboration between GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike and the Microsoft Threat Intelligence Center. However, the distributed nature of the fraud and the use of disposable domains and legitimate mail services make it clear that the risk does not disappear with a single containment action.
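The Cyrillic homograph trick described above is something a mail gateway can test for. As an added example (not code from the report or the researchers), this Python check decodes RFC 2047 encoded headers and flags tokens that mix Cyrillic and Latin letters, or that are built entirely from Cyrillic lookalikes, together with the Latin "skeleton" they impersonate; the sample headers and the example.com address are constructed.

```python
import base64
import re
import unicodedata
from email.header import decode_header, make_header
# Cyrillic letters that render like Latin ones (a small subset; a production filter would use the full Unicode confusables table)
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "і": "i", "ѕ": "s", "к": "k", "А": "A", "В": "B", "Е": "E", "К": "K",
    "М": "M", "Н": "H", "О": "O", "Р": "P", "С": "C", "Т": "T", "Х": "X",
})

def scripts_in(token):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by a token's letters."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in token if c.isalpha()}

def decode_rfc2047(raw):
    """Decode RFC 2047 encoded-words (=?utf-8?b?...?=) into a plain string."""
    return str(make_header(decode_header(raw)))

def suspicious_tokens(text):
    """(token, latin_skeleton) pairs for tokens that look like homograph spoofing:
    a token mixing Cyrillic and Latin letters, or a Cyrillic token made entirely
    of letters that are lookalikes of Latin ones (e.g. a spoofed brand name)."""
    hits = []
    for token in re.split(r"[\s<>@\"'(),:;]+", text):
        scripts = scripts_in(token)
        if "CYRILLIC" not in scripts:
            continue
        skeleton = token.translate(CONFUSABLES)  # what the reader would see
        if "LATIN" in scripts or "CYRILLIC" not in scripts_in(skeleton):
            hits.append((token, skeleton))
    return hits

def check_headers(raw_from, raw_subject):
    """Inspect raw From and Subject header values; return findings per header."""
    findings = {}
    for field, raw in (("From", raw_from), ("Subject", raw_subject)):
        hits = suspicious_tokens(decode_rfc2047(raw))
        if hits:
            findings[field] = hits
    return findings

def encoded_word(text):
    """Build an RFC 2047 base64 encoded-word, as a mailer does for non-ASCII text."""
    return "=?utf-8?b?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="

# Constructed sample headers (not from the report): Cyrillic "о" (U+043E) replaces Latin "o"
SAMPLE_FROM = encoded_word("DAT Truckst\u043ep") + " <noreply@example.com>"
SAMPLE_SUBJECT = encoded_word("L\u043ead confirmation - action required")
```

Running `check_headers(SAMPLE_FROM, SAMPLE_SUBJECT)` reports the spoofed display name and subject word together with the brand text each one imitates, which is the value worth matching against a protected-brand list.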

For transport companies and professionals the lesson is twofold: on the one hand, the main vulnerability is human and lies in the processes and users that handle day-to-day operations; on the other, the technical sophistication of the attacks calls for robust technical measures. In practical terms, it is advisable to strengthen mail controls with advanced anti-phishing policies, to require strong authentication methods (such as hardware keys or FIDO solutions) rather than SMS, to segment and limit access privileges, to monitor unusual access to accounts and endpoints, and to have clear procedures for verifying changes to payment instructions or delivery points. Microsoft offers practical guidance on phishing protection and good corporate mail security practices that can serve as a reference: Microsoft phishing protection documentation.
If your company operates in the transport sector or uses freight exchange platforms, it is recommended to review the indicators of compromise (IoC) and technical details published by the researchers. Have I Been Squatted's report includes the list of IoC (networks, domains, Telegram, e-mails and cryptocurrency addresses) that allow security teams to hunt for and block known artifacts and tune rules in mail gateways and firewalls: report and IoC from Have I Been Squatted. The Ctrl-Alt-Intel research also provides OSINT context on the links between operators and companies in the sector: OSINT analysis by Ctrl-Alt-Intel.
In short, Diesel Vortex is a reminder that cybercrime is evolving towards operations increasingly integrated with criminal activity outside the digital world. It is not just about stealing a password, but about starting a chain that can translate into missing goods, millions in fraud and a loss of confidence in a sector critical to the global economy. The best defence will be to combine technical controls, continuous training of the people in the logistics chain and close cooperation between suppliers, platforms and incident response teams.