Diesel Vortex, a cybercrime group with ties to Russia, covertly ran a large-scale phishing campaign against freight and trucking companies in the US and Europe between September 2025 and February 2026. The campaign stole 1,649 unique sets of login credentials from users of major logistics platforms, including DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS), and Timocom.

The group did not operate alone. Under the alias "MC Profit Always," it ran as a structured criminal service, most likely selling phishing access to other criminals. To reach trucking professionals, operators used spearphishing emails and voice phishing (vishing) calls, and frequently targeted freight-focused Telegram groups.

By impersonating the very platforms their victims used every day, the group intercepted logins and multi-factor authentication (MFA) codes in real time. It then used that access to steal money, reroute shipments, and commit check fraud. Have I Been Squatted analysts discovered the operation after noticing a suspicious cluster of typosquatted domains connected to one of their clients.

During the investigation, researchers found an exposed Git directory on a phishing server, which laid bare the group's complete source code, victim database, internal communications, and future plans.

[Figure: Domain architecture (Source: Have I Been Squatted)]

A 36.6 MB SQL dump dated February 4, 2026 confirmed the full scope: 52 phishing domains deployed, 75,840 targeted contact emails, and 35 verified EFS check fraud attempts.

The harm went far beyond password theft. The compromised data included financial information and shipment invoices, which enabled invoice fraud and double-brokering, in which cargo is covertly resold to other carriers while the original carrier goes unpaid. The platform, internally branded "GlobalProfit," was being developed into a Phishing-as-a-Service (PhaaS) product for Russian-speaking criminal buyers, with cryptocurrency payment processing already in place.

The Dual-Domain Trick

Possibly the most technically notable aspect of the operation was how the group concealed its phishing pages from both victims and security tools. The platform used two cooperating domains. Victims received a link to a clean-looking "advertise domain." Once clicked, that page covertly embedded a second, hidden "system domain" inside an invisible browser frame.

[Figure: Penske iframe elements inspector (Source: Have I Been Squatted)]

The actual phishing content loaded silently inside the frame, while the victim's address bar consistently displayed the trustworthy-looking advertise domain.

Metric: Value
Stolen credential pairs: 3,474 (1,649 unique)
Distinct visitor IPs: 9,016
Phishing domains deployed: 52
Targeted contact emails: 75,840
EFS check fraud attempts: 35

Because the browser's address bar and most user-facing checks reflect the top-level page rather than the frames embedded within it, the technique sidestepped most of the warnings a victim would otherwise see.

[Figure: Operator Console session showing a highway carrier with MC and DOT information before credentials are captured (Source: Have I Been Squatted)]
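The dual-domain layout described above leaves a signature in the page itself: a cross-site frame that either covers the whole viewport or is styled to be invisible. The following script, added here as an example and not code from the original article or from Have I Been Squatted, parses a captured page with the Python standard library and flags such frames. The page URL, HTML and domain names are constructed for illustration, the hidden-style heuristics are assumptions a triage script might start with, and the eTLD+1 extraction is a last-two-labels approximation with no public suffix list.

```python
"""Detect the dual-domain phishing pattern: a top-level page that embeds a
full-viewport or invisible <iframe> served from a different site.

Added example, not code from the original article or from Have I Been
Squatted. The page URL, HTML and domain names below are constructed for
illustration; the hidden-style heuristics are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a clean "advertise domain" page that frames a
# "system domain" full-screen, plus two ordinary-looking frames for contrast.
SAMPLE_URL = "https://advertise-domain.example/login"
SAMPLE_HTML = """
<html><body>
<h1>Carrier Portal</h1>
<iframe src="https://system-domain.example/portal"
        style="position:absolute;top:0;left:0;width:100%;height:100%;border:0"></iframe>
<iframe src="https://cdn.advertise-domain.example/widget" width="300" height="250"></iframe>
<iframe src="https://tracker.example/pixel" style="display:none"></iframe>
</body></html>
"""

# Inline styles that make a frame invisible or push it off-screen (assumption).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels. Assumption: no public
    suffix list is consulted, so 'example.co.uk' would collapse to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class FrameCollector(HTMLParser):
    """Collect the attributes of every frame-like element on the page."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame", "embed", "object"):
            self.frames.append(dict(attrs))


def frame_reason(attrs):
    """Return why a frame is suspicious, or None for an ordinary embed."""
    style = attrs.get("style") or ""
    full_w = re.search(r"width\s*:\s*100(?:%|vw)", style, re.I) or attrs.get("width") == "100%"
    full_h = re.search(r"height\s*:\s*100(?:%|vh)", style, re.I) or attrs.get("height") == "100%"
    if full_w and full_h:
        return "full_viewport"  # everything the victim sees is really another site
    if "hidden" in attrs or HIDDEN_STYLE.search(style):
        return "hidden"
    if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
        return "hidden"
    return None


def find_dual_domain_frames(page_url, html):
    """List cross-site frames that are either hidden or cover the viewport."""
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    parser = FrameCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src") or attrs.get("data")
        if not src:
            continue
        host = urlparse(src).hostname or ""
        if registrable_domain(host) == page_domain:
            continue  # same site: not the advertise/system split
        reason = frame_reason(attrs)
        if reason is None:
            continue
        findings.append({
            "host": host,
            "src": src,
            "reason": reason,
            "severity": "high" if reason == "full_viewport" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_dual_domain_frames(SAMPLE_URL, SAMPLE_HTML):
        print(f"{f['severity']:6} {f['reason']:13} {f['src']}")
```

On the constructed sample the full-viewport frame pointing at system-domain.example is reported as high severity, the same-site widget frame is ignored, and the display:none tracker frame is reported at medium severity; in practice the hidden class needs an allowlist for analytics and payment providers, while a cross-site frame that covers the viewport on a login page is rarely legitimate.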

Operators watched each victim in real time through Telegram and issued commands, walking them through fake Google, Microsoft, or Yahoo login screens to capture their email credentials as well.

Because this kind of real-time, operator-driven interception defeats conventional one-time passwords and SMS codes, security teams defending against it should deploy FIDO2 hardware keys or device-bound passkeys, whose origin binding means a credential registered for the real platform cannot be exercised from a lookalike domain. DNS filtering and proactive monitoring for typosquatted domains that mimic logistics platform names are also important defensive measures.
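Proactive monitoring for lookalike domains, as recommended above, usually means scoring a feed of newly observed domains (certificate-transparency logs, passive DNS, registrar drops) against a list of brand tokens. The script below is an added example, not the article's or Have I Been Squatted's tooling, and goes slightly beyond the text by covering three lookalike styles in one pass: the brand embedded in a longer label, a near-miss spelling one or two edits away (including transpositions), and digit-for-letter homoglyph substitutions. The brand tokens, thresholds, substitution table and sample domains are all constructed assumptions, and the second-level label is taken as the label before the last one with no public suffix list.

```python
"""Surface typosquat candidates for logistics brands from a feed of newly
observed domains. Added example, not the article's or Have I Been Squatted's
tooling; brand tokens, thresholds and sample domains are assumptions."""

# Assumption: brand tokens derived from the platform names in the article.
BRANDS = ("truckstop", "penske", "timocom")
MAX_DISTANCE = 2  # edit-distance threshold for a "near miss" label (assumption)

# Common digit/letter substitutions seen in lookalike domains (assumption).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label):
    """Fold typical lookalike substitutions back to the plain brand spelling."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'trucksotp' is one step from 'truckstop'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def second_level_label(domain):
    """Label immediately before the TLD (assumption: no public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def typosquat_reasons(domain, brands=BRANDS):
    """Return 'brand:reason' strings explaining why a domain resembles a brand."""
    raw = second_level_label(domain)
    folded = normalize(raw)
    reasons = []
    for brand in brands:
        if raw == brand:
            continue  # the brand's own label; an allowlist handles it upstream
        if folded == brand:
            reasons.append(f"{brand}:homoglyph")
        elif brand in folded:
            reasons.append(f"{brand}:embedded")  # e.g. brand-login, my-brand
        else:
            dist = osa_distance(folded, brand)
            if dist <= MAX_DISTANCE:
                reasons.append(f"{brand}:distance={dist}")
    return reasons


def triage(domains):
    """Map each candidate domain to its reasons, dropping clean ones."""
    flagged = {}
    for domain in domains:
        reasons = typosquat_reasons(domain)
        if reasons:
            flagged[domain] = reasons
    return flagged


# Constructed sample feed; these are not domains from the campaign.
SAMPLE_FEED = [
    "truckstop-login.net",
    "trucksotp.com",
    "tim0com.io",
    "penske.com",
    "weather.com",
]

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_FEED).items():
        print(f"{domain:22} {', '.join(reasons)}")
```

Flagged domains are candidates for DNS-filter blocks and for a registrar or hosting takedown request, not proof of abuse: short brand tokens and an edit-distance threshold of 2 produce false positives, so tune MAX_DISTANCE per brand length and keep an allowlist of the platforms' own domains and subsidiaries.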