A financially motivated threat group, tracked as ‘Diesel Vortex,’ has stolen more than 1,600 unique login credentials from freight and logistics operators across the United States and Europe in a phishing campaign that leveraged 52 malicious domains.
According to researchers at Have I Been Squatted, the campaign has been active since September 2025 and targeted platforms critical to the freight industry. The attackers harvested 1,649 unique credential pairs out of nearly 3,500 stolen records discovered in an exposed SQL database linked to a phishing project dubbed “Global Profit,” which was marketed to other cybercriminals under the name “MC Profit Always.”
Victims include major industry platforms and providers such as DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source.
The investigation began after Have I Been Squatted uncovered an exposed repository containing phishing infrastructure, including Telegram webhook logs that revealed communications between operators. Based on linguistic analysis, researchers believe the group is Armenian-speaking and connected to Russian infrastructure. The probe was conducted in collaboration with independent researchers Ctrl-Alt-Intel, who used open-source intelligence to map links between the operators, infrastructure, and companies in Russia’s transportation and warehousing sectors.
Researchers described a “highly organized operation” structured like a legitimate business with call-center staff, mail support, programmers, and personnel dedicated to sourcing drivers, carriers, and logistics contacts. Acquisition channels reportedly included the DAT One marketplace, email campaigns, rate confirmation fraud, and tiered revenue models.
The group built dedicated phishing infrastructure mimicking load boards, fleet management portals, fuel card systems, and freight exchanges. Emails were distributed via phishing kit mailers using Zoho SMTP and ZeptoMail services, with Cyrillic homoglyphs embedded in sender names and subject lines to bypass security filters. Attackers also employed voice phishing and infiltrated Telegram channels popular with trucking and logistics professionals.
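The homoglyph trick described above is detectable on the receiving side: a display name or subject that mixes Latin and Cyrillic letters inside one word is almost never legitimate. The following is an added example, not code from the article or from the researchers, showing one way a mail gateway or SOC script could flag such headers. The confusables table is a deliberately small subset, the brand list and the sample messages are constructed for the demonstration, and the sender addresses use reserved placeholder domains.

```python
import re
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header

# Subset of Cyrillic letters whose glyphs are near-identical to Latin ones
# (constructed for this example; a production table would use Unicode's
# confusables.txt). Keys are Cyrillic, values the Latin look-alike.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0423": "Y", "\u0406": "I", "\u0408": "J", "\u0405": "S",
}

# Tokens are runs of characters that are not whitespace or address punctuation.
WORD_RE = re.compile(r"[^\s<>@\"',;:()]+")


def script_of(ch):
    """Unicode script family of a letter ('LATIN', 'CYRILLIC', ...), None for non-letters."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return None


def skeleton(text):
    """Fold Cyrillic confusables to Latin so a spoofed brand compares equal to the real one."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in text)


def find_mixed_script_tokens(text):
    """Return tokens containing both Latin and Cyrillic letters: the homoglyph fingerprint."""
    flagged = []
    for tok in WORD_RE.findall(text):
        scripts = {s for s in map(script_of, tok) if s}
        if "LATIN" in scripts and "CYRILLIC" in scripts:
            flagged.append(tok)
    return flagged


def decode_hdr(value):
    """Decode RFC 2047 encoded words (=?UTF-8?B?...?=) into a plain str."""
    return str(make_header(decode_header(value))) if value else ""


def scan_headers(raw_message, protected_brands):
    """Scan From and Subject of an RFC 822 message; return (field, token, reason) findings."""
    msg = message_from_string(raw_message)
    findings = []
    for field in ("From", "Subject"):
        value = decode_hdr(msg.get(field))
        for tok in find_mixed_script_tokens(value):
            findings.append((field, tok, "mixed Latin/Cyrillic token"))
        folded = skeleton(value).lower()
        for brand in protected_brands:
            # Brand appears once confusables are folded, but not in the raw header:
            # it was spelled with look-alike letters.
            if brand in folded and brand not in value.lower():
                findings.append((field, brand, "brand spelled with Cyrillic look-alikes"))
    return findings


# Constructed samples. The first spells "DAT Truckstop" and "Confirmation" with
# Cyrillic A (U+0410) and o (U+043E); the second is the all-Latin equivalent.
SAMPLE_PHISH = (
    "From: D\u0410T Truckst\u043ep Support <alerts@example.invalid>\r\n"
    "Subject: Rate C\u043enfirmation #4471 - action required\r\n"
    "\r\nPlease verify your load board login.\r\n"
)
SAMPLE_LEGIT = (
    "From: DAT Truckstop Support <alerts@example.invalid>\r\n"
    "Subject: Rate Confirmation #4471\r\n"
    "\r\nbody\r\n"
)
BRANDS = ["truckstop", "dat"]  # constructed watch list, lower-case

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, scan_headers(raw, BRANDS))
```

Running the block reports five findings for the spoofed message (three mixed-script tokens plus both brands matched only after folding) and none for the all-Latin one. The mixed-script check alone is enough for most cases; the brand-folding check additionally catches a sender name composed entirely of Cyrillic look-alikes, which contains no Latin letters to mix with.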
Victims who clicked malicious links were directed to minimal HTML landing pages on “.com” domains that loaded pixel-perfect clones of legitimate logistics platforms via full-screen iframes. Depending on the target, attackers collected credentials, motor carrier and DOT numbers, RMIS logins, PINs, two-factor authentication codes, payment details, and security tokens.
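The landing pages described above share a structural signature: a near-empty HTML document whose only real content is a full-viewport iframe pulling the cloned portal from another origin. The following is an added example, not code from the article or from the researchers, of a small audit that a URL-scanning or threat-hunting pipeline could run over fetched pages to surface that pattern. The two sample pages and their hostnames are constructed for the demonstration and use reserved placeholder domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAudit(HTMLParser):
    """Collect iframe attributes and count visible text outside script/style blocks."""

    def __init__(self):
        super().__init__()
        self.iframes = []            # one attribute dict per <iframe>
        self.visible_text_chars = 0  # non-whitespace characters of page text
        self._skip = False           # inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.visible_text_chars += len(data.strip())


def is_full_screen(attrs):
    """True when the iframe is styled or sized to cover the whole viewport."""
    style = attrs.get("style", "").replace(" ", "").lower()
    width, height = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    return (
        ("width:100%" in style and "height:100%" in style)
        or ("width:100vw" in style and "height:100vh" in style)
        or (width == "100%" and height == "100%")
    )


def audit_landing_page(html, page_host, min_text_chars=50):
    """Return human-readable reasons the page looks like a framed clone; empty list if none."""
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    reasons = []
    for frame in parser.iframes:
        host = urlparse(frame.get("src", "")).hostname or ""
        if is_full_screen(frame):
            reasons.append(f"full-screen iframe -> {host or '(relative src)'}")
        if host and host != page_host:
            reasons.append(f"cross-origin iframe src {host}")
    if parser.iframes and parser.visible_text_chars < min_text_chars:
        reasons.append(
            f"almost no visible content outside iframes ({parser.visible_text_chars} chars)"
        )
    return reasons


# Constructed samples. PHISH_PAGE mirrors the pattern in the report: a shell
# document on one host framing a full-screen clone served from another.
PHISH_PAGE = """<!doctype html>
<html><head><title>Login</title>
<style>html,body{margin:0;height:100%}</style></head>
<body>
<iframe src="https://clone-host.example/login"
        style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>
</body></html>"""

LEGIT_PAGE = """<!doctype html>
<html><head><title>Carrier portal</title></head>
<body>
<h1>Carrier portal</h1>
<p>Sign in to view load offers, rate confirmations and settlement statements
for your fleet. Contact support if you cannot access your account.</p>
<iframe src="https://portal.example/status-widget" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("phish:", audit_landing_page(PHISH_PAGE, "landing.example"))
    print("legit:", audit_landing_page(LEGIT_PAGE, "portal.example"))
```

For the constructed phishing page the audit returns three reasons (full-screen frame, cross-origin source, almost no surrounding content); the ordinary portal page with a small same-origin widget returns none. Any one reason on its own is common on legitimate sites, so the signal is the combination, which is why the function returns the full list rather than a single boolean.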
Researchers said the phishing process was controlled in real time by operators through Telegram bots, allowing them to request additional authentication details, redirect victims, or terminate sessions mid-attack.
The campaign was dismantled through coordinated action involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft’s Threat Intelligence Center, leading to the takedown of phishing domains, panels, and associated repositories.