Estimated reading time: 3 minutes
A cybercriminal operation that stole more than 1,600 login credentials from freight platforms operated as a structured service provider with call center agents, programmers, and plans to franchise its fraud model, according to an investigation published this week.
The group, which researchers track as Diesel Vortex, targeted dispatchers and brokers at major logistics platforms including DAT Truckstop, Timocom, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source between September 2025 and February 2026. The campaign used convincing fake websites to capture usernames, passwords, and one time codes in real time, allowing attackers to access legitimate accounts, accept loads, redirect cargo, and execute double brokering schemes.
Security researchers discovered an exposed code repository and database containing source code, victim lists, and operator chat logs. The database held more than 75,000 targeted contact emails and evidence of 52 malicious domains designed to mimic legitimate logistics portals.
Organized Operation Resembled Legitimate Business
The group operated under the internal brand GlobalProfit and appeared to be developing its methods as a sellable product for other criminals, with references to MC Profit Always in its planning documents. Investigators found that Diesel Vortex employed distinct roles including call center agents, email operators, programmers, and staff dedicated to recruiting carriers and drivers. All followed a standardized playbook for credential theft and fraud execution.
A Telegram based operator console allowed the group to control victim sessions in real time. The backend database showed 35 confirmed check fraud attempts targeting the Electronic Funds Source fuel card and payment system.
No reliable total loss figures for the campaign have been published. The financial impact is likely material given the scale of credential theft and the types of fraud enabled by access to carrier and broker identities.
The investigation led to a coordinated takedown involving GitLab, Cloudflare, Google Threat Intelligence, and Microsoft, which disrupted Diesel Vortex’s infrastructure. The confirmed campaign window is now described as closed, but investigators said they cannot rule out future or related activity.
Industry Faces Growing Cyber Enabled Cargo Crime
Freight fraud from double brokering and identity theft has been rising across North America and Europe even as brokers and platforms invest in monitoring and rule based controls. The Diesel Vortex campaign targeted core logistics infrastructure including load boards, fleet portals, and fuel card systems, not fringe tools, according to researchers.
In Europe, key transport and logistics segments now fall under the revised NIS2 Directive, the European Union’s updated cybersecurity law for essential sectors. The directive, which took effect across member states in recent months, explicitly requires companies to manage cybersecurity risks within their supply chains. Implementation of supply chain cyber risk management remains uneven across the sector.
Major industry bodies including the International Union of Marine Insurance and the Transported Asset Protection Association have reported an alarming rise in cargo theft and fraud across global supply chains, with criminals shifting from physical theft to sophisticated digital methods including shell companies and identity cloning.
The same tools that targeted United States and European truckload platforms could with adjustments be applied to less than truckload operations, warehousing, hinterland logistics, or regional marketplaces elsewhere, researchers noted. Compromised inland identities can redirect containers, misroute cargo, and weaken trust in port operations and liner schedules.
Ports and vessels may present harder targets for such attacks, but the inland logistics network remains vulnerable, investigators said. The stolen credentials and fraud methods demonstrated by Diesel Vortex show how carrier and broker identities, once routine back office details, have become an attack surface for cargo theft.




