Diesel Vortex: Russian Cybercrime Ring Steals 1,649

Russian PhaaS Operation Targets Critical Freight Infrastructure

A sophisticated Russian-linked cybercrime group tracked as Diesel Vortex has been actively stealing credentials from freight and logistics companies across the United States and Europe since September 2025, researchers from Have I Been Squatted and Ctrl-Alt-Intel revealed on February 25, 2026. The operation — now disrupted — compromised over 1,649 unique credentials from platforms and service providers critical to global freight operations.

The campaign is notable for operating as a Phishing-as-a-Service (PhaaS) platform, marketed internally as "MC Profit Always" and branded as "GlobalProfit", with an organized structure that included a call centre, mail support, programmers, and dedicated staff responsible for identifying logistics targets.

Attribute	Value
Threat Group	Diesel Vortex
Origin	Russia (with Armenian infrastructure links)
Active Since	September 2025
Credentials Stolen	1,649 unique credentials
Phishing Domains	52 typosquatting domains
Targeted Emails	57,000+ unique addresses
Attack Type	Phishing-as-a-Service (PhaaS)
Status	Disrupted (February 2026)

How the Campaign Worked

Diesel Vortex deployed 52 typosquatting phishing domains mimicking legitimate freight platforms, targeting employees at major companies including DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source (EFS). Over the five-month campaign, the group sent phishing emails to over 57,000 unique addresses harvested from logistics industry sources.

The operation went well beyond simple credential theft. Evidence uncovered by researchers revealed coordinated activities related to:

Credential Harvesting

Victims were directed to convincing clones of freight platform login pages. Once credentials were captured, they were processed through the "GlobalProfit" backend panel, which organized stolen credentials by platform and account value.

Freight Fraud Operations

With access to freight operator accounts, the group engaged in double-brokering (listing loads already booked by legitimate brokers), cargo diversion, mailbox compromise, and freight impersonation to redirect physical shipments.

Scaling Through PhaaS

The "MC Profit Always" platform was being actively marketed to other criminal operators, suggesting the group was moving toward franchising its operation across the cybercrime ecosystem.

Impact Area	Description
Credential Exposure	1,649 accounts across major freight platforms
Financial Fraud	Double-brokering and cargo diversion schemes
Infrastructure	52 phishing domains, GitLab repositories
Industry Risk	Critical supply chain disruption potential

Recommendations

For Freight and Logistics Operators

Enforce multi-factor authentication (MFA) on all freight platform accounts immediately
Conduct domain monitoring for typosquatting variants of your company and partner names
Train staff to verify login URLs before entering credentials — bookmark official portals
Review all recent logins on platforms such as DAT Truckstop, TIMOCOM, and Teleroute for anomalies

For Security Teams

Block the 52 known Diesel Vortex phishing domains (check Have I Been Squatted and Ctrl-Alt-Intel for IoCs)
Search SIEM logs for outbound connections to GlobalProfit infrastructure
Alert on any authentication from logistics accounts outside normal business hours or geolocations

Key Takeaways

Diesel Vortex operated as PhaaS, meaning its tools and infrastructure were available for sale to other criminals — disruption of the primary group doesn't eliminate the threat.
1,649 credentials stolen over five months with 57,000 targeted emails shows the scale of organized freight-sector cybercrime.
The operation was disrupted through coordinated action by GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center.
No software vulnerabilities were exploited — this campaign succeeded entirely through social engineering and credential reuse.
Double-brokering and cargo diversion represent a direct physical-world consequence of digital credential theft in the logistics sector.
Logistics operators are increasingly high-value targets because compromised accounts enable real-world financial fraud beyond typical data theft.

Sources

Russian PhaaS Operation Targets Critical Freight Infrastructure

Attribute	Value
Threat Group	Diesel Vortex
Origin	Russia (with Armenian infrastructure links)
Active Since	September 2025
Credentials Stolen	1,649 unique credentials
Phishing Domains	52 typosquatting domains
Targeted Emails	57,000+ unique addresses
Attack Type	Phishing-as-a-Service (PhaaS)
Status	Disrupted (February 2026)

How the Campaign Worked

The operation went well beyond simple credential theft. Evidence uncovered by researchers revealed coordinated activities related to:

Credential Harvesting

Freight Fraud Operations

Scaling Through PhaaS

The "MC Profit Always" platform was being actively marketed to other criminal operators, suggesting the group was moving toward franchising its operation across the cybercrime ecosystem.

Impact Area	Description
Credential Exposure	1,649 accounts across major freight platforms
Financial Fraud	Double-brokering and cargo diversion schemes
Infrastructure	52 phishing domains, GitLab repositories
Industry Risk	Critical supply chain disruption potential

Recommendations

For Freight and Logistics Operators

Enforce multi-factor authentication (MFA) on all freight platform accounts immediately
Conduct domain monitoring for typosquatting variants of your company and partner names
Train staff to verify login URLs before entering credentials — bookmark official portals
Review all recent logins on platforms such as DAT Truckstop, TIMOCOM, and Teleroute for anomalies

For Security Teams

Block the 52 known Diesel Vortex phishing domains (check Have I Been Squatted and Ctrl-Alt-Intel for IoCs)
Search SIEM logs for outbound connections to GlobalProfit infrastructure
Alert on any authentication from logistics accounts outside normal business hours or geolocations

Key Takeaways

Diesel Vortex operated as PhaaS, meaning its tools and infrastructure were available for sale to other criminals — disruption of the primary group doesn't eliminate the threat.
1,649 credentials stolen over five months with 57,000 targeted emails shows the scale of organized freight-sector cybercrime.
The operation was disrupted through coordinated action by GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center.
No software vulnerabilities were exploited — this campaign succeeded entirely through social engineering and credential reuse.
Double-brokering and cargo diversion represent a direct physical-world consequence of digital credential theft in the logistics sector.
Logistics operators are increasingly high-value targets because compromised accounts enable real-world financial fraud beyond typical data theft.

Diesel Vortex: Russian Cybercrime Ring Steals 1,649

Russian PhaaS Operation Targets Critical Freight Infrastructure

How the Campaign Worked

Credential Harvesting

Freight Fraud Operations

Scaling Through PhaaS

Recommendations

For Freight and Logistics Operators

For Security Teams

Key Takeaways

Sources

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

GlassWorm Escalates: 72 Malicious Open VSX Extensions Use

LeakBase Admin Arrested in Russia Over Massive Stolen Credential Marketplace

Diesel Vortex: Russian Cybercrime Ring Steals 1,649

Russian PhaaS Operation Targets Critical Freight Infrastructure

How the Campaign Worked

Credential Harvesting

Freight Fraud Operations

Scaling Through PhaaS

Recommendations

For Freight and Logistics Operators

For Security Teams

Key Takeaways

Sources

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

GlassWorm Escalates: 72 Malicious Open VSX Extensions Use

LeakBase Admin Arrested in Russia Over Massive Stolen Credential Marketplace