Phishing campaign targets freight and logistics orgs in the US, Europe
Diesel Vortex: The Armenian-Linked Cybercrime Syndicate Stealing Freight Industry Secrets
In a chilling exposé of modern cybercrime, cybersecurity researchers have uncovered a sophisticated phishing campaign targeting the backbone of global commerce—the freight and logistics industry. Dubbed “Diesel Vortex,” this financially motivated threat group has been systematically stealing credentials from major logistics operators across the United States and Europe since September 2025.
The Scale of the Heist
What began as a routine investigation into typosquatting domains quickly unraveled into a sprawling criminal operation. Researchers at Have I Been Squatted discovered an exposed repository containing an SQL database from a phishing project ominously named “Global Profit.” The threat actors were even marketing their stolen data under the moniker “MC Profit Always” to other cybercriminals.
The numbers are staggering:
- 52 malicious domains deployed in the campaign
- 1,649 unique credentials stolen from critical freight platforms
- Nearly 3,500 total credential pairs compromised
High-Profile Victims Exposed
The Diesel Vortex syndicate didn’t discriminate in its targets. Among the compromised were industry giants and essential service providers:
- DAT Truckstop – America’s largest load board
- TIMOCOM – Europe’s leading freight exchange
- Teleroute – A major European logistics platform
- Penske Logistics – A Fortune 500 transportation company
- Girteka – Europe’s largest asset-based transport company
- Electronic Funds Source (EFS) – A critical payment processor for the trucking industry
The Criminal Mind at Work
What sets Diesel Vortex apart isn’t just its technical sophistication—it’s the organizational structure that rivals legitimate businesses. Researchers uncovered a detailed mind map created by a group member that revealed:
- A dedicated call center operation
- Mail support teams
- Programmer roles developing custom tools
- Staff specifically tasked with finding drivers, carriers, and logistics contacts
The operation was meticulously planned, with acquisition channels including:
- DAT One marketplace infiltration
- Email campaigns targeting industry professionals
- Rate confirmation fraud
- Multi-tiered revenue structures
Technical Mastery: The 9-Stage Phishing Assault
Diesel Vortex employs a multi-layered attack strategy that demonstrates both technical prowess and intimate knowledge of their targets:
- Initial contact via phishing emails using Zoho SMTP and Zeptomail
- Cyrillic homoglyph tricks in sender fields to bypass security filters
- Voice phishing campaigns targeting trucking professionals
- Telegram infiltration of industry-specific channels
Once victims click malicious links, they encounter:
- Minimal HTML landing pages on .com domains
- Full-screen iframes loading phishing content
- A 9-stage cloaking process on .top/.icu domains
The phishing pages are pixel-perfect replicas of legitimate platforms, capturing everything from basic credentials to:
- Multi-factor authentication codes
- Security tokens
- Payment information
- Check numbers
- MC/DOT numbers
- RMIS login details
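As an added defender's example (not code from the researchers or the report), here is a mail-gateway style check for the Cyrillic homoglyph sender trick described above: it flags From: display names or addresses that mix Latin and Cyrillic script, decodes punycode labels, and compares a Latin "skeleton" of the sender domain against an allow-list of trusted platform domains. The confusables table and the trusted domain example-loadboard.com are constructed assumptions, not values from the page.

```python
import re
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that render like Latin ones;
# a production check would use the full Unicode confusables data (assumption, not from the report).
CYRILLIC_TO_LATIN = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i",
    "ј": "j", "ѕ": "s", "һ": "h", "А": "A", "В": "B", "Е": "E", "К": "K", "М": "M",
    "Н": "H", "О": "O", "Р": "P", "С": "C", "Т": "T", "Х": "X",
}
# Constructed placeholder for the load-board / freight-exchange domains an organisation trusts.
TRUSTED_DOMAINS = {"example-loadboard.com"}

def scripts_used(text):
    """Return the set of Unicode scripts (LATIN, CYRILLIC, ...) of the letters in text."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}

def latin_skeleton(text):
    """Map look-alike Cyrillic letters to their Latin twins and lower-case the result."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in text).lower()

def analyse_sender(from_header, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of findings for one From: header value; an empty list means nothing flagged."""
    m = re.match(r'\s*(?:"?([^"<]*)"?\s*)?<([^>]+)>\s*$', from_header)
    if m:
        display, address = (m.group(1) or "").strip(), m.group(2).strip()
    else:
        display, address = "", from_header.strip()
    local, _, domain = address.rpartition("@")
    # Decode punycode (xn--) labels so a look-alike hidden behind IDNA encoding is still compared.
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already a Unicode domain (or malformed): compare it as-is
    address = f"{local}@{domain}" if local else domain
    findings = []
    for label, value in (("display name", display), ("address", address)):
        used = scripts_used(value)
        if "CYRILLIC" in used and "LATIN" in used:
            findings.append(f"mixed Latin/Cyrillic script in {label}: {value!r}")
    skeleton = latin_skeleton(domain)
    if skeleton != domain.lower() and skeleton in trusted_domains:
        findings.append(f"domain {domain!r} is a Cyrillic look-alike of trusted {skeleton!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample headers: a clean one and one using Cyrillic 'о' (U+043E) and 'а' (U+0430).
    for hdr in ('"Support" <noreply@example-loadboard.com>',
                '"Supp\u043ert" <noreply@ex\u0430mple-loadboard.com>'):
        print(hdr, "->", analyse_sender(hdr) or ["clean"])
```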
The Puppet Masters Behind the Curtain
Through painstaking open-source intelligence work, researchers connected Diesel Vortex to Armenian-speaking operators with ties to Russian infrastructure. The investigation revealed:
- Communications in Armenian about cargo theft operations
- Email addresses linked to Russian corporate filings
- Connections to companies involved in wholesale trade, transportation, and warehousing
The same email used to register phishing infrastructure appears in corporate documents for logistics companies operating in the exact verticals targeted by Diesel Vortex.
Beyond Simple Theft: The Double-Brokering Threat
Diesel Vortex isn’t just stealing credentials—they’re orchestrating full-scale supply chain attacks. The group is involved in:
- Freight impersonation using stolen carrier identities
- Mailbox compromise of logistics professionals
- Double-brokering schemes where legitimate freight is diverted to fraudulent pickup points
This sophisticated fraud allows criminals to physically steal cargo shipments, creating losses that ripple through the entire supply chain.
The Takedown
Following the investigation, a coordinated response involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center successfully disrupted the Diesel Vortex operation. The takedown included:
- Panel and phishing domains
- GitLab repositories
- Associated infrastructure
Critical Warning for the Industry
“This group built dedicated phishing infrastructure for platforms used daily by freight brokers, trucking companies, and supply chain operators,” researchers warned. “These platforms sit at the intersection of high transaction volumes and workforces not typically the focus of enterprise security programs.”
The Diesel Vortex campaign serves as a stark reminder that critical infrastructure is increasingly becoming a target for sophisticated cybercrime syndicates operating with corporate-like efficiency.