Russian Cybercrime Ring “Diesel Vortex” Exposed After Targeting US and EU Freight Firms in Large-Scale Phishing Campaign

Researchers from Have I Been Squatted, working with Ctrl-Alt-Intel, uncovered a highly organised criminal phishing operation in early 2026 that systematically targeted freight and logistics companies across the United States and Europe. The group behind it is being called Diesel Vortex.

Over at least five months — from September 2025 through February 2026 — the operation harvested thousands of login credentials from users of major freight platforms such as DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS), and Timocom.

A Sophisticated, Targeted Phishing Campaign

Rather than random phishing blasts, Diesel Vortex was a focused and professional criminal enterprise. The group built 52 fake domains that mimicked the login pages of legitimate freight and trucking platforms, then sent targeted spear-phishing messages to professionals working in the logistics sector.

Using these cloned sites, operators captured usernames, passwords, and multi-factor authentication (MFA) codes in real time. They didn’t just cast a wide net — they intercepted active logins, even circumventing MFA protections to gain access to systems used to move and manage freight.

Once inside these accounts, attackers could:

  • Redirect invoices to fraud-controlled accounts
  • Reassign shipments in “double-brokering” schemes
  • Access personal and business data
  • Steal funds and commit financial fraud through fuel card systems, including check fraud attempts tied to Electronic Funds Source.
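Each of the actions above leaves a trail in the freight platform's own audit log, and the useful defensive signal is the combination: a login from a location the account has never used, followed within minutes by a payment-detail change, a load reassignment, or a fuel-card payout. The following is an added example written for this article, not code from the researchers or from any platform named here; it assumes a JSON-lines audit log with constructed `ts`, `user`, `event` and `ip` fields, and all addresses, accounts and event names are constructed. It deliberately does not treat a passed MFA check as exculpatory, because with real-time relay the code was the victim's own, typed into the cloned page.

```python
"""Account-takeover follow-on detection over a freight platform's audit log.

Added example; it is not code from the article, the researchers, or any of the
platforms named. It correlates a login from an IP the account has never used
with a high-risk action in the hour that follows, which is the footprint an
operator leaves after relaying a victim's password and MFA code through a
cloned login page. Log lines, field names and IPs are constructed.
"""
import json
from datetime import datetime, timedelta

# Actions the article lists as post-compromise goals: invoice redirection,
# shipment reassignment, fuel-card abuse. Event names are constructed.
HIGH_RISK_ACTIONS = {"remit_to_changed", "load_reassigned", "fuel_card_payout"}
WINDOW = timedelta(minutes=60)

# IPs each account had used before this log window (constructed baseline).
KNOWN_IPS = {
    "dispatch@carrier.example": {"198.51.100.7"},
    "billing@broker.example": set(),
}

# Constructed JSON-lines audit log, in time order.
SAMPLE_LOG = """\
{"ts":"2026-01-10T08:02:11Z","user":"dispatch@carrier.example","event":"login","ip":"198.51.100.7","mfa":true}
{"ts":"2026-01-10T08:05:40Z","user":"dispatch@carrier.example","event":"load_viewed","ip":"198.51.100.7"}
{"ts":"2026-01-10T14:11:02Z","user":"dispatch@carrier.example","event":"login","ip":"203.0.113.44","mfa":true}
{"ts":"2026-01-10T14:19:30Z","user":"dispatch@carrier.example","event":"remit_to_changed","ip":"203.0.113.44","new_account":"****6621"}
{"ts":"2026-01-10T14:25:03Z","user":"dispatch@carrier.example","event":"load_reassigned","ip":"203.0.113.44","load_id":"L-CONSTRUCTED-1"}
{"ts":"2026-01-11T09:00:00Z","user":"billing@broker.example","event":"login","ip":"192.0.2.9","mfa":true}
{"ts":"2026-01-11T16:40:00Z","user":"billing@broker.example","event":"remit_to_changed","ip":"192.0.2.9","new_account":"****0042"}
"""


def parse(log_text):
    """Parse JSON-lines audit events; timestamps become naive UTC datetimes."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, known_ips):
    """Return one alert per high-risk action that follows a login from an unfamiliar IP.

    A successful MFA check on that login is NOT treated as exculpatory: with
    real-time relay the code was the victim's own, entered on the attacker's page.
    """
    alerts = []
    pending = {}  # user -> (login_ts, login_ip) of the latest unfamiliar-IP login
    seen = {user: set(ips) for user, ips in known_ips.items()}
    for e in events:
        user, ip = e["user"], e["ip"]
        seen.setdefault(user, set())
        if e["event"] == "login":
            if ip not in seen[user]:
                pending[user] = (e["ts"], ip)
            seen[user].add(ip)  # learn the IP only after judging this login
        elif e["event"] in HIGH_RISK_ACTIONS and user in pending:
            login_ts, login_ip = pending[user]
            delta = e["ts"] - login_ts
            # Same unfamiliar IP and inside the window: the classic takeover footprint.
            if ip == login_ip and delta <= WINDOW:
                alerts.append({
                    "user": user,
                    "action": e["event"],
                    "ip": ip,
                    "seconds_after_login": int(delta.total_seconds()),
                    "at": e["ts"].isoformat(),
                })
    return alerts


def run(log_text=SAMPLE_LOG, known_ips=KNOWN_IPS):
    """Convenience wrapper: parse the constructed log and run the correlation."""
    return detect(parse(log_text), known_ips)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

On the constructed log this raises two alerts for the dispatch account (the remit-to change and the load reassignment, both within fifteen minutes of the unfamiliar login) and none for the billing account, whose remit-to change happens more than seven hours after its login. In production the baseline would come from weeks of login history rather than a hard-coded dictionary, and the window and action list tuned to the platform.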

According to the researchers’ metrics, the operation involved 3,474 stolen credential pairs (including 1,649 unique sets), over 75,000 target contact emails, and 35 documented fraud attempts against fuel systems.

Not an Amateur Operation

The group wasn’t just a loose collective of hackers — internal documentation, source code, and infrastructure artifacts suggest Diesel Vortex was a structured criminal enterprise with defined roles and revenue objectives.

Recovered Telegram webhook logs showed operators coordinating in Armenian and Russian, indicating both Armenian-speaking personnel and links to Russian infrastructure. The source code itself referenced an internal phishing-as-a-service (PhaaS) brand named “GlobalProfit”, which analysts believe may have been marketed to other criminals under the name “MC Profit Always.”

Beyond email phishing, the group deployed voice phishing (vishing) and used Telegram channels to interact in real time with victims and coordinate phishing flows, adding a hands-on element to the credential-theft process.

How Investigators Uncovered the Operation

The investigation began when analysts noticed a cluster of typosquatted domains spoofing legitimate logistics platforms. During follow-up, they found a misconfigured .git directory on one of these domains that exposed the entire phishing platform’s source code, victim database, internal chats, and future plans — a rare glimpse into the inner workings of a modern phishing engine.
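The first signal in an investigation like this is a cluster of lookalike domains, and a logistics brand can watch for them itself by generating the common typosquat forms of its own domain and checking each newly observed name (from certificate-transparency logs or passive DNS) against them. The following is an added example written for this article, not the researchers' tooling or the article's own code; the protected brands `examplefreight.com` and `example-loads.net`, the sample feed, and the homoglyph table are all constructed, and none of the names are the 52 domains the article describes.

```python
"""Lookalike-domain monitoring for a freight brand.

Added example (not code from the article or from the researchers). It generates
single-edit typosquat variants of a protected domain (omission, repetition,
transposition, homoglyph, hyphenation), adds TLD-swap and brand-embedding
checks, and falls back to edit distance for multi-character variants. Every
domain name below is a constructed placeholder.
"""

# Brands to protect (constructed).
PROTECTED_DOMAINS = ["examplefreight.com", "example-loads.net"]

# Visually confusable substitutions commonly seen in typosquats.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}


def split_domain(domain):
    """Return (label, tld) for a name like 'brand.com' ('login.brand.com' -> 'login.brand')."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def typo_variants(label):
    """Return the set of single-edit typo variants of a registrable label."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                    # omission
        out.add(label[:i] + label[i] + label[i:])             # repetition
        if i < n - 1:                                         # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for g in HOMOGLYPHS.get(label[i], []):                # homoglyph
            out.add(label[:i] + g + label[i + 1:])
        if 0 < i < n:                                         # hyphenation
            out.add(label[:i] + "-" + label[i:])
    out.discard(label)
    return out


def edit_distance(a, b):
    """Levenshtein distance; catches multi-character variants the generator misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, protected=PROTECTED_DOMAINS):
    """Return a reason string if `domain` looks like a lookalike of a protected brand, else None."""
    label, tld = split_domain(domain)
    for p in protected:
        plabel, ptld = split_domain(p)
        if label == plabel and tld == ptld:
            return None                                  # the genuine domain
        if label == plabel and tld != ptld:
            return f"tld-swap of {p}"
        if label in typo_variants(plabel):
            return f"typo/homoglyph variant of {p}"
        if plabel in label:
            return f"brand embedded: {p}"                 # e.g. brand-login.net
        if len(plabel) >= 8 and edit_distance(label, plabel) <= 2:
            return f"within edit distance 2 of {p}"
    return None


def scan(feed, protected=PROTECTED_DOMAINS):
    """Return {domain: reason} for every suspicious name in a feed of new domains."""
    hits = {}
    for d in feed:
        reason = classify(d, protected)
        if reason:
            hits[d] = reason
    return hits


# Constructed feed, shaped like what a CT-log or passive-DNS watcher would emit.
SAMPLE_FEED = [
    "examplefreight.com",         # legitimate
    "examplefrieght.com",         # transposition
    "examp1efreight.com",         # homoglyph l -> 1
    "examplefreight-login.net",   # brand embedded
    "examplefreight.co",          # TLD swap
    "example-loads.net",          # legitimate
    "weatherreport.org",          # unrelated
]

if __name__ == "__main__":
    for dom, why in scan(SAMPLE_FEED).items():
        print(f"{dom:28} {why}")
```

Four of the seven constructed names are flagged and the two genuine domains pass. The edit-distance fallback is gated on label length so that short brand names do not match every short word; tune that threshold and the homoglyph table to your own brand before pointing this at a live feed.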

Industry Collaboration and Takedown

The takedown of Diesel Vortex’s infrastructure wasn’t a solo effort. Teams from Google Threat Intelligence Group, Cloudflare, GitLab, IPInfo, and Ping Identity assisted in dismantling the operation, with additional support from Microsoft Threat Intelligence Center and CrowdStrike. Victim notification efforts were also coordinated with impacted organisations.