Diesel Vortex: Inside the Sophisticated Phishing Campaign Targeting Freight and Logistics
A freight broker receives a convincing rate confirmation email, complete with industry jargon and a familiar logo. Minutes later, a call from a supposed logistics partner urges them to log in to a portal—one that looks just like the real thing. Within hours, their credentials are in the hands of Diesel Vortex, a threat group whose operations rival those of legitimate businesses.
Diesel Vortex has emerged as a formidable adversary for freight and logistics organizations across the US and Europe, orchestrating a phishing campaign that blends technical sophistication with old-school social engineering. Their playbook includes a division of labor reminiscent of a corporate structure, custom-built phishing infrastructure, and a relentless focus on high-value targets within the logistics ecosystem.
With over 1,600 unique credentials stolen since September 2025, Diesel Vortex’s campaign highlights the evolving threat landscape facing supply chain operators. This analysis unpacks the group’s tactics, the breadth of their attack surface, and the real-world impact on an industry already under pressure from digital transformation and rising cyber risk.
Inside the Diesel Vortex Playbook: Tactics, Tools, and Targets
Organizational Structure and Operational Model
Recent investigations into the Diesel Vortex threat group have uncovered a highly organized structure that mirrors legitimate business operations. The group operates with a clear division of labor, including roles such as call-center agents, mail support staff, programmers, and personnel dedicated to identifying and targeting drivers, carriers, and logistics contacts. This approach enables Diesel Vortex to efficiently manage and scale its phishing operations, ensuring that each stage of the attack lifecycle is handled by specialized actors.
A mind map attributed to a group member details the internal workflow, highlighting the following key operational tiers:
| Role/Function | Description |
|---|---|
| Call-Center Agents | Engage with victims, impersonate logistics personnel, and facilitate social engineering. |
| Mail Support | Manage phishing email campaigns, monitor responses, and coordinate follow-ups. |
| Programmers | Develop and maintain phishing infrastructure, including fake portals and credential harvesting tools. |
| Acquisition Staff | Identify and collect information on potential victims, focusing on drivers, carriers, and brokers. |
| Revenue Management | Track and distribute proceeds from successful attacks across operational tiers. |
This level of organization is atypical for financially motivated threat groups targeting the logistics sector, suggesting a maturation of cybercrime tactics in this vertical.
Phishing Infrastructure and Attack Surface
Diesel Vortex has invested in building a robust and scalable phishing infrastructure tailored to the freight and logistics industry. The group leverages at least 52 unique domains to host phishing pages, each designed to mimic legitimate platforms used daily by freight brokers, trucking companies, and supply chain operators. The infrastructure encompasses a wide range of targets, including:
- Load boards
- Fleet management portals
- Fuel card systems
- Freight exchanges
The use of dedicated infrastructure allows Diesel Vortex to quickly adapt to takedowns and detection, rotating domains and updating phishing templates as needed. The group’s infrastructure is also used to automate the collection and aggregation of stolen credentials, streamlining the monetization process.
Attack Surface Overview
| Platform Type | Example Targets | Purpose in Logistics Ecosystem |
|---|---|---|
| Load Boards | DAT Truckstop, TIMOCOM | Match freight with available carriers |
| Fleet Management Portals | Penske Logistics | Manage vehicle fleets and logistics data |
| Fuel Card Systems | Electronic Funds Source (EFS) | Facilitate fuel purchases and payments |
| Freight Exchanges | Teleroute, Girteka | Connect shippers with transport providers |
The diversity of targeted platforms illustrates the group’s comprehensive understanding of the freight and logistics industry’s digital landscape.
Social Engineering and Credential Harvesting Techniques
Diesel Vortex employs advanced social engineering tactics to increase the success rate of their phishing campaigns. The group’s playbook includes:
- Impersonation of Trusted Entities: Attackers often pose as representatives from well-known logistics companies or platforms, leveraging industry jargon and contextually relevant scenarios to build trust with targets.
- Rate Confirmation Fraud: A notable tactic involves sending fraudulent rate confirmation documents—an essential part of logistics transactions—to entice victims into clicking malicious links or providing sensitive information.
- Call-Back Phishing: The group’s call-center agents follow up on phishing emails with phone calls, further convincing victims of the legitimacy of the communication and guiding them through credential submission processes.
These techniques are supported by custom phishing pages that closely replicate the look and feel of legitimate portals, reducing the likelihood of detection by end users.
Credential Harvesting Workflow
- Target Identification: Acquisition staff compile lists of drivers, carriers, and brokers using open-source intelligence and compromised databases.
- Initial Contact: Victims receive phishing emails or rate confirmation documents, often followed by a phone call.
- Credential Submission: Victims are directed to fake login pages hosted on Diesel Vortex-controlled domains.
- Data Aggregation: Stolen credentials are collected and organized for further exploitation or sale.
This multi-step approach, combining digital and voice-based social engineering, increases the probability of successful credential theft.
Acquisition Channels and Victim Profiling
Diesel Vortex demonstrates a sophisticated approach to acquiring new victims, utilizing multiple channels to maximize reach and efficiency. The group’s acquisition strategy includes:
- Marketplace Infiltration: Diesel Vortex actively monitors and infiltrates freight marketplaces such as DAT One, using both automated tools and human operatives to identify high-value targets.
- Email Campaigns: Mass phishing campaigns are launched using tailored messaging for different segments of the logistics industry, ensuring relevance and increasing open rates.
- Direct Targeting of Carriers and Brokers: Staff are assigned to specifically seek out contact information for drivers, carriers, and brokers, enabling highly personalized phishing attempts.
The group also categorizes potential victims by operational tier, focusing efforts on those with access to sensitive platforms or financial resources.
Victim Profiling Table
| Victim Type | Acquisition Method | Rationale for Targeting |
|---|---|---|
| Freight Brokers | Marketplace infiltration, email | Brokers have access to multiple carriers and sensitive deal data. |
| Trucking Companies | Direct targeting, email | Companies manage large fleets and payment systems. |
| Individual Drivers | Email, phone calls | Drivers are often less security-aware and may have access to fuel cards. |
| Logistics Operators | Email, marketplace | Operators control logistics flows and platform credentials. |
This targeted approach ensures that Diesel Vortex’s campaigns are both broad in scope and precise in execution.
Monetization and Revenue Distribution
The Diesel Vortex group has established clear mechanisms for monetizing stolen credentials and distributing illicit gains among its members. The mind map uncovered by researchers highlights the following revenue streams and operational tiers:
- Credential Sales: Stolen credentials for logistics platforms, fuel card systems, and freight exchanges are sold on underground forums and to other cybercriminal groups.
- Direct Financial Fraud: Access to compromised accounts allows the group to initiate fraudulent transactions, such as unauthorized fuel purchases or diversion of freight payments.
- Tiered Revenue Sharing: Proceeds from successful attacks are distributed according to the operational role, incentivizing participation and maintaining group cohesion.
Revenue Distribution Model
| Operational Tier | Revenue Share (%) | Role Description |
|---|---|---|
| Programmers | 25 | Develop and maintain phishing infrastructure |
| Acquisition Staff | 20 | Identify and profile new victims |
| Call-Center Agents | 15 | Conduct social engineering and follow-ups |
| Mail Support | 10 | Manage email campaigns and responses |
| Leadership/Core Members | 30 | Oversee operations and manage finances |
This structured approach to revenue distribution mirrors legitimate business practices, further illustrating the professionalization of cybercrime in the logistics sector.
Impact and Scope of Credential Theft
Since the campaign’s inception in September 2025, Diesel Vortex has stolen at least 1,649 unique credentials from critical platforms and service providers in the freight industry. The scale of the operation is significant, with victims including major names such as DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source (EFS).
Credential Theft Metrics
| Metric | Value (as of Feb 2026) |
|---|---|
| Unique Credentials Stolen | 1,649 |
| Active Phishing Domains | 52 |
| Notable Victims | 6+ major organizations |
The breadth of the campaign underscores the vulnerability of the logistics sector to targeted phishing operations and highlights the need for industry-wide improvements in cybersecurity awareness and defense.
All information presented in this report is based on the latest available data as of February 25, 2026, and is sourced from BleepingComputer and Have I Been Squatted.
Final Thoughts
Diesel Vortex’s campaign is a wake-up call for the freight and logistics sector. Their business-like structure, tailored phishing infrastructure, and multi-channel victim acquisition strategies demonstrate just how far cybercriminals have come in targeting industry-specific vulnerabilities.
The group’s success underscores the urgent need for organizations to invest in security awareness, robust authentication, and rapid incident response. As logistics platforms become more interconnected and reliant on digital tools, the risks posed by sophisticated phishing campaigns like Diesel Vortex will only grow. Staying ahead requires not just technology, but a culture of vigilance and continuous education across every tier of the supply chain.
References
- BleepingComputer. (2026, February 25). Phishing campaign targets freight and logistics orgs in the US, Europe. https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-freight-and-logistics-orgs-in-the-us-europe/
- Have I Been Squatted. (2026). Inside the Diesel Vortex Playbook: Tactics, Tools, and Targets. https://haveibeensquatted.com/