Russian and Armenian Operators Tied to Logistics-Focused ‘Diesel Vortex’ Group

Investigators have identified, unmasked and disrupted a months-long organized criminal effort that sold a phishing-as-a-service tool to target Western users of popular logistics platforms.
Researchers at cybersecurity startup Have I Been Squatted, which discovered the campaign earlier this month, said the phishing-as-a-service platform code appears to have largely been designed by a Russian-speaking developer, and the service was sold to users of Russian-language cybercrime forums. Subscribers used an external payment processor to pay cryptocurrency – in either bitcoin or tether, aka USDT.
The phishing platform has been tied to the deployment of 52 different phishing domains, which the group used to target 57,000 email address holders in credential-stealing attacks, alongside 35 attempted cases of Electronic Funds Source – or EFS – check fraud. Researchers codenamed the group that built the PhaaS platform “Diesel Vortex.”
“The group spent at least five months systematically targeting freight and logistics companies across the United States and Europe, stealing over 1,600 unique login credentials from users of major logistics platforms including DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS) and Timocom,” HIBS said.
The firm monitors for risky or lookalike domains being spun up in a customer’s name. Together with threat intelligence firm Ctrl-Alt-Int3l, which helped conduct a rapid, deep dive on gathered evidence, the researchers concluded that this “sophisticated criminal phishing operation” began last September and persisted until earlier this month, when the company helped get it shut down.
The PhaaS platform featured dedicated phishing infrastructure targeting platforms used daily by “freight brokers, trucking companies and supply chain operators,” with “load boards, fleet management portals, fuel card systems and freight exchanges” all being among the targets, HIBS said.
“These platforms sit at the intersection of high transaction volumes and the targeted workforce isn’t typically the primary focus of enterprise security programs, and the operators clearly knew it,” it said.
Operators’ OPSEC Mistake
An operational security mistake by the phishing operation led HIBS to discover its infrastructure. The group left a .git directory publicly accessible, revealing its use of the open-source Git version control system and allowing researchers to use an open-source tool called git-dumper to retrieve a full copy of the repository.
This revealed phishing templates, details about how the operation was organized and plans for improving and expanding the PhaaS platform, internally named “GlobalProfit” and marketed externally as “MC Profit Always.”
“MC likely refers to ‘US Motor Carrier,’ a unique operating authority identifier issued by the Federal Motor Carrier Safety Administration,” which is also known as FMCSA in the United States, HIBS said.
The OPSEC misstep exposed the group’s “full codebase, victim database, internal communications and future plans,” giving the researchers “rare insight into the inner workings of the group, their criminal network and the financial infrastructure sustaining it,” researchers said. It also revealed how the group had infiltrated various Telegram communities used by logistics and trucking firms.
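The same mistake is just as easy for a legitimate operator to make, which is why many teams gate deployments on a check like the one below. This is an added example, not code from HIBS, Ctrl-Alt-Int3l or the phishing kit: it walks a web root before publishing, flags version-control metadata and secrets files, and reads .git/HEAD to show which branch would be recoverable by a tool such as git-dumper. The file and directory names, and the throwaway web root it builds for demonstration, are constructed for this example.

```python
"""Added pre-deployment check: refuse to publish a web root that still contains
version-control metadata or secrets files. All paths below are constructed."""
import os
import tempfile
from pathlib import Path

# Directories and files that should never be reachable from a web root.
VCS_DIRS = {".git", ".svn", ".hg"}
SECRET_FILES = {".env", ".git-credentials"}


def find_exposed_repo_metadata(webroot: str) -> list:
    """Return sorted (relative path, detail) pairs for every VCS directory or
    secrets file found anywhere under webroot."""
    root = Path(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name in VCS_DIRS:
                repo = Path(dirpath) / name
                head = repo / "HEAD"
                # For Git, HEAD names the branch a dumper would recover first.
                detail = head.read_text().strip() if head.is_file() else ""
                findings.append((str(repo.relative_to(root)), detail))
                dirnames.remove(name)  # no need to descend into the repository itself
        for name in filenames:
            if name in SECRET_FILES:
                findings.append((str((Path(dirpath) / name).relative_to(root)), ""))
    return sorted(findings)


def deploy_is_safe(webroot: str) -> bool:
    """True only when nothing in the web root would leak the codebase or its secrets."""
    return not find_exposed_repo_metadata(webroot)


def build_demo_webroot() -> str:
    """Construct a throwaway web root that reproduces the mistake: app files
    published together with the .git directory and a .env file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'login'; ?>\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / ".git" / "objects").mkdir()
    (root / "config").mkdir()
    (root / "config" / ".env").write_text("TELEGRAM_TOKEN=placeholder-value\n")
    return str(root)


if __name__ == "__main__":
    demo = build_demo_webroot()
    for path, detail in find_exposed_repo_metadata(demo):
        print(f"BLOCK DEPLOY: {path} {detail}".rstrip())
    print("safe to deploy:", deploy_is_safe(demo))
```

Running the check against the constructed web root reports both the `.git` directory (with `ref: refs/heads/main`) and `config/.env`, and `deploy_is_safe` returns False. In practice this belongs in the CI step that builds the release artifact, with the web server additionally configured to refuse any request for a path component beginning with a dot.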
The group’s internal communications relied on Telegram chats, which the researchers recovered. “While the initial access vector is phishing, the conversations show a fraud workflow: impersonating carriers and brokers, bypassing verification calls using spoofed/virtual numbers and coordinating access to freight systems,” Ctrl-Alt-Int3l said in its own report.
The messages also reveal likely attempts at double-brokering – “a fraud scheme where a threat actor operates a malicious carrier, books a load from a broker then either re-brokers it to an actual carrier at a lower rate – pocketing the difference – or diverting the cargo entirely,” the report said.
At least some operators of the PhaaS platform appeared to be Armenian speakers. “Telegram webhook logs recovered from the platform show Armenian-language coordination among operators, indicating an Armenian-speaking component alongside the Russian infrastructure ties,” HIBS said. Such webhooks allow an operator to receive stolen credentials and remotely control a live phishing campaign, using the Telegram messaging app.
All of the victims are being notified, with the help of law enforcement agencies. The two research teams thanked Google Threat Intelligence Group, Cloudflare, GitLab, IPInfo and Ping Identity for helping to scuttle attackers’ infrastructure, as well as Microsoft Threat Intelligence Center and CrowdStrike for additional help, and the targeted logistics platforms and others for helping to directly notify victims.
Big-Picture Phishing Questions
One big-picture question this discovery poses: How many other PhaaS platforms exist, supported by operators who have deep knowledge of a different, targeted sector?
“Most operations don’t expose their infrastructure through an OPSEC mistake like this one did. What’s more concerning than this specific group is the PhaaS model they were building: Sector-specific knowledge gets baked into a kit once and sold to operators who need none of their own expertise. The problem likely multiplies from there,” Charlie Kelly, head of growth at HIBS, told Information Security Media Group.
Sectors most at risk from these types of phishing kits are any with “high transaction volumes and distributed, remote workforces,” he said.
As demonstrated by the MC Profit Always platform, freight and logistics fit that profile. “So do construction supply chains, commodity trading and parts of legal services like conveyancing,” whereas “financial services and big tech are better defended, largely because they’ve invested more in controls and awareness over a longer period,” Kelly said.
Effective Defense: Phishing-Resistant MFA
One major takeaway from this campaign is that such phishing campaigns can be blocked if platform users adopt phishing-resistant multifactor authentication, such as FIDO2-compatible security keys, or passkeys that can only be used after a fingerprint, facial scan or PIN check.
The researchers said Telegram-based credential interception techniques do work against users who rely on one-time codes sent through SMS. They also work against users of authenticator apps such as Google Authenticator and Authy, which issue a time-based, one-time password, or TOTP, typically refreshing every 30 to 60 seconds. That’s enough time for an attacker to intercept the TOTP and use it to gain unauthorized access to a victim’s logistics account.
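The difference between the two factors comes down to what the server can actually check. The simulation below is an added example, not code from the researchers or the platforms named in the article: it implements TOTP as specified in RFC 6238 and a deliberately simplified WebAuthn assertion check, then plays out a relay through a lookalike page for each. The domain names are invented, and an HMAC keyed with the credential secret stands in for the authenticator's asymmetric signature (an assumption made so the example runs with the standard library alone); the verification logic a real relying party performs is the same.

```python
"""Constructed simulation: a relayed TOTP code logs the relaying party in,
a relayed passkey assertion does not. Names, keys and secrets are invented."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_RP_ID = "loadboard.example"                      # constructed relying party
REAL_ORIGIN = "https://loadboard.example"
LOOKALIKE_ORIGIN = "https://loadboard-example.test"   # constructed phishing domain
DEMO_TOTP_SECRET = b"12345678901234567890"            # RFC 4226 test secret, not a real enrollment


# ---- TOTP, RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) -------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_login(shared_secret: bytes, submitted: str, unix_time: int) -> bool:
    # The server only learns "someone knows the current code"; it cannot tell
    # whether that code was typed into the real site or into a lookalike page.
    return hmac.compare_digest(totp(shared_secret, unix_time), submitted)


def totp_relay_succeeds() -> bool:
    now = 0                                             # start of a 30 s window
    typed_on_lookalike = totp(DEMO_TOTP_SECRET, now)    # victim copies the code from the app
    # The kit forwards it to the real site a few seconds later, inside the same window.
    return totp_login(DEMO_TOTP_SECRET, typed_on_lookalike, now + 5)


def totp_replay_after_window_fails() -> bool:
    # Same stolen code, presented two windows later: the step counter has moved on.
    return totp_login(DEMO_TOTP_SECRET, totp(DEMO_TOTP_SECRET, 0), 60)


# ---- Passkey assertion, simplified WebAuthn -----------------------------------
def browser_get_assertion(cred_key: bytes, rp_id: str, challenge: str, page_origin: str) -> dict:
    # The browser, not the page's JavaScript, writes the origin into clientDataJSON
    # and hashes the rpId into authenticatorData; both are covered by the signature.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    signed = auth_data + hashlib.sha256(client_data).digest()
    # Assumption: HMAC stands in for the authenticator's private-key signature.
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def rp_verify(cred_key: bytes, issued_challenge: str, assertion: dict) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:          # origin binding: the phishing-resistant step
        return False
    if assertion["auth_data"] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def passkey_direct_login() -> bool:
    cred_key, challenge = secrets.token_bytes(32), secrets.token_hex(16)
    return rp_verify(cred_key, challenge,
                     browser_get_assertion(cred_key, REAL_RP_ID, challenge, REAL_ORIGIN))


def passkey_relay_fails() -> bool:
    cred_key, challenge = secrets.token_bytes(32), secrets.token_hex(16)
    # The victim is on the lookalike page, so the browser stamps the lookalike origin.
    # (Real browsers refuse even earlier: the rpId is not a suffix of that origin.)
    relayed = browser_get_assertion(cred_key, REAL_RP_ID, challenge, LOOKALIKE_ORIGIN)
    return rp_verify(cred_key, challenge, relayed)


if __name__ == "__main__":
    print("relayed TOTP accepted:", totp_relay_succeeds())
    print("stale TOTP accepted:", totp_replay_after_window_fails())
    print("genuine passkey accepted:", passkey_direct_login())
    print("relayed passkey accepted:", passkey_relay_fails())
```

The relayed TOTP is accepted because the server has nothing to bind the code to; the relayed passkey assertion is rejected because the origin the victim's browser recorded is not the one the relying party expects, and the attacker cannot alter it without invalidating the signature. The window-expiry check shows why the 30 to 60 seconds mentioned above is the only protection TOTP offers against a live relay.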
The identity of whoever created the phishing-as-a-service platform isn’t clear, although one potential clue comes from an email address that was used to register a domain that’s embedded in the phishing panel. Ctrl-Alt-Int3l said “that same identifier appears in the corporate filings of multiple Russian LLCs operating in wholesale trade, warehousing and transportation,” which reported a combined revenue of $180 million in 2024, and which have domains registered using the same email address.
“It is possible that the domain registration reflects negligence, unrelated administrative overlap, or another explanation not visible through open-source analysis. At present, the evidence supports correlation, not attribution,” the researchers said.
Researchers also offered their findings to law enforcement agencies that want to probe further.
Another takeaway from this campaign is that “cybercriminals, even elite ones, make mistakes,” said Ian Thornton-Trump, CISO at cybersecurity risk management firm Inversion6.
He lauded how the campaign was spotted and the disruption coordinated. “Cyberthreat intelligence was once dominated by really large global organizations, but this research shows that ‘scrappy start-ups’ can make a huge impact,” he said.
