Diesel Vortex is an Armenian-speaking threat group targeting the global logistics industry by utilizing dozens of typosquatted domains to harvest sensitive login credentials. Since late 2025, the group has successfully compromised over 1,600 unique accounts from major freight platforms and logistics providers across the United States and Europe.
A financially motivated cybercriminal group known as Diesel Vortex has launched an extensive phishing campaign targeting the freight and logistics sectors in North America and Europe. Since September 2025, the group has utilized 52 fraudulent domains to deceive employees at major industry players like Penske Logistics, Girteka, and TIMOCOM. By mimicking legitimate login portals, the actors have successfully intercepted thousands of credentials, posing a significant risk to the supply chain and financial security of these organizations.
The operation was uncovered by researchers at Have I Been Squatted after they discovered an exposed repository belonging to the group. This repository contained an SQL database from a phishing toolkit dubbed Global Profit, which was being marketed to other criminals under the name MC Profit Always. The leaked data provided a rare glimpse into the scale of the theft, revealing that nearly 3,500 credential pairs had been collected, approximately half of which were unique logins for critical industry service providers.
Analysis of the repository also yielded Telegram webhook logs that documented communications between the individuals managing the phishing infrastructure. These logs provided enough linguistic evidence for researchers to conclude that the operators are Armenian speakers. Furthermore, the technical setup behind the campaign showed strong ties to Russian infrastructure, indicating a sophisticated level of coordination and resource management within the Eastern European cybercriminal ecosystem.
The investigation into Diesel Vortex was a collaborative effort involving the tokenization infrastructure provider Ctrl-Alt-Intel. By combining technical data with open-source intelligence, the researchers were able to map out the connections between the phishing operators and the specific companies targeted. This comprehensive tracking allowed the team to identify the full scope of the infrastructure used to facilitate these attacks and monitor how the stolen data was being organized.
Despite the exposure of their database, the Diesel Vortex campaign highlights a persistent vulnerability in the logistics sector, where specialized platforms like Teleroute and EFS are high-value targets. The group’s ability to operate dozens of domains simultaneously demonstrates the ongoing effectiveness of typosquatting as a primary attack vector. As the industry continues to digitize its operations, these findings serve as a reminder of the critical need for proactive domain monitoring and enhanced credential security.
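As an added illustration of the proactive domain monitoring mentioned above (not code from the researchers or from the original article), the following sketch checks a feed of newly observed domains against brand names cited in this report. The allowlist entry, the sample feed and the function names are constructed assumptions, and the `.example` domains are placeholders.

```python
import re

# Brand names come from the article; ALLOWLIST and SAMPLE_FEED are constructed.
BRANDS = ("penske", "girteka", "timocom", "teleroute")
ALLOWLIST = {"timocom.example"}  # placeholder for domains the brand owner controls
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
SAMPLE_FEED = [
    "timoc0m-login.example", "teleroutte.example", "portal.girtkea.example",
    "penske-carrier-auth.example", "timocom.example", "weather-report.example",
]


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent transpose."""
    rows = [list(range(len(b) + 1))]
    for i in range(1, len(a) + 1):
        row = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            row[j] = min(rows[i - 1][j] + 1, row[j - 1] + 1, rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                row[j] = min(row[j], rows[i - 2][j - 2] + 1)
        rows.append(row)
    return rows[-1][-1]


def classify(domain):
    """Return (brand, reason) if the domain imitates a watched brand, else None."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST:
        return None
    labels = domain.split(".")[:-1]  # drop the TLD, keep subdomains too
    for raw in (t for label in labels for t in re.split(r"[-_]", label) if t):
        token = raw.translate(HOMOGLYPHS)  # undo digit-for-letter swaps
        for brand in BRANDS:
            if brand in token:
                return brand, "brand_reuse" if brand in raw else "homoglyph"
            if edit_distance(token, brand) == 1:
                return brand, "typo"
    return None


def scan(feed):
    """Map each suspicious domain in a feed to its (brand, reason) verdict."""
    return {d: hit for d in feed if (hit := classify(d))}


if __name__ == "__main__":
    for domain, (brand, reason) in scan(SAMPLE_FEED).items():
        print(f"{domain:32} imitates {brand:10} ({reason})")
```

EFS is left out of the watch list here because a three-letter name within one edit of a token matches too many unrelated words; short brands need exact-match rules or a curated allowlist instead.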
Source: Phishing Campaign Targets US And European Freight And Logistics Firms



