Supply Chain Cyber Fraud Has Merged With Freight Fraud. Most Brokerages Haven't Noticed.
In 2026, the criminals phishing your dispatchers and the criminals stealing your cargo are the same people. Here's how the attack chain works.
Between September 2025 and February 2026, a cybercrime group that researchers named Diesel Vortex ran a single operation that hit the freight industry from five directions at once. They deployed 52 phishing domains targeting freight platforms including DAT, Truckstop, TIMOCOM, Penske Logistics, and Girteka. They sent fraudulent login pages to over 57,000 email addresses. They harvested 3,474 stolen credential pairs. They attempted 35 check fraud incidents against fuel card systems. And cybersecurity researchers at Proofpoint, CrowdStrike, and Google Threat Intelligence assessed with high confidence that the same group was coordinating with organized crime networks to physically steal cargo using the access those stolen credentials provided.
That is not five separate threats. That is one operation. A mind map recovered from a group member showed the organizational structure: a call center, mail support, designated programmers, and specialized staff for locating drivers, carriers, and logistics contacts. The phishing email and the stolen truckload were different departments in the same company.
Supply chain cyber fraud in freight has converged into a single, professionalized threat. The phishing email that steals a dispatcher's load board password and the truck that arrives at the dock under a stolen carrier identity are stages in the same operation, run by the same money, directed by the same people. The freight industry's organizational habit of assigning cybersecurity to IT and freight fraud to operations creates the exact gap these groups exploit. The dispatchers who spot suspicious carriers and the IT staff who manage login security are solving different halves of the same problem without talking to each other. Until those two disciplines merge, the attackers will keep winning, because they already operate as one team.
The 5 Digital Attack Vectors in Supply Chain Freight Fraud
| Attack Vector | What It Targets | Connection to Cargo/Payment Theft | Avg. Loss Per Incident | Time to Detection |
|---|---|---|---|---|
| Credential phishing | Dispatcher email, load board logins | Provides system access for every other attack type | Enables all downstream vectors | Hours to never |
| Load board/TMS takeover | Load visibility, dispatch control | Attacker monitors loads, books under stolen carrier IDs, redirects pickups | $200K to $500K+ | 3 to 7 days |
| Payment redirect (BEC) | AP department email, bank details | Redirects carrier payments to attacker-controlled accounts | $50K to $150K+ (compounds) | 15 to 45 days |
| Ransomware | Entire IT infrastructure | Halts dispatch, billing, communications; extorts payment to restore | $7M to $65M total impact | Immediate (operational shutdown) |
| AI social engineering | Dispatch, finance, executive staff | Deepfake calls authorize load releases, payment changes, reroutes | $50K to $600K+ | Hours to days |
The Scale of Supply Chain Cyber Fraud in Freight
Cyberattacks tied to logistics companies rose 61% in 2025 according to Everstream Analytics, increasing from 132 to 213 tracked incidents, and are projected to double again in 2026. The dollar figures across attack categories tell the fuller story.
The Federal Bureau of Investigation's Internet Crime Complaint Center (FBI IC3) reported $2.77 billion in business email compromise losses across 21,442 incidents in 2024. Since 2015, cumulative BEC losses total $17.1 billion across all industries. Transportation and logistics is one of the most targeted sectors because of its reliance on email-based payment coordination, time-pressured dispatch decisions, and fragmented technology infrastructure.
CargoNet recorded 3,594 supply chain crime events across the U.S. and Canada in 2025, with cargo theft losses surging 60% to nearly $725 million. The average theft value rose 36% to $273,990. Highway, a freight identity verification company, blocked 1,986,995 fraudulent email attempts targeting freight companies in 2025, up 117% from 914,719 in 2024. They flagged 8,525,962 fraudulent phone numbers and issued 9,129 identity alerts.
These numbers are not parallel trends. They are connected. The same digital infrastructure that steals credentials feeds the operations that steal cargo and redirect payments. The phishing campaign is the supply chain for the cargo theft.
How One Criminal Group Runs the Entire Attack Chain
The Diesel Vortex operation is the clearest documented example of how supply chain cyber fraud works as a single, integrated business. The group, identified as Armenian-speaking with connections to Russian infrastructure, was tracked by a coalition including GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and the Microsoft Threat Intelligence Center before being disrupted in early 2026.
Their operation worked in stages that mirror a legitimate business:
- Acquire credentials. The group deployed 52 phishing domains mimicking login pages for DAT, Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source (EFS). Over 57,000 email addresses were targeted. The campaign yielded 1,649 unique credentials from freight platforms, with 3,474 total stolen credential pairs across all targets.
- Exploit access. Stolen credentials gave the group visibility into posted loads, carrier contacts, and payment systems. They could see high-value shipments before legitimate carriers could, identify which loads were time-sensitive, and map broker-carrier relationships.
- Monetize through multiple channels. The group ran 35 attempted check fraud incidents targeting fuel card systems. They coordinated with organized crime for physical cargo theft using the intelligence gathered from compromised accounts. And the credential database itself has resale value on dark web marketplaces.
- Scale with specialization. The recovered mind map showed dedicated roles for each function: phishing infrastructure management, credential harvesting, target identification, driver recruitment, carrier impersonation, and financial extraction. This is not a lone hacker. It is a staffed operation with a division of labor.
Proofpoint tracked a related threat cluster active since at least June 2025 that takes the attack chain even further. After compromising load board accounts, this group posts fake loads. When legitimate carriers respond, the attackers deploy remote monitoring and management (RMM) tools like SimpleHelp, ScreenConnect, and LogMeIn Resolve onto the carriers' systems. This gives them persistent access to both sides of the transaction: the broker's load board account and the carrier's dispatch system.
The Five Digital Attack Vectors Targeting Freight
Each vector operates independently, but in professionalized operations like Diesel Vortex, they run simultaneously as stages of a single campaign. Understanding each one matters because defending against any one vector without the others leaves the attack chain intact.
Credential Phishing: The Gateway to Everything Else
Credential phishing is the entry point for nearly every digital attack on freight companies. A phishing attack sends a fraudulent email that mimics a trusted platform (load board, TMS, email provider) to trick the recipient into entering their username and password on a fake login page. In freight, phishing emails typically impersonate password reset requests from DAT, Truckstop, or major TMS providers.
The Diesel Vortex campaign's 52 phishing domains captured 3,474 credential pairs. The average "breakout time" from initial access to lateral movement within compromised systems fell to just 18 minutes in 2025. That means a dispatcher who enters credentials on a fake page at 9:00 AM may have an attacker inside the brokerage's load board by 9:18 AM.
For a detailed breakdown of how phishing emails targeting freight platforms work and how to train dispatch teams to recognize them, read our analysis of how cyber-enabled cargo theft operates.
Load Board and TMS Account Takeover
Load board account takeover occurs when an attacker uses stolen credentials to access a broker's or carrier's account on platforms like DAT or Truckstop, gaining visibility into posted loads and the ability to book freight under the compromised identity.
DAT closed more than 12,000 accounts due to fraud from 2022 into 2023. Truckstop blocked 9,928 accounts in a single year. But account takeover is harder to detect than new-account fraud because the compromised account has an established history, verified carrier relationships, and platform trust signals. A load booked through a 5-year-old DAT account doesn't trigger the same scrutiny as one booked through a 30-day-old account.
Our deep dive on load board fraud in 2026 covers the three phases of platform fraud evolution and why account takeover has become the dominant vector.
Payment Redirect Fraud (Business Email Compromise)
Business email compromise (BEC) in freight works by intercepting or spoofing email communications between brokers and carriers to redirect payments to attacker-controlled bank accounts. BEC is the highest-dollar cyber fraud category in transportation because losses compound silently across multiple payment cycles before anyone notices.
The attack pattern: compromise or spoof a carrier's email, send the broker an ACH detail change request, and wait for the broker's normal payment cycle to redirect real payments to the fraudulent account. Detection typically takes 15 to 45 days because the invoices are real, the amounts are correct, and the transactions process cleanly. Recovery rates are under 10%.
For the full mechanics of payment redirect fraud, including the five-stage attack pattern, NOA interception, and the payment verification protocol that stops all three variants, read our payment fraud protection guide.
Ransomware: When the Entire Operation Stops
Ransomware attacks on freight companies encrypt systems and demand payment to restore access, halting dispatch, billing, EDI connections, and driver communication simultaneously.
The operational impact is total and immediate. When ransomware hits, a brokerage cannot post or accept loads, cannot communicate with carriers or shippers through normal channels, cannot process invoices or payments, and cannot access customer records. The business effectively stops until systems are restored or manual workarounds are improvised.
The freight industry has recent, documented proof of how bad it gets:
KNP Logistics Group (June 2025): A 158-year-old UK logistics company operating 500 trucks. The Akira ransomware group gained access by brute-forcing a single employee password. The account had no multi-factor authentication. Attackers destroyed backups and disaster recovery systems. The company could not recover. It collapsed entirely, and approximately 700 people lost their jobs. One password without MFA ended a company that had operated since 1865.
Expeditors International (February 2022): Forced to shut down most systems globally for approximately three weeks. Total impact: $47 million in incremental demurrage charges and $18 million for investigation and recovery. A company with $16.5 billion in annual revenue was reduced to manual operations for nearly a month.
Estes Express Lines (October 2023): LockBit ransomware group compromised systems. Email, phones, website, and dispatch capabilities went offline. Over 21,000 individuals had personal data stolen. Systems took approximately three weeks to fully restore.
AI-Enhanced Social Engineering and Deepfakes
AI-generated voice calls that impersonate brokers, dispatchers, or executives are an emerging threat that bypasses technical controls by targeting human trust instead of system access. Modern AI can create a realistic voice impersonation from just a few seconds of recorded audio.
One in four Americans received a deepfake voice call in the past twelve months. Over 10% of surveyed financial institutions suffered deepfake vishing attacks exceeding $1 million, with an average loss per case of approximately $600,000. In freight, the National Motor Freight Traffic Association (NMFTA) flagged deepfake voice calls impersonating executives, brokers, and dispatch staff as a rapidly emerging threat in their 2026 Transportation Cybersecurity Trends Report.
The freight-specific risk: a convincing voice call that sounds like a known broker contact instructing a shipper to release freight to a different carrier, or that sounds like a carrier's dispatcher confirming a pickup that was never authorized. For how voice-based attacks already operate in freight without AI enhancement, read our guide on voice phishing and fake dispatchers.
Why Splitting Cybersecurity From Freight Fraud Prevention Fails
Most brokerages assign cybersecurity to IT and freight fraud prevention to operations. IT manages passwords, firewalls, and email filters. Operations manages carrier vetting, callback verification, and load monitoring. These teams rarely share intelligence, rarely attend each other's meetings, and rarely see each other's threat data.
Diesel Vortex does not split its operations this way. The same group that manages phishing infrastructure also coordinates cargo theft. The same credentials that enable load board access also enable payment redirect fraud. The attack chain flows from IT vulnerability to operational exploitation without a seam.
When a phishing email compromises a dispatcher's load board credentials, that is simultaneously an IT event (credential breach) and an operations event (the attacker can now see and book loads). When the attacker uses those credentials to book a load under a stolen carrier identity and dispatch a truck to pick up $340,000 in electronics, that is a cargo theft event that IT will never see in their security logs because the login looked legitimate. When the same group sends a spoofed email to change banking details for a different carrier relationship, that is a payment fraud event that operations will never connect to the load board compromise because it targets a different carrier on a different lane.
The broker sees three separate incidents. The attacker ran one operation.
The fix is structural. Cybersecurity intelligence (unusual logins, phishing attempts, credential resets) needs to flow to the operations team that handles carrier vetting and load monitoring. And freight fraud intelligence (suspicious carrier behavior, anomalous bookings, identity mismatches) needs to flow to IT. A weekly 15-minute sync between the person managing your firewall and the person managing your carrier onboarding is more valuable than either team's individual defenses.
30 Days of Supply Chain Cyber Fraud Against One Brokerage: A Reconstructed Kill Chain
This timeline composites documented attack patterns from the Diesel Vortex campaign, Proofpoint research, and Cloudflare freight fraud analysis into a single scenario that shows how the five vectors connect.
The target: A 40-person brokerage in Indianapolis running 300 loads per month across Midwest lanes.
| Day | What Happens | Who Notices |
|---|---|---|
| Day 1 | Phishing emails sent to 14 employees, mimicking a DAT password verification page. | Nobody. The emails pass spam filters because the phishing domain is newly registered and not yet blacklisted. |
| Day 3 | Two dispatchers enter credentials on the fake login page. Attacker now has two active DAT logins. | Nobody. No MFA is enabled. No unusual-login alerts are configured. |
| Day 5 | Attacker logs into DAT using stolen credentials. Monitors 47 posted loads. Identifies three electronics shipments worth $280,000 combined. | Nobody. The login comes from a U.S.-based VPN exit point. |
| Day 7 | Attacker books one of the electronics loads using a stolen carrier identity (MC number of a legitimate Ohio carrier). | The broker's vetting process checks authority, insurance, and BASIC scores. Everything passes because the identity is real. |
| Day 8 | An unauthorized truck picks up $120,000 in consumer electronics from a warehouse in Columbus. The DOT number on the truck doesn't match the booked carrier. Nobody at the dock checks. | The shipper's dock staff loads the truck per the BOL. No DOT verification policy exists. |
| Day 11 | Separately, a spoofed email arrives at the broker's AP department from "accounting@midwestcarriers-inc.com" (the real domain is "midwestcarriersinc.com" with no hyphen). The email requests updated ACH details for a carrier the brokerage pays $18,000 per week. | The AP clerk processes the change. It looks like a routine bank update. No callback verification policy exists for payment changes. |
| Day 15 | The broker pays $18,000 to the fraudulent account for a legitimate load hauled by the real Midwest Carriers. | Nobody. The invoice is real. The amount is correct. The payment processes normally. |
| Day 22 | Attacker uses credentials from the same phishing campaign to attempt fuel card fraud against the brokerage's EFS account. | The EFS system flags the attempt based on geographic inconsistency. First detection of any breach. |
| Day 25 | EFS notifies the brokerage of the suspicious fuel card activity. IT investigates and discovers the phishing campaign from Day 1. | IT resets all compromised passwords. But they don't connect the fuel card fraud to the stolen load on Day 8 or the payment redirect on Day 11. |
| Day 30 | The real Midwest Carriers calls asking where their $18,000 payment is. The brokerage discovers the ACH redirect. Only now, after investigating both the stolen load and the payment fraud, does anyone realize these were the same attackers. | Total losses: $138,000 ($120,000 in cargo + $18,000 in redirected payment). Actual cost: $156,000 ($138,000 in losses + $18,000 re-payment to the real carrier). |
Three controls would have stopped this at three different points: MFA on the DAT account (Day 3), DOT verification at the dock (Day 8), and phone callback before processing the bank change (Day 11). None were in place. Not because the brokerage was negligent, but because each control belonged to a different team that didn't see the others' blind spots.
How to Defend Against Supply Chain Cyber Fraud in Freight
The defense that works against converged threats is itself converged: credential protection, system monitoring, payment verification, and incident response operating as a single program, not four separate initiatives owned by four separate people.
Credential Protection: Close the Entry Point
- Enable multi-factor authentication on every platform that touches load data: TMS, load boards (DAT, Truckstop), email, accounting systems, and fuel card portals. MFA is the single control that would have stopped Diesel Vortex. A stolen password without the second factor is useless.
- Run quarterly phishing simulations tailored to freight scenarios (fake DAT password resets, spoofed TMS alerts, fraudulent rate confirmations). The National Motor Freight Traffic Association provides free cybersecurity guidebooks for mid-size fleets.
- Remove dormant accounts and reset credentials for any user who hasn't logged in for 90 days. Every unused account with active credentials is an unlocked door.
System Monitoring: Catch What Gets Through
- Configure login alerts for unusual locations, new devices, and off-hours access on your TMS and load boards. A dispatcher in Indianapolis who logs in from a VPN exit point in Eastern Europe is a compromised account.
- Monitor for unauthorized RMM tool installations (SimpleHelp, ScreenConnect, LogMeIn Resolve, Fleetdeck). Proofpoint documented threat actors deploying these tools on carrier and broker systems after initial compromise.
- Audit load board and TMS activity weekly. Flag loads booked outside normal business hours, loads booked by users who don't typically book loads, and sudden changes in lane or commodity patterns. Use CarrierBrief's authority checker, which displays grant dates and operating history, to verify any carrier booked through unusual channels.
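As an added example (not code from the article or from any platform or vendor it names), the monitoring rules above applied in Python to a constructed load-board audit export: off-hours activity, logins from a country or device the user has never used, bookings by users who do not normally book, and bookings on lanes outside the user's history. The field names, business-hours window and baseline cutoff are assumptions.

```python
"""Flag load-board / TMS activity that breaks a user's own baseline."""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = (6, 20)              # assumed normal local hours: 06:00 to 19:59
BASELINE_END = "2026-01-08T00:00:00"  # activity before this cutoff builds each user's profile

# Constructed sample audit export; field names are assumptions, not a real platform's schema.
ACTIVITY = [
    {"ts": "2026-01-05T09:12:00", "user": "dispatch1", "event": "login", "country": "US", "device": "win-office-07"},
    {"ts": "2026-01-05T09:40:00", "user": "dispatch1", "event": "book", "country": "US", "device": "win-office-07", "load": "L-1001", "lane": "IN-OH"},
    {"ts": "2026-01-06T10:02:00", "user": "dispatch1", "event": "login", "country": "US", "device": "win-office-07"},
    {"ts": "2026-01-06T10:15:00", "user": "dispatch1", "event": "book", "country": "US", "device": "win-office-07", "load": "L-1002", "lane": "IN-IL"},
    {"ts": "2026-01-06T11:30:00", "user": "ap_clerk", "event": "login", "country": "US", "device": "win-office-12"},
    # Stolen credential used at night from a new device and country, then a booking on a new lane
    {"ts": "2026-01-09T02:45:00", "user": "dispatch1", "event": "login", "country": "RO", "device": "linux-unknown"},
    {"ts": "2026-01-09T03:05:00", "user": "dispatch1", "event": "book", "country": "RO", "device": "linux-unknown", "load": "L-1017", "lane": "OH-TX"},
    # A user who has never booked a load suddenly books one
    {"ts": "2026-01-09T14:00:00", "user": "ap_clerk", "event": "book", "country": "US", "device": "win-office-12", "load": "L-1018", "lane": "IN-OH"},
]


def build_profiles(records, baseline_end=BASELINE_END):
    """Per-user baseline: countries, devices and lanes seen, and bookings made, before the cutoff."""
    profiles = defaultdict(lambda: {"countries": set(), "devices": set(), "lanes": set(), "bookings": 0})
    for r in records:
        if r["ts"] >= baseline_end:
            continue
        p = profiles[r["user"]]
        p["countries"].add(r["country"])
        p["devices"].add(r["device"])
        if r["event"] == "book":
            p["bookings"] += 1
            p["lanes"].add(r["lane"])
    return profiles


def flag_activity(records, baseline_end=BASELINE_END, hours=BUSINESS_HOURS):
    """Return findings for post-baseline records that deviate from the user's profile."""
    profiles = build_profiles(records, baseline_end)
    findings = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["ts"] < baseline_end:
            continue
        p = profiles[r["user"]]  # a never-seen user gets an empty profile, so everything is new
        reasons = []
        hour = datetime.fromisoformat(r["ts"]).hour
        if not hours[0] <= hour < hours[1]:
            reasons.append("off-hours")
        if r["country"] not in p["countries"]:
            reasons.append("new country " + r["country"])
        if r["device"] not in p["devices"]:
            reasons.append("new device " + r["device"])
        if r["event"] == "book":
            if p["bookings"] == 0:
                reasons.append("user does not normally book loads")
            elif r["lane"] not in p["lanes"]:
                reasons.append("new lane " + r["lane"])
        if reasons:
            findings.append({"ts": r["ts"], "user": r["user"], "event": r["event"],
                             "load": r.get("load"), "reasons": reasons})
    return findings


def loads_to_verify(findings):
    """Loads booked under anomalous conditions: confirm which carrier actually picked them up."""
    return {f["load"] for f in findings if f["event"] == "book"}


if __name__ == "__main__":
    found = flag_activity(ACTIVITY)
    for f in found:
        print(f["ts"], f["user"], f["event"], f["load"] or "", "|", "; ".join(f["reasons"]))
    print("loads to verify:", sorted(loads_to_verify(found)))
```

Running it weekly over the platform's export turns the bullet above into a short list of loads to re-verify rather than a full review of every booking.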
Payment Verification: Block the Financial Extraction
- Establish a policy that no banking information change is processed based on email alone. Every bank detail change requires a phone call to the carrier at their FMCSA-registered number, not a number provided in the same email. Use CarrierBrief's MC/DOT lookup, which shows the FMCSA-registered phone number, to verify the correct callback number.
- Implement a 7-day hold on new banking information before sending payment to the updated account.
- Train AP staff to recognize lookalike email domains: "rn" swapped for "m," "1" for "l," added hyphens, or missing characters. Show real examples quarterly.
For the full payment verification protocol covering ACH redirects, NOA interception, and double-identity billing, see our payment fraud protection guide.
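An added example, not the article's or any vendor's code, of the three AP controls listed above in one screening step: the sender domain of a bank-change request is compared against the carrier's domain on file (catching the hyphenated "midwestcarriers-inc.com" from the kill chain, "rn" for "m", "1" for "l", and dropped characters), the callback number is taken from the carrier record rather than the email, and the 7-day hold date is computed. The carrier record, MC number, phone numbers and request are constructed placeholders.

```python
"""Screen a carrier banking-change request before AP touches the bank details."""
from datetime import date, timedelta

HOLD_DAYS = 7  # hold on new banking details before the first payment, per the policy above

# Character sequences that look alike in common fonts, normalised before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Constructed sample carrier master record; MC number and phone are placeholders.
CARRIER_ON_FILE = {
    "mc": "MC-PLACEHOLDER",
    "name": "Midwest Carriers Inc",
    "email_domain": "midwestcarriersinc.com",
    "fmcsa_phone": "555-0100",   # from the FMCSA registration, never from an inbound email
}

# Constructed sample request mirroring the Day 11 email in the kill chain above.
SAMPLE_REQUEST = {
    "sender": "accounting@midwestcarriers-inc.com",
    "phone_in_email": "555-0199",  # the number the email asks you to call; deliberately ignored
}


def domain_of(address: str) -> str:
    """Domain part of an email address (or the string itself if it is already a domain)."""
    return address.lower().strip().rsplit("@", 1)[-1]


def canonical(domain: str) -> str:
    """Strip punctuation and collapse confusable sequences so lookalikes compare equal."""
    d = domain.replace("-", "").replace(".", "")
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion/deletion covers the 'missing character' trick."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(sender: str, registered: str) -> str:
    """'match' (exact), 'lookalike' (confusable or one edit away), or 'unrelated'."""
    s, r = domain_of(sender), domain_of(registered)
    if s == r:
        return "match"
    cs, cr = canonical(s), canonical(r)
    if cs == cr or levenshtein(cs, cr) <= 1:
        return "lookalike"
    return "unrelated"


def evaluate_bank_change(request: dict, carrier: dict, today: str) -> dict:
    """Apply the policy: no change on email alone, callback to the number on file, 7-day hold."""
    verdict = classify_domain(request["sender"], carrier["email_domain"])
    result = {"domain_verdict": verdict, "callback_number": carrier["fmcsa_phone"]}
    if verdict == "lookalike":
        result["action"] = "reject: suspected BEC, escalate to IT and operations"
    elif verdict == "unrelated":
        result["action"] = "do not process: sender not on file, confirm by callback first"
    else:
        release = date.fromisoformat(today) + timedelta(days=HOLD_DAYS)
        result["action"] = "hold: confirm by callback, pay new account no earlier than release date"
        result["earliest_payment"] = release.isoformat()
    return result


if __name__ == "__main__":
    print(evaluate_bank_change(SAMPLE_REQUEST, CARRIER_ON_FILE, "2026-01-15"))
```

Even a "match" verdict only unlocks the callback-and-hold path, because a compromised real mailbox passes every domain check.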
Incident Response: Limit the Damage When Something Gets Through
- Create a documented response plan that specifies who isolates systems, who notifies customers, who contacts law enforcement, and who coordinates recovery. Do this before an incident, not during one.
- Run a freight-specific exposure audit the moment you confirm a breach. Pull every load booked through the compromised account during the window between estimated initial access and detection. Verify each one: confirm the carrier that picked up matches the carrier on the rate confirmation, confirm delivery occurred at the correct consignee, and check whether any banking details were changed for carriers associated with those loads. Notify every shipper and carrier touched by loads in that window, even if nothing looks wrong, because some attacks take weeks to monetize and your call may be the first warning they get. This step is separate from IT's systems recovery and belongs to operations. If your IT team resets passwords but nobody audits the loads that moved while the account was compromised, you've secured the door after the freight already left the building.
- Maintain manual workarounds for dispatch, billing, and carrier communication. Paper-based dispatch and phone-based load tracking kept several ransomware victims operational during multi-week recovery periods.
- Test the response plan through tabletop exercises at least annually. A plan that exists in a binder but has never been practiced will fail under pressure.
- Carry cyber insurance and review the policy for social engineering exclusions, funds transfer sublimits, and verification requirement conditions. Less than 48% of transportation businesses currently have cyber insurance coverage.
FAQ
What is supply chain cyber fraud in freight?
Supply chain cyber fraud is the use of digital attacks (phishing, account takeover, email spoofing, ransomware, or AI-generated social engineering) to steal cargo, redirect payments, or extort freight companies. In 2026, these attacks are increasingly run by organized criminal groups that combine cyber capabilities with traditional freight fraud operations like double brokering and cargo theft. The digital attack is the entry point; the physical theft or payment redirect is the monetization.
How do hackers target freight brokerages?
The most common entry point is credential phishing: fake login pages for load boards (DAT, Truckstop) or TMS platforms that capture usernames and passwords. Once inside, attackers monitor posted loads to identify high-value shipments, book loads under stolen carrier identities, redirect payments by spoofing carrier emails, or deploy ransomware that shuts down the entire operation. The Diesel Vortex campaign harvested 3,474 credential pairs from freight platforms using 52 phishing domains targeting over 57,000 email addresses.
Can MFA stop supply chain cyber fraud?
MFA stops the most common entry point. Multi-factor authentication requires a second verification step (typically a code from a phone app) in addition to a password. Since most freight cyber attacks begin with stolen credentials from phishing, MFA blocks the attacker at the first step by making a stolen password insufficient for login. KNP Logistics, a 158-year-old UK freight company, collapsed after ransomware attackers brute-forced a single password on an account without MFA. That one setting would have saved the company.
What is the Diesel Vortex freight cyber attack?
Diesel Vortex is a cybercrime group identified by security researchers as Armenian-speaking with connections to Russian infrastructure. Between September 2025 and February 2026, they ran a coordinated operation targeting freight platforms including DAT, Truckstop, TIMOCOM, Penske Logistics, and Girteka. The group harvested 3,474 stolen credentials using 52 phishing domains, attempted 35 check fraud incidents against fuel card systems, and was assessed to be coordinating with organized crime for physical cargo theft. The operation was disrupted through coordinated action by GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft.
How much does supply chain cyber fraud cost the freight industry?
Direct dollar figures across all digital attack types exceed billions annually. FBI IC3 reported $2.77 billion in BEC losses in 2024 across all industries, with transportation among the most targeted sectors. CargoNet recorded $725 million in cargo theft losses in 2025, with an increasing share involving cyber-enabled methods. Highway blocked nearly 2 million fraudulent emails targeting freight companies in 2025, up 117% year over year. Cyberattacks on logistics rose 61% in 2025 and are projected to double in 2026.
Why doesn't carrier vetting protect against cyber freight fraud?
Carrier vetting protects against identity-based fraud (stolen MC numbers, fictitious carriers) but not against attacks that target the broker's own systems. When an attacker compromises a broker's load board account or TMS, they operate inside the broker's trusted infrastructure. Loads booked through a compromised account look legitimate because they originate from a verified system. Payment redirects processed through a spoofed email bypass carrier vetting entirely because the attack targets the payment chain, not the carrier relationship. Cyber defense and carrier vetting must work together as parallel controls.
How do I know if my freight company has been targeted by a cyber attack?
Watch for these indicators: unexpected password reset emails for load boards or TMS platforms, login notifications from unfamiliar locations or devices, carriers or shippers referencing loads or communications you don't recognize, unexplained changes to carrier banking details in your system, and fuel card charges in locations where you don't operate. Any one of these warrants immediate investigation. If your IT team discovers a phishing breach, assume the attackers also targeted your load data and payment systems until proven otherwise.
What should freight companies do first to protect against cyber fraud?
Enable multi-factor authentication on every system that touches load or payment data. This single step blocks the most common entry point for every digital attack type targeting freight. After MFA, the highest-impact actions are: establish a no-email-only policy for banking changes (require phone callback to FMCSA-registered numbers), run quarterly phishing simulations for dispatch and AP staff, and create a cross-functional sync between IT security and freight operations so that a credential breach triggers a load audit and a suspicious booking triggers an IT investigation.
The Bottom Line
Diesel Vortex ran 52 phishing domains, harvested 3,474 credentials, attempted fuel card fraud, and coordinated physical cargo theft out of the same operation with the same staff. Five attack vectors, one organization. The freight industry can't afford to keep treating cybersecurity as IT's responsibility and freight fraud as operations' responsibility when the people attacking both sit in the same room. Enable MFA on every system your team touches this week. It takes five minutes per account and it is the one control that would have stopped the most documented digital attack on freight platforms in the last twelve months.