May 23, 2026

Cyber-Enabled Cargo Theft Hit $725M in 2025 as FBI Warns Transportation Sector


The FBI has issued a public service announcement warning the U.S. transportation and logistics industry that cybercriminals are increasingly using phishing, business email compromise (BEC), and remote access tools to facilitate physical cargo theft — with losses across the U.S. and Canada reaching nearly $725 million in 2025, a 60% year-over-year increase.

// 01 Cyber-Enabled Cargo Theft: What We Know So Far

The FBI’s warning documents a sharp convergence of cyber intrusion and physical freight theft. Losses in 2025 surged to approximately $725 million while confirmed cargo theft incidents rose 18% compared to 2024. The average value stolen per incident climbed 36% to $273,990, indicating threat actors are increasingly targeting high-value loads rather than making opportunistic grabs.

The bureau named a specific threat group, Diesel Vortex, which has operated phishing campaigns using 52 domains since at least September 2025. The group’s modus operandi involves impersonating freight brokers and carriers through spoofed email domains and fake websites to intercept legitimate shipments, then rerouting loads to complicit drivers.

The National Motor Freight Traffic Association (NMFTA) has separately warned that the digital-to-physical theft pipeline is now “unmistakable,” with cyber intrusion routinely preceding or directly enabling the physical theft of freight. NMFTA researchers documented the use of AI-generated phishing emails, deepfake voice calls impersonating dispatchers, and GPS signal spoofing or jamming to mask vehicle location during active thefts.

The full attack chain observed across reported incidents follows a recognizable pattern:

  • Initial access: Spear-phishing emails targeting freight brokers and carriers deliver remote monitoring and management (RMM) tools via fake web portals, establishing persistent access to dispatch systems.
  • Reconnaissance: Threat actors harvest shipping lane data, driver records, billing templates, and load board credentials — often supplemented with data purchased from dark web markets.
  • Execution: Fraudulent freight listings are posted to load boards at scale. Attackers accept real shipments under stolen carrier identities, then reroute loads.
  • Cover: Carrier registration records with the Federal Motor Carrier Safety Administration (FMCSA) are altered post-theft and insurance records modified to slow investigation and attribution.

// 02 Why Cyber-Enabled Cargo Theft Matters

The $725 million figure from Verisk CargoNet represents only confirmed losses in North America — the American Trucking Associations estimates that total annual cargo theft costs the U.S. economy up to $35 billion when undetected and unreported incidents are factored in.

What makes this threat significant for security practitioners is the maturity of the attack infrastructure. This is not smash-and-grab theft adapted for the internet. Diesel Vortex alone operated 52 phishing domains over seven months. The use of AI-generated emails and deepfake voice impersonation of known dispatchers indicates investment in social engineering capabilities that defeat traditional training-based defenses.

For SOC and incident response teams, the injection of RMM software into carrier dispatch environments means these attacks can leave persistent footholds on corporate networks that outlast the physical theft itself. Organizations in adjacent sectors — cargo insurance, warehousing, and logistics software platforms — are equally exposed through supplier relationships with targeted carriers.

The FBI’s decision to name Diesel Vortex publicly is notable; the bureau rarely names domestic cybercrime groups in PSAs. It signals enough intelligence confidence in the group’s infrastructure and attribution to make public identification worthwhile, and likely indicates ongoing or planned enforcement action.

// 03 Cyber-Enabled Cargo Theft: What You Should Do Now

The FBI recommends the following immediate actions for transportation and logistics organizations:

  • Verify all shipment requests through a secondary channel — call the broker or carrier using a known, independently verified phone number before executing any freight pickup. Do not use contact information provided in the original request.
  • Enforce multi-factor authentication across load board accounts, dispatch platforms, and email systems. MFA eliminates credential-stuffing attacks that feed freight fraud campaigns.
  • Audit third-party carrier credentials before engagement — cross-reference FMCSA registration data at safer.fmcsa.dot.gov and validate DOT numbers before tendering loads.
  • Hunt for unauthorized RMM software on dispatch and logistics workstations. Threat actors install legitimate tools (AnyDesk, ScreenConnect, TeamViewer) that may not trigger AV or EDR signatures without custom detection rules.
  • Report incidents immediately to IC3.gov — the FBI specifically requested incident reporting to build attribution data on active threat groups including Diesel Vortex.
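The RMM hunt recommended above is easiest to run as a query over whatever installed-software inventory your EDR or asset tool exports, rather than by eyeballing each workstation. The script below is an added example, not code from the FBI PSA or from Ciphers Security: it reads a constructed CSV export (column names, hostnames and the approved-software list are all assumptions for the example), flags every remote access tool that is not on the approved list for that host, and marks installs inside the 90-day lookback used in the checklist later on this page so those are triaged first. The keyword list holds the three tools named in the guidance plus a few other common RMM products; extend it with what you actually see in your environment.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real telemetry) in the shape of a per-host
# installed-software inventory from an EDR or asset tool. Column names are assumed.
SAMPLE_INVENTORY_CSV = """hostname,product,publisher,install_date
DISPATCH-01,AnyDesk,AnyDesk Software GmbH,2026-04-30
DISPATCH-01,Microsoft 365 Apps,Microsoft Corporation,2025-01-10
DISPATCH-02,ScreenConnect Client (7f2a9c),ScreenConnect Software,2026-05-19
OPS-07,TeamViewer,TeamViewer Germany GmbH,2025-11-02
OPS-07,RustDesk,RustDesk,2025-11-02
OPS-07,7-Zip,Igor Pavlov,2025-11-02
BILLING-03,Splashtop Streamer,Splashtop Inc.,2026-05-20
"""

# Constructed "as of" date for the example (the article's publication date).
REFERENCE_DATE = date(2026, 5, 23)

# Lower-case product-name fragments of remote access / RMM tools: the three named
# in the FBI guidance plus a few other widely deployed ones. Extend as needed.
RMM_KEYWORDS = ("anydesk", "screenconnect", "connectwise", "teamviewer",
                "splashtop", "rustdesk", "atera", "n-able", "syncro")

# Approved software list as (product fragment, hostname) pairs; "*" means any host.
# Constructed for the example: only the help desk's TeamViewer on OPS-07 is sanctioned.
APPROVED = {("teamviewer", "OPS-07")}


def is_rmm(product: str) -> bool:
    """True if the product name matches a known remote access / RMM tool."""
    name = product.lower()
    return any(k in name for k in RMM_KEYWORDS)


def is_approved(product: str, hostname: str) -> bool:
    """True if this product is sanctioned on this host (or on every host)."""
    name = product.lower()
    return any(frag in name and host in ("*", hostname) for frag, host in APPROVED)


def find_unapproved_rmm(inventory_csv: str, today: date, window_days: int = 90) -> list[dict]:
    """Return unapproved RMM installs, newest first. 'recent' marks installs inside
    the lookback window (default 90 days) so they can be triaged before older ones."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_rmm(row["product"]) or is_approved(row["product"], row["hostname"]):
            continue
        installed = date.fromisoformat(row["install_date"])
        findings.append({
            "hostname": row["hostname"],
            "product": row["product"],
            "publisher": row["publisher"],
            "install_date": row["install_date"],
            "recent": today - installed <= timedelta(days=window_days),
        })
    # ISO dates sort correctly as strings; newest install first.
    findings.sort(key=lambda f: f["install_date"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_unapproved_rmm(SAMPLE_INVENTORY_CSV, REFERENCE_DATE):
        flag = "RECENT " if f["recent"] else "       "
        print(f"{flag}{f['hostname']:12} {f['product']:32} installed {f['install_date']}")
```

On the sample data this reports Splashtop on BILLING-03, ScreenConnect on DISPATCH-02 and AnyDesk on DISPATCH-01 as recent unapproved installs, lists the older RustDesk on OPS-07 without the recent flag, and stays silent about the sanctioned TeamViewer. A product-name match is only a starting point: portable builds that never register as installed software will not appear in this kind of export, so pair the inventory query with process and network telemetry for the same tool names.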

// 04 Detection and Verification Checklist

To assess current exposure:

  • Email authentication: Confirm SPF, DKIM, and DMARC are enforced on all domains used in logistics communications; Diesel Vortex relies on lookalike domains that fail these checks.
  • RMM audit: Query your EDR for remote access tools installed in the past 90 days on dispatch and operations workstations; cross-reference against your approved software list.
  • FMCSA record check: If your company registers carriers, audit recent modifications to your FMCSA entries at safer.fmcsa.dot.gov to confirm no unauthorized changes to addresses, contacts, or insurance records.
  • Load board access review: Review account activity logs for logins from unfamiliar IPs or geographic locations; reset credentials for any shared or generic accounts.
  • Staff awareness: No CVE covers this threat class. Distribute the FBI PSA and NMFTA guidance to operations and dispatch staff — the human layer is the primary attack surface.
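The email-authentication item in the checklist combines two separate checks that are worth keeping apart: whether the sending domain authenticated (SPF, DKIM and DMARC results in the Authentication-Results header your gateway stamps on inbound mail), and whether the sending domain is a lookalike of a partner you actually deal with. A freshly registered lookalike can pass all three checks for itself, so a mail that authenticates cleanly still needs the name check. The script below is an added example, not code from the page's sources: it runs both checks over four constructed messages (the partner domain list, the mail server name and the messages themselves are assumptions for the example), normalises common character swaps such as the digit one for a lower-case L before comparing, and uses a small edit-distance threshold to catch transposed letters.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed list of domains the company actually exchanges freight paperwork with.
# In practice pull this from your TMS or broker/carrier onboarding records.
KNOWN_PARTNER_DOMAINS = {"examplefreight.com", "acmebrokerage.com"}

# Character swaps that make a lookalike read like the real domain in a mail client.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Pulls "spf=pass", "dkim=fail", "dmarc=none" style results out of the header.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Four constructed messages: a genuine partner mail, a lookalike domain that
# authenticates for itself, a spoof of the real partner domain that fails
# authentication, and an unrelated newsletter.
SAMPLE_MESSAGES = [
    "From: Dispatch <dispatch@examplefreight.com>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplefreight.com;"
    " dkim=pass header.d=examplefreight.com; dmarc=pass header.from=examplefreight.com\n"
    "Subject: Load 44812 pickup confirmation\n\nConfirming Tuesday pickup.\n",
    "From: Dispatch <dispatch@examp1efreight.com>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examp1efreight.com;"
    " dkim=pass header.d=examp1efreight.com; dmarc=pass header.from=examp1efreight.com\n"
    "Subject: Updated delivery address for load 44812\n\nPlease reroute to the new warehouse.\n",
    "From: Accounts <ar@examplefreight.com>\n"
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=examplefreight.com;"
    " dkim=none; dmarc=fail header.from=examplefreight.com\n"
    "Subject: Overdue invoice\n\nPlease wire today.\n",
    "From: Weekly <news@logisticsweekly.example>\n"
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass header.d=logisticsweekly.example;"
    " dmarc=pass\n"
    "Subject: Newsletter\n\nThis week in freight.\n",
]


def normalize(domain: str) -> str:
    """Lower-case the domain and undo the usual confusable substitutions."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known=KNOWN_PARTNER_DOMAINS, max_distance: int = 2):
    """Return the partner domain this one imitates, or None if it is a partner or unrelated."""
    if domain in known:
        return None
    n = normalize(domain)
    for k in known:
        if n == normalize(k) or edit_distance(n, normalize(k)) <= max_distance:
            return k
    return None


def triage_message(raw: str, known=KNOWN_PARTNER_DOMAINS) -> dict:
    """Classify one RFC 5322 message by sender-domain lookalike and authentication results."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    auth_header = str(msg.get("Authentication-Results", ""))
    results = {k.lower(): v.lower() for k, v in AUTH_RESULT_RE.findall(auth_header)}
    failed = [k for k in ("spf", "dkim", "dmarc") if results.get(k) != "pass"]
    target = lookalike_of(domain, known)
    if target:
        verdict = "lookalike"      # imitates a partner; its own auth results do not matter
    elif failed:
        verdict = "auth_failure"   # domain is exact but was not authenticated by its owner
    else:
        verdict = "ok"
    return {"from_domain": domain, "lookalike_of": target, "auth_failed": failed, "verdict": verdict}


def triage_all(messages, known=KNOWN_PARTNER_DOMAINS) -> list:
    return [triage_message(m, known) for m in messages]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_MESSAGES):
        print(f"{r['verdict']:13} {r['from_domain']:28} lookalike_of={r['lookalike_of']} failed={r['auth_failed']}")
```

The lookalike message is flagged even though every authentication check passed, and the spoof of the real partner domain is flagged purely on the failed results. Both verdicts are reasons to pick up the phone to a known number, which is the secondary-channel verification the FBI asks for; the script does not try to decide on its own that a rerouted delivery is legitimate.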

Sources: BleepingComputer, SecurityWeek / NMFTA, Verisk CargoNet via Claims Journal


Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.