Full Report
The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025. [...]
Analysis Summary
# Incident Report: Surge in Cyber-Enabled Strategic Cargo Theft
## Executive Summary
Since 2024, cybercriminal groups have increasingly targeted the transportation and logistics sector using sophisticated phishing and impersonation tactics to hijack high-value freight. These "cyber-enabled" thefts resulted in approximately $725 million in losses across the U.S. and Canada in 2025, a 60% increase from the previous year. The attacks involve compromising freight brokers to divert shipments, frequently resulting in stolen loads or ransom demands.
## Incident Details
- **Discovery Date:** September 2025 (Initial phishing campaign detection)
- **Incident Date:** Ongoing (Significant surge noted throughout 2025)
- **Affected Organization:** Multiple freight brokers, carriers, and logistics operators
- **Sector:** Transportation and Logistics
- **Geography:** United States, Canada, and Europe
## Timeline of Events
### Initial Access
- **Date/Time:** September 2025 – Present
- **Vector:** Phishing and Business Email Compromise (BEC)
- **Details:** Threat actors (such as "Diesel Vortex") used typosquatting domains and spoofed emails containing malicious links to lure employees to credential-harvesting phishing sites.
### Lateral Movement
- **Persistence/Movement:** Attackers installed remote monitoring software on compromised workstations. They used stolen credentials to gain undetected access to internal logistics management systems and online load boards.
### Data Exfiltration/Impact
- **Modification:** Attackers altered carrier registration details with the Federal Motor Carrier Safety Administration (FMCSA) and updated insurance records to maintain the guise of legitimacy.
- **Fraud:** Actors posted tens of thousands of fraudulent freight listings to digital marketplaces.
### Detection & Response
- **Detection:** Discovered via typosquatting monitoring platforms and reported spikes in missing shipments by brokers.
- **Response:** FBI Public Service Announcement (PSA) issued April 30, 2026; investigations by the IC3 and Law Enforcement.
## Attack Methodology
- **Initial Access:** Phishing emails and spoofed web links.
- **Persistence:** Installation of remote monitoring and management (RMM) software.
- **Privilege Escalation:** Not specified, but likely via credential theft from administrative personnel.
- **Defense Evasion:** Typosquatting (52+ domains attributed to the "Diesel Vortex" activity), use of legitimate software (RMM), and alteration of official FMCSA registration records.
- **Credential Access:** Credential harvesting via fake login portals.
- **Discovery:** Identifying high-value loads on online load boards.
- **Lateral Movement:** Accessing internal logistics databases from compromised endpoints.
- **Collection:** Gathering shipment details and insurance documentation.
- **Exfiltration:** Stealing load data to facilitate physical theft.
- **Impact:** Strategic cargo theft, financial loss ($273,990 avg. per theft), and extortion (ransom demanded in exchange for the location of the diverted cargo).
## Impact Assessment
- **Financial:** Estimated $725 million in total losses (2025); 36% increase in value per theft.
- **Data Breach:** Compromise of carrier identities, insurance records, and employee credentials.
- **Operational:** Massive disruption to supply chains; fraudulent load board listings flooding the market.
- **Reputational:** Erosion of trust in digital freight marketplaces and online load boards.
## Indicators of Compromise
- **Network indicators:** 52 typosquatted domains (variations of legitimate logistics firms' names; specific domains are not provided in the text, but they are indicated as related to "Diesel Vortex").
- **Behavioral indicators:**
  - Unexpected changes to FMCSA registration or insurance data.
  - Massive influx of freight listings from a single carrier identity.
  - Requests to reroute shipments to non-standard locations via driver communication.
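The two registry-and-load-board behavioral indicators above can be turned into a simple detection. The following is an added example, not code from the report or from any vendor; the carrier identifiers, timestamps and registry-change records are constructed placeholders, and the window and threshold values are assumptions a broker would tune to its own posting volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (placeholders, not from the report): load-board
# postings keyed by carrier identity, plus registry-change records of the
# kind a broker might pull from FMCSA or insurer notifications.
POSTINGS = [
    ("MC-000111", "2025-09-10T08:00"), ("MC-000111", "2025-09-10T08:05"),
    ("MC-000111", "2025-09-10T08:07"), ("MC-000111", "2025-09-10T08:09"),
    ("MC-000111", "2025-09-10T08:12"), ("MC-000111", "2025-09-10T08:14"),
    ("MC-000222", "2025-09-10T09:00"), ("MC-000222", "2025-09-11T09:30"),
]
REGISTRY_CHANGES = [  # (carrier, field changed, when)
    ("MC-000111", "contact_email", "2025-09-08T15:40"),
    ("MC-000333", "insurer", "2025-08-01T10:00"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def posting_spikes(postings, window=timedelta(hours=1), threshold=5):
    """Map carrier -> (peak count, window start) for carriers that post at
    least `threshold` loads inside any sliding `window`."""
    by_carrier = defaultdict(list)
    for carrier, ts in postings:
        by_carrier[carrier].append(parse(ts))
    flagged = {}
    for carrier, times in by_carrier.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(carrier, (0,))[0]:
                flagged[carrier] = (count, times[start])
    return flagged

def changed_then_spiked(changes, spikes, lookback=timedelta(days=7)):
    """Carriers whose registry record was altered shortly before a posting
    spike: the identity-takeover pattern the report describes."""
    hits = []
    for carrier, field, ts in changes:
        if carrier in spikes:
            gap = spikes[carrier][1] - parse(ts)
            if timedelta(0) <= gap <= lookback:
                hits.append((carrier, field))
    return hits
```

A single carrier posting six loads in fourteen minutes, two days after its contact e-mail was changed in the registry, is exactly the combination a broker should route to a human before accepting any of those loads.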
## Response Actions
- **Containment:** Removal of fraudulent listings from online marketplaces.
- **Eradication:** Monitoring for and taking down typosquatted domains (e.g., Have I Been Squatted findings).
- **Recovery:** Reverting FMCSA registry changes and securing compromised accounts via MFA.
## Lessons Learned
- **Secondary Verification:** Relying solely on digital load boards without out-of-band verification is a high-risk practice.
- **Credential Protection:** Lack of Multi-Factor Authentication (MFA) remains the primary driver for account takeovers in this sector.
- **Registry Monitoring:** Logistics firms must actively monitor government and insurance registries for unauthorized changes.
## Recommendations
- **Authentication:** Implement and enforce Phishing-Resistant MFA for all broker and carrier accounts.
- **Verification:** Establish a mandatory "two-call" or secondary channel verification process for all shipment rerouting requests.
- **Monitoring:** Utilize typosquatting monitoring services to proactively identify phishing infrastructure before it is used.
- **Documentation:** Maintain rigorous records of vehicle IDs and driver credentials to verify identity upon pickup.
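The Verification and Monitoring recommendations above can be combined at the mail gateway: a rerouting request is only as trustworthy as the domain it comes from, and a lookalike of a known partner domain is the signal the report's typosquatting finding points at. The example below is added here and is not code from the report or any monitoring service; the trusted domains, the inbound messages and the subject-line keywords are constructed placeholders, and the edit-distance threshold is an assumption.

```python
import re

# Constructed placeholders (not from the report): domains of brokers/carriers
# this organisation actually does business with.
TRUSTED_DOMAINS = {"examplefreight.com", "acme-logistics.com"}

# Constructed inbound messages for the demonstration.
MESSAGES = [
    {"id": 1, "from": "dispatch@examplefreight.com",
     "subject": "Load 4471 confirmed for Tuesday"},
    {"id": 2, "from": "dispatch@examp1efreight.com",      # 'l' -> '1'
     "subject": "Reroute load 4471 - new delivery address"},
    {"id": 3, "from": "ops@examplefreight.co",            # TLD swap
     "subject": "Urgent: change pickup location for load 4471"},
    {"id": 4, "from": "billing@unrelated.example",
     "subject": "Reroute request"},
]

def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    return domain.rsplit(".", 1)[0]  # assumes single-level TLDs

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain `domain` resembles, or None if it is either
    genuinely trusted or not close to any trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if registrable_label(domain) == registrable_label(t) or edit_distance(domain, t) <= max_dist:
            return t
    return None

REROUTE = re.compile(r"reroute|re-route|new delivery address|change .*pickup", re.I)

def triage(messages):
    """(id, sender domain, impersonated domain) for reroute requests from lookalikes."""
    hits = []
    for msg in messages:
        m = re.search(r"@([A-Za-z0-9.-]+)", msg["from"])
        domain = m.group(1).lower() if m else ""
        impersonated = lookalike_of(domain)
        if impersonated and REROUTE.search(msg["subject"]):
            hits.append((msg["id"], domain, impersonated))
    return hits
```

Flagged messages should be held for the out-of-band "two-call" check rather than silently dropped, since the same rule will occasionally catch a partner's genuinely new domain.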