Hackers Steal Real-World Cargo from Trucking & Target Freight

Marcus Rodriguez
April 17, 2026

Cybercriminals are targeting trucking carriers and freight brokers with a new wave of attacks. Their objective extends beyond data theft; they are digitally infiltrating logistics companies to steal physical cargo shipments worth millions of dollars.

Cargo theft is not a new crime, but the way it is carried out has changed dramatically. According to the National Insurance Crime Bureau (NICB), cargo theft losses reach billions of dollars annually, and those numbers have continued climbing.

In 2025, losses from cargo theft in North America rose to $6.6 billion, driven largely by digital attacks, according to fleet management data.

Criminals once stole freight using brute force. Today, they use laptops, phishing emails, and remote access software to redirect shipments without ever leaving their location.

The stolen cargo, which ranges from energy drinks and food products to electronics, is quickly sold online or shipped overseas before companies even realize what happened.

The threat campaign reflects a major shift in how organized crime groups operate in the digital age.

As supply chains moved online, criminals followed. The digitization of domestic and international supply chains created new vulnerabilities, giving organized theft groups the tools to exploit gaps using sophisticated cyber capabilities.

Threat actors now compromise trucking carriers and freight brokers and then use that access to fraudulently bid on cargo shipments, arrange transport through legitimate channels, and ultimately divert the goods to their own networks.

Proofpoint analysts and researchers identified this threat cluster and noted with high confidence that the actors are working alongside organized crime groups to carry out these sophisticated attacks.

The campaign has been active since at least June 2025, though evidence points to activity beginning as early as January 2025.

Since August 2025, Proofpoint observed nearly two dozen campaigns, with volumes ranging from fewer than 10 to over 1,000 messages per campaign.

Researchers also noted that the threat actors do not appear to target specific companies and go after targets ranging from small, family-owned businesses to large transport firms.

The attackers use three main methods to gain entry. First, they post fraudulent freight listings on compromised load board accounts to lure carriers into responding.

Second, they hijack existing email threads using compromised accounts and insert malicious URLs into ongoing conversations.

Third, they launch direct email campaigns against larger entities, including asset-based carriers, freight brokerages, and integrated supply chain providers.

In each case, emails contain malicious links that lead to executable files (.exe or .msi files), which, once clicked, silently install a remote monitoring and management (RMM) tool that hands over full control of the victim’s machine.

How Attackers Turn a Remote Login Into a Cargo Heist

Once a victim installs the RMM tool, the attacker begins a methodical process that eventually moves from the digital world into the physical one.

The threat cluster has been observed deploying tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve.

These are legitimate IT tools used by businesses for remote support, which is exactly what makes them so effective as an attack vehicle.

Since the installers are signed and appear trustworthy, antivirus software and network detection tools are far less likely to flag them.

After gaining remote access, the attacker conducts a full system reconnaissance, searching for credentials, active load bookings, and dispatcher information.

Credential harvesting tools such as WebBrowserPassView are then deployed to extract saved passwords from the victim’s browser.

Attack Flow (Source - Proofpoint)

Researchers from Proofpoint found public discussions on social media platforms that align precisely with the phishing and account takeover activity observed in these campaigns, further confirming how widely these methods are being shared among threat actors.

Email sent to a carrier responding to a fraudulent load posted on a load board (Source - Proofpoint)

The final step is where the cyber intrusion becomes a real-world crime. Attackers delete existing freight bookings, block dispatcher notifications, and add their own device to the dispatcher’s phone extension.

They then rebook the load under the compromised carrier’s name and coordinate the actual transport of stolen goods, all while the legitimate company remains unaware.

Organizations in the surface transportation industry should take the following steps to defend against this type of attack. Restrict the download and installation of any RMM tooling that is not approved or confirmed by the organization’s IT administrator.

Put network detection rules in place, including use of the Emerging Threats ruleset and endpoint protection, to alert on any network activity to RMM servers.

Do not download and install executable files (.exe or .msi) delivered via email from external senders. Train users to identify the activity and report suspicious emails or links to their security teams; this training can easily be integrated into an existing user training program.

Organizations at risk of cargo theft may also benefit from reviewing the National Motor Freight Traffic Association’s Cargo Crime Reduction Framework for additional guidance.
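
The recommendation to restrict unapproved RMM tooling can be backed by a simple endpoint check. The following is an added example, not code from Proofpoint or from this article's author: it scans process-creation records for the tool names listed above and applies an allowlist. The log format, host names, file paths, and the approved-tool list are assumptions constructed for illustration.

```python
import csv
import io

# Tool names as listed in the article, lowercased for substring matching.
RMM_TOOLS = ["screenconnect", "simplehelp", "pdq connect",
             "fleetdeck", "n-able", "logmein resolve"]
CRED_TOOLS = ["webbrowserpassview"]
# Assumption: the single RMM product this hypothetical IT team has approved.
APPROVED_RMM = {"n-able"}
# Assumption: user-writable locations where a downloaded installer would land.
USER_PATHS = ("\\downloads\\", "\\appdata\\local\\temp\\")

# Constructed process-creation records (not real telemetry).
SAMPLE_LOG = r"""host,image,parent,product
DISPATCH-01,C:\Users\amy\Downloads\setup.exe,C:\Program Files\Browser\browser.exe,ScreenConnect Client
IT-02,C:\Program Files\N-able\agent.exe,C:\Windows\System32\services.exe,N-able Agent
DISPATCH-01,C:\Users\amy\AppData\Local\Temp\WebBrowserPassView.exe,C:\Windows\explorer.exe,WebBrowserPassView
OPS-03,C:\Program Files\Office\sheet.exe,C:\Windows\explorer.exe,Spreadsheet
OPS-03,C:\Users\bob\Downloads\agent_setup.exe,C:\Program Files\Browser\browser.exe,N-able Agent
"""

def classify(row):
    """Return (severity, reason) for one record, or None if it is benign."""
    image = row["image"].lower()
    text = row["product"].lower() + " " + image
    for tool in CRED_TOOLS:
        if tool in text:
            return ("high", f"credential harvesting tool: {tool}")
    from_user_path = any(p in image for p in USER_PATHS)
    for tool in RMM_TOOLS:
        if tool not in text:
            continue
        if tool in APPROVED_RMM:
            # An approved product is still suspect when a user launched it
            # from a download folder instead of IT deploying it.
            if from_user_path:
                return ("medium", f"approved RMM tool run from user-writable path: {tool}")
            return None
        return ("high" if from_user_path else "medium", f"unapproved RMM tool: {tool}")
    return None

def scan(log_text):
    """Classify every record and return (host, severity, reason) alerts."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        hit = classify(row)
        if hit:
            alerts.append((row["host"], *hit))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Name matching alone is easy to evade by renaming a file, so in practice a check like this belongs alongside the network rules for RMM server traffic mentioned above.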

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
