Hackers and Crime Rings Are Orchestrating Cyber-Enabled Cargo Heists

A new wave of attacks blends phishing, remote-access software abuse, and deep logistics know-how to redirect real-world shipments—from energy drinks to electronics—into criminal supply chains, with losses already climbing and poised to grow further. 

Incident Overview 

A fresh body of research shows financially motivated hackers collaborating with organized crime groups to infiltrate trucking carriers and freight brokers, gain remote access to their systems, and then hijack physical shipments for resale online or overseas, turning cyber compromise into real-world theft at scale. The campaign, highlighted this week, underscores a troubling escalation in “cyber-physical” crime that exploits both the pace of freight transactions and the trust signals that grease logistics workflows. Researchers report “high confidence” that threat actors are coordinating with off-platform operatives to physically pick up or intercept loads after gaining footholds inside target networks. This is not speculative; it is a live operational model observed across multiple incidents and entities in the surface transportation sector.  

The operational tempo is accelerating. Proofpoint’s latest analysis notes nearly two dozen distinct email-borne campaigns since August 2025 alone, with volumes ranging from tens to over a thousand messages per campaign, and with malicious emails tailored for the freight context rather than generic lures. The thrust is to obtain remote control of brokers’ or carriers’ machines, harvest credentials, and manipulate dispatch and booking flows long enough to bid on real loads and route them to criminal end points. The pattern lines up with broader reporting that this threat cluster has been active since at least June 2025 and may trace back to infrastructure observed in January. 

The financial stakes are enormous. The National Insurance Crime Bureau (NICB) estimates cargo theft drives tens of billions of dollars in annual losses and reports the crime spiked 27% in 2024 with an additional 22% rise projected in 2025, implying a worsening loss curve that ultimately shows up in consumer prices and supply-chain volatility. This rise is fueled by familiar cyber weaknesses—business email compromise, identity theft, synthetic identities, and spoofed communications—translated into fraud that physically diverts goods. 

Technical Breakdown 

The attack chain begins with identity deception and ends at a loading dock, and in between the operators aim to plant legitimate-looking remote monitoring and management agents so they can “live off the land” with hands-on access that resembles authorized IT administration. Proofpoint details three reliable first steps: compromising broker load-board accounts to post realistic fake loads and reply to interested carriers with a malicious link; hijacking active email threads from previously compromised accounts to insert a booby-trapped URL that recipients will trust; and spraying direct, freight-specific lures at larger asset-based carriers and brokerage firms to seed initial access at scale. The payload is rarely a noisy trojan; rather, it is an installer for Remote Monitoring and Management (RMM) or remote access software such as ScreenConnect, SimpleHelp, PDQ (Pretty Darn Quick) Connect, Fleetdeck, N-able (N-central), or LogMeIn/GoTo Resolve, and in some cases operators chain tools together, for example using PDQ to drop ScreenConnect and SimpleHelp, before pivoting to reconnaissance and credential harvesting with utilities like WebBrowserPassView. Once a foothold is established, attackers enumerate systems, capture credentials, and manipulate workflows, and there are observed cases of criminals deleting existing bookings, suppressing dispatcher notifications, adding their own device to a dispatcher’s phone extension, bidding on loads in the victim’s name, and coordinating pickups that look perfectly legitimate to dock staff until the cargo never arrives at its true destination. A key reason this works is that signed RMM installers and brand names that frontline staff recognize often evade both user skepticism and traditional detections, allowing the attackers to persist long enough to alter business decisions rather than just machines. 

Broader Impact & Trends 

This wave slots into two larger industry trends: the rapid digitalization of logistics and the cybercrime ecosystem’s growing preference for legitimate remote-access tools as first-stage payloads. As brokers, shippers, carriers, Third-Party Logistics providers (3PLs), and visibility platforms have stitched themselves together with portals and Application Programming Interfaces (APIs), the “break-in” often looks like someone posting a load or sending a rate confirmation, and the “getaway car” is a real truck dispatched under a trusted identity rather than a stolen vehicle in the night; the adversary’s advantage is speed and plausibility, not zero-days. Proofpoint underscores that cyber-enabled cargo theft is global in character even when a campaign concentrates on North American freight, and the most commonly targeted commodities—food and beverages among them—are easy to resell and hard to trace, which makes the business model durable. In parallel, industry bodies like the National Motor Freight Traffic Association are publishing practical guidance that treats identity spoofing, fraudulent pickups, and digital freight matching abuse as first-class security problems, because load-board compromises and look-alike domains have become reliable precursors to theft by deception. Against that backdrop, macro indicators from the National Insurance Crime Bureau paint a worsening curve—more incidents, larger average losses, and steadily rising totals—so the cost of slow action is higher detention fees, premium increases, and shelf gaps that roll downhill to consumers.

What It Means for Businesses/Individuals 

For brokers and carriers, this is a mandate to treat inboxes, identity, and RMM governance as part of physical cargo security, because the adversary is not trying to crash your systems so much as impersonate your process long enough to redirect a trailer. Enforce multi-factor authentication (MFA) on Transportation Management System (TMS), email, and all load-board accounts; add conditional access that restricts logins by device health and geography; rotate credentials aggressively for shared dispatch accounts; and audit for forwarding rules and inbox filters that hide messages from specific counterparties or subjects, since those are classic signs of a hands-on-keyboard intruder trying to suppress alarms while they stage changes. Turn RMM from a convenience into a controlled pathway by allow-listing approved tools, blocking MSI/EXE installers delivered via email, and monitoring for beaconing or Domain Name System (DNS) lookups to known RMM infrastructure; when service partners truly need remote access, provide it through a segmented jump host, record sessions, and require just-in-time authorization so there is something to review if a booking suddenly moves. Because the objective is fraud in the business layer, slow down the highest-impact moments with out-of-band verification: when pickup locations, drivers, or consignee instructions change at the last minute, require a callback to a number on file rather than to the one in the latest email, and introduce two-person approval for after-hours dispatch changes so a single busy staffer cannot be socially engineered into releasing a high-value load.
Map these controls to the specific techniques highlighted by researchers—watch for first-time installations of ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, or GoTo Resolve; alert on the use of browser password dumpers; correlate new RMM check-ins with load-board logins; and flag sudden mass edits to bookings—so that your Security Information and Event Management (SIEM) detects the actual theft play rather than only generic malware traits. Train dispatchers, brokers, and drivers with practical examples from the current campaigns, including screenshots of fake “carrier packets,” “rate confirmations,” and look-alike domains that Proofpoint has catalogued, because user-facing teams are the ones most likely to see the tell before the SOC does. Finally, extend the same discipline to your vendor ecosystem through contract clauses and onboarding: insist that partner agents use MFA, prohibit double-brokering, require prompt disclosure of suspected account takeover, and align your verification steps to the National Motor Freight Traffic Association, Inc. (NMFTA) Cargo Crime Reduction Framework so your counter-fraud measures match the threat model on today’s platforms.
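As an added illustration (not code from the article, from Proofpoint, or from any SIEM vendor), the following Python sketch applies three of the detections listed above to constructed audit events: a first-time RMM installation on a host, an RMM install shortly after a load-board login by the same user, and a burst of booking edits by one account. The event schema, hosts, users, load numbers and time windows are all assumptions made for the example.

```python
"""Added example, not code from the article or from Proofpoint: three of the
recommended checks run over constructed endpoint, load-board and TMS audit events."""
from collections import defaultdict
from datetime import datetime, timedelta
# RMM products named in the article, matched case-insensitively against the
# product name an endpoint agent records for a software installation.
RMM_PRODUCTS = ("screenconnect", "simplehelp", "pdq connect", "fleetdeck",
                "n-able", "goto resolve", "logmein")

# Constructed sample events: (ISO timestamp, event type, host, user, detail).
EVENTS = [
    ("2025-11-03T08:02:00", "loadboard_login", "DISPATCH-07", "maria", "broker portal"),
    ("2025-11-03T08:09:30", "software_install", "DISPATCH-07", "maria", "ScreenConnect Client"),
    ("2025-11-03T08:15:00", "software_install", "DISPATCH-07", "maria", "Adobe Acrobat Reader"),
    ("2025-11-03T08:40:00", "software_install", "IT-ADMIN-01", "svc_it", "ScreenConnect Client"),
] + [("2025-11-03T09:0%d:00" % i, "booking_edit", "DISPATCH-07", "maria", "LOAD-10%d" % i)
     for i in range(5)]
KNOWN_RMM_HOSTS = frozenset({"IT-ADMIN-01"})   # hosts where an RMM agent is expected

def detect(events, known_rmm_hosts=frozenset(), login_window=timedelta(minutes=30),
           edit_threshold=5, edit_window=timedelta(minutes=10)):
    """Return (rule, host, user, detail) alerts for the three checks."""
    alerts = []
    rmm_hosts = set(known_rmm_hosts)     # hosts already running an approved RMM agent
    logins = defaultdict(list)           # user -> load-board login times
    edits = defaultdict(list)            # user -> booking-edit times inside edit_window
    for ts, kind, host, user, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "loadboard_login":
            logins[user].append(t)
        elif kind == "software_install" and any(p in detail.lower() for p in RMM_PRODUCTS):
            # Check 1: an RMM agent appearing on a host that never had one.
            if host not in rmm_hosts:
                rmm_hosts.add(host)
                alerts.append(("first_rmm_install", host, user, detail))
            # Check 2: the install follows a load-board login by the same user.
            if any(t - lt <= login_window for lt in logins[user] if lt <= t):
                alerts.append(("rmm_after_loadboard_login", host, user, detail))
        elif kind == "booking_edit":
            # Check 3: a burst of booking edits by one account (fires once per burst).
            edits[user] = [e for e in edits[user] if t - e <= edit_window] + [t]
            if len(edits[user]) == edit_threshold:
                alerts.append(("mass_booking_edits", host, user, "%d edits" % edit_threshold))
    return alerts

def run_sample():
    """Run the detector over the constructed events above."""
    return detect(EVENTS, KNOWN_RMM_HOSTS)
```

On the sample data the approved agent on IT-ADMIN-01 and the Acrobat install produce nothing, while the dispatcher's workstation raises all three alerts.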

Final Thoughts 

The uncomfortable truth for supply-chain leaders is that the line between “IT incident” and “stolen truckload” has effectively vanished, because attackers are mastering the tempo and language of modern freight rather than the internals of your servers, which means the right defense is less about exotic detection and more about disciplined identity proofing, remote-access governance, and friction at the moments where money and custody actually change hands. If your team books loads, manages lanes, or receives goods, assume that a realistic-looking PDF and a signed installer can become a seven-figure theft within hours, and act accordingly by tightening MFA, curating which RMM agents are allowed to exist, rehearsing callbacks before honoring urgent changes, and measuring your readiness against the specific techniques outlined by current research; the upside is that every one of those moves is feasible this quarter, and the downside of waiting is that an attacker who already understands your process will use it—quietly, confidently, and at your expense. 
