Cybercrime groups team with organized crime in massive cargo theft campaigns

Financially motivated cyber gangs are working with organized crime to steal massive amounts of cargo through the abuse of remote monitoring tools, according to a report released Monday from Proofpoint. 

The cyber thieves, operating at least since June 2025, but possibly dating back to January, have used remote monitoring and management tools such as ScreenConnect or SimpleHelp to gain access to targeted trucking carriers or freight brokers, conduct reconnaissance activity and then use harvesting tools to steal credentials.

A separate campaign, running from 2024 through March 2025, involved hackers using DanaBot, NetSupport or LummaStealer to target ground transportation companies. DanaBot is malware that has been used in botnets and was linked to a Russia-based cybercrime operation.

The risk of cargo theft is a major concern to the logistics industry, leading to an average of $34 billion in losses per year, according to data from the National Insurance Crime Bureau. Cargo theft losses rose 27% in 2024 and were projected to increase by another 22% in 2025, according to NICB data.

Organized cargo theft has increasingly become an area of concern for U.S. authorities. The Department of Transportation in September issued a request for comment about ways to combat cargo theft. 

Industry leaders have been increasingly focused on combatting the role that cyber plays in targeting vulnerable supply chains. 

“The bad actors are using tried and true methodologies that stem from social engineering, as they are proven effective. Phishing and smishing campaigns as well as business email compromises still are the number one entry points into a system,” Artie Crawford, director of cybersecurity at the National Motor Freight Traffic Association, told Cybersecurity Dive.

Organized theft became a major focus during the COVID-19 pandemic, as global supply chains were constrained, resulting in lengthy backlogs at major port facilities.

According to Proofpoint, attackers gain access to these freight and trucking carriers and then bid on cargo shipments, before stealing the cargo and putting it up for sale online or selling it overseas.

The attackers compromise what is called a broker load board account, which is used by trucking firms to search for available trucks. In certain cases the hackers will post a fraudulent freight listing on a compromised account, followed by sending an email with a malicious URL to the firm that inquires about the listing. 

In other cases, the attackers will use compromised email accounts to inject malicious content into an existing conversation. A third method involves sending direct email campaigns to asset-based carriers or freight-brokerage firms.
