惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

美团技术团队
W
WeLiveSecurity
Stack Overflow Blog
Stack Overflow Blog
L
LangChain Blog
S
SegmentFault 最新的问题
Apple Machine Learning Research
Apple Machine Learning Research
Google DeepMind News
Google DeepMind News
F
Full Disclosure
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The Register - Security
The Register - Security
G
Google Developers Blog
C
Check Point Blog
GbyAI
GbyAI
A
About on SuperTechFans
V
Vulnerabilities – Threatpost
T
The Blog of Author Tim Ferriss
T
Tor Project blog
AWS News Blog
AWS News Blog
Cyberwarzone
Cyberwarzone
C
CERT Recently Published Vulnerability Notes
MongoDB | Blog
MongoDB | Blog
Latest news
Latest news
aimingoo的专栏
aimingoo的专栏
U
Unit 42
Y
Y Combinator Blog
P
Privacy International News Feed
Cisco Talos Blog
Cisco Talos Blog
S
Securelist
S
Schneier on Security
雷峰网
雷峰网
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
C
Cisco Blogs
Webroot Blog
Webroot Blog
T
Troy Hunt's Blog
Google Online Security Blog
Google Online Security Blog
月光博客
月光博客
P
Privacy & Cybersecurity Law Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
罗磊的独立博客
Cloudbric
Cloudbric
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
H
Hackread – Cybersecurity News, Data Breaches, AI and More
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Microsoft Security Blog
Microsoft Security Blog

Ctrl-Alt-Intel

Burnt by Burgers: Highlighting Void Blizzard’s Russian State Links Wordpress Exploitation Exposure Checker Chinese actor compromises thousands of Wordpress sites South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940) Watch Guard! Qilin affiliate exploits network appliances for initial access KongTuke on compromised WordPress sites, DDOS Botnets and Cybercriminal Feuds Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis Supply-Chain Attacks, TP-Link devices & a pair of socks The BuddyBoss Attack: Claude’s Supply-Chain Attack The BuddyBoss Attack: Full Incident Analysis Inside the UPMI Phishing-as-a-Service Platform FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops MuddyWater Exposed: Inside an Iranian APT operation Investigating Suspected DPRK-Linked Crypto Intrusions Aeternum Loader: When your C2 lives forever Aeternum Loader: Inside the binary ErrTraffic Under the Hood: A look at the source code
Diesel Vortex: Exploring connections to Russian LLCs
Ctrl-Alt-Intel · 2026-02-23 · via Ctrl-Alt-Intel

Overview

In February 2026, Ctrl-Alt-Intel and Have I Been Squatted identified a financially motivated threat actor we’ve tracked as Diesel Vortex. The group operate a phishing-as-a-service platform branded Global Profit or MC Profit Always and harvested more than 1,600 unique credentials belonging to Western logistics, trucking, and transportation companies.

Have I Been Squatted retrieved and analysed source code from the Global Profit phishing platform, which provided visibility into both infrastructure and operations. Telegram webhook logs embedded within the platform exposed months of internal coordination between operators.

Linguistic analysis of those logs indicates Armenian-speaking operators targeting companies in the logistics sector. While the initial access vector is phishing, the conversations show a fraud workflow: impersonating carriers and brokers, bypassing verification calls using spoofed/virtual numbers, and coordinating access to freight systems. Multiple messages align with double-brokering mechanics (booking loads under a stolen carrier identity, obscuring the chain, and re-assigning or diverting freight).

During infrastructure analysis, Ctrl-Alt-Intel identified a domain registration that linked the phishing panel to a Russian-registered email address. That same email appears linked to corporate records of potentially linked logistics and warehousing LLCs that reported over 14.3 billion rubles ($180+ million USD) in annual revenue within 2024.

1

Main Correlation Graph

This research is based solely on open-source intelligence (OSINT) and analysis of materials obtained during technical investigation. References to individuals and Russian-registered limited liability companies (LLCs) are provided for research context only, based on publicly available records and observed technical artifacts. Any linkages described are hypotheses derived from correlational indicators and should not be interpreted as findings of guilt, intent, or legal liability.

Key Terminology

Before taking a look at the private conversations of Armenian fraudsters, or the links to Russian LLCs, we will define some key terminology which is relevant to this industry.

Term Definition
Motor Carrier (MC) A company authorized by the FMCSA to transport goods for hire. Each carrier is assigned a unique MC number used for identification across the freight ecosystem.
FMCSA Federal Motor Carrier Safety Administration - the US federal agency that regulates trucking companies, issues operating authority, and maintains public safety records.
Freight Broker A licensed intermediary that connects shippers (companies with goods to move) with carriers (companies with trucks). Brokers arrange loads and handle payment, making them a high-value target for fraud.
DAT The largest digital freight marketplace in North America. Brokers post available loads, carriers search and book them. Access requires an MC number and verified credentials.
RMIS Registry Monitoring Insurance Services a third-party compliance platform used by brokers to verify carrier insurance, authority, and safety records. Brokers require carriers to register through RMIS before assigning loads. Diesel Vortex cloned RMIS registration portals as their primary phishing vector.
Double Brokering A fraud scheme where a threat actor operates a malicious carrier, books a load from a broker, then either re-brokers it to an actual carrier at a lower rate (pocketing the difference) or diverting the cargo entirely.
Blind Shipment A legitimate logistics term for a shipment where the shipper or receiver’s identity is hidden from the driver. Diesel Vortex operators exploited this mechanism to obscure the fraud chain and prevent drivers from contacting the real broker.

To perform Double Brokering, criminal gangs might attempt to impersonate known and trusted Motor Carrier (MCs), or have their own Motor Carrier registered as a legitimate LLCs within the United States.

Regardless of the method, these schemes typically require two capabilities:

  1. Access to freight systems
  2. A credible carrier persona (MC/DOT + email + phone presence)

Phishing in Yerevan

Within the recovered source code, developers logged all Telegram webhook calls to a file named apidata-full.txt. The logs correspond to a prior campaign deployment and span from 22 November 2024 through 25 April 2025.

Four Telegram chats were captured:

TG Chat ID # of messages # of members Primary Language First Message (UTC) Last Message (UTC)
-1002326535196 1255 8 Armenian (Latin Script) 2024-11-22 16:19:23 2025-04-11 20:28:21
-1002159174580 134 6 Armenian 2025-01-10 16:44:57 2025-04-25 19:09:35
-1002335202080 50 3 Russian 2024-12-06 14:20:30 2024-12-23 16:41:03
-1002495358035 5 2 Russian 2025-01-09 23:13:28 2025-01-09 23:15:32

The dominant chat, containing 1,255 messages, was conducted in Armenian using Latin script, with occasional Russian messages. Operators discussed:

  • Credential harvesting results (broker portals, carrier onboarding systems, email access)
  • Motor Carriers (MCs) to impersonate and the supporting “carrier package” required to appear legitimate
  • SMS/VOIP/SIP and call spoofing used to pass broker verification checks
  • Anti-detect browsers, VPNs and SOCKS proxies to sustain access and rotate infrastructure
  • Remote access tooling (RMM/RDP-style workflows) to operate inside compromised environments
  • Freight-specific tactics including blind shipment narratives to obscure the broker–carrier–driver chain

Although 14 unique Telegram user IDs registered to the platform, the majority of the messages were sent by 4 users:

User ID username # of messages
7779899846 gts100 465
5270565142 TA1 411
5318416774 TGMC100 247
2077544656 TA2 245
7517405011 antonioprimoderivera 29
1087968824 GroupAnonymousBot 21
6570551667 sapip_188 7
5321390016 GTPOCO_2 6
389288453 Mc100Mc 4
5712841521 gts10 3

Translated conversations analysis

Most messages were written in Armenian using Latin script. Where possible, we translated them to better understand campaign context. Seeing how they speak to each other, on the day to day, provided a lot of insight to the operation. For some reason, some accounts only had their Telegram ID and not username. I’ve named these TA1 and TA2. The other usernames were found within the logs.

1

Translated Chat Excerpt

Two members of Diesel Vortex discussed, “do we have an MC with 250k cargo?”. This suggests they’re looking for a usable carrier identity (or a compromised carrier account) suitable for high-value freight. In the freight ecosystem, higher cargo values typically mean stricter verification and insurance requirements, indicating the group is planning for higher-trust, higher-value loads rather than relying on opportunistic phishing alone.

Besides conversing in Armenian Latin script, analysis of the Telegram webhook log reveals the below Armenian resedential IP addresses accessed the platform:

  • 78.109.70[.]111
  • 46.162.227[.]180
  • 46.36.114[.]119
  • 46.36.112[.]127

Additionally, on the 22nd of April a member of this chat revealed he was in Komitas, located within Yerevan, Armenia:

1

Chat Log showing an operator within Komitas, Armenia

The Infrastructure Pivot

Within the phishing panel source code, the file njhTghagTGgYT\template\footer.php contained a reference to the domain yasomawork[.]space. The domain was embedded within the login panel of the phishing-kit.

1

Source Code Excerpt

Historical DNS records show yasomawork[.]space resolving to 45.130.41[.]81 on 14 February 2025. The domain itself was registered three days earlier, on 11 February 2025 at 16:51:57 GMT. We can see, from the chat logs, Diesel Vortex was active during this time.

RDAP data shows the domain was registered through the Russian provider BEGET-RU. The associated IP address was also hosted on infrastructure allocated to Beget.

2

RDAP Record

Unlike anonymized registrations commonly used in phishing operations, this domain contained registrant details including:

  • A full name
  • A phone number
  • An email address

From Infra to Identity

The registrant email address exposed in the RDAP record was reused across multiple services and corporate filings. We used the platform osint.industries to pivot on the email and phone number to find profiles under the names:

3

Screenshot from osint.industries platform

  • Yura Ivlev
  • Yuri Ivlev
  • Yuri Ivlev Konstantinovich
  • Юрий Ивлев Константинович

We will use the name Yuri or Yuri Ivlev for the remainder of this analysis.

Publicly accessible social media accounts contain photos dating from 2014 through 2023. The same email address was used to register the domain unx-defence[.]ru on 8 December 2021, also via Beget.

3

Yuri's Facebook Photo (2014)

4

Yuri's Whatsapp Photo (2023)

Corporate registry records show the identity linked to the email [email protected] associated with several Russian LLCs operating in wholesale trade, transportation and warehousing.

From 2014 to 2025, Yuri was a founder or co-founder of the 5 registered entities:

Registration Date LLC Name Translation ИНН/Tax ID Email Sector Ownership at incorporation
25th Sep 2014 (closed) КОРОНА ХОСТЕЛ KORONA HOSTEL 7715446004 N/A Hotel/Accommodation 100%
30 Sept 2021 ЮНИКС ГРУПП UNIX GROUP LLC 7713484999 buh[@]unx-defence[.]ru Wholesale trade 100%
15th Jun 2023 ВПМ VPM 9726047206 y.ivlev[@]gmail[.]com Wholesale trade 100%
13th July 2023 ТЕРМИНАЛ ИКС Terminal X 9726049122 nkazarinov[@]yandex[.]ru Warehousing/Storage 67%
10th Oct 2025 ПСМ PSM 5044145482 y.ivlev[@]gmail[.]com Wholesale trade 100%

UNIX GROUP LLC

UNIX Group LLC was registered on 30 September 2021. On 8 December 2021, the domain unx-defence[.]ru was registered using the same email address identified in the phishing panel RDAP record. In June 2022, Yuri Ivlev assumed ownership of the company.

Corporate filings show UNIX Group LLC registered more than 30 OKVED classifications. The primary classification is:

  • 46.90 — Non-specialized wholesale trade

However, additional classifications include:

  • 49.20.9 — Transportation of other cargo
  • 52.10 — Warehousing and storage activities
  • 52.29 — Other auxiliary activities related to transportation

These codes directly align with logistics, freight handling, and storage operations.

6

UNIX Group LLC OKVED code

The domain unx-group[.]ru is the publicly accessible website for the entity UNIX GROUP LLC:

7

UNIX Group website

“UNIX Group, a trading and manufacturing company, is a direct partner of leading Chinese factories and offers a wide range of high-quality industrial and consumer raw materials”. We can see they also have “Our own logistics service for international transportation” and are in “Close cooperation with leading factories in Russia and China”.

8

UNIX Group website

This appears to be a legitimate registered business that comes along with a product catalog:

9

UNIX Group website

On 23 March 2022, UNIX Group LLC was issued an official trade certificate through a Kyrgyz government export and import documentation system. The certificate is publicly accessible and registers the company in connection with cross-border trade activity. Notably, the certificate lists the name Olga Olegovna Ivleva, who previously appeared in ownership records associated with the company.

10

Kyrgyz trade certificate

Rapid Growth

Using 1 Ruble = 0.013 USD:

Year Revenue (USD) Net Profit (USD)
2021 $604,700 $2,000
2022 $54,420,000 $9,670,000
2023 $95,180,000 $16,270,000
2024 $154,890,000 $10,910,000

T-Bank - ООО “ЮНИКС ГРУПП” (UNIX GROUP LLC)

Between 2021 and 2024, UNIX Group LLC scaled from sub-million revenue to more than $150 million annually. Net profit margins in 2023 exceeded 17 percent.

We have no evidence to prove these funds have originated from cargo theft, nor is Ctrl-Alt-Intel suggesting this. At minimum, the overlap establishes that the registrant of phishing infrastructure operates or has operated companies in the same sector targeted by Diesel Vortex.

11

Correlation Graph #1

Terminal X was registered on 13 July 2023.

Ownership at formation:

  • Yuri Ivlev - 67%
  • Nikita Kazarinov - 33%

12

Split ownership of Terminal X

The company lists the following OKVED classifications:

  • 52.10 — Warehousing and storage activities
  • 52.10.9 — Storage and warehousing of other cargo
  • 52.29 — Other auxiliary transportation activities
  • 82.99 — Other business support services

The classifications again align with freight handling and cargo operations.

Financial filings for Terminal X show limited revenue and small annual losses between 2023 and 2025. However, the structural importance of Terminal X lies not in revenue, but in shared ownership at incorporation.

On 20 February 2026, just days prior to publication of this report, Nikita Kazarinov assumed full ownership of Terminal X. Yuri Ivlev no longer retained shares.

Terminal X serves as the bridge between Yuri Ivlev and Nikita Kazarinov within the corporate network.

Shuttle Logistic and the “Terminal” Network

Nikita Kazarinov previously founded or owned several logistics-related entities, including:

  • FILIKA GROUP
  • TERMINAL PLUS
  • TERMINAL BROKER
  • TERMINAL X

Both Terminal Plus and Terminal Broker are associated with the domain shuttle-logistic[.]ru, operating under the brand “Shuttle Logistics Solutions”:

14

Shuttle Logistics website

Unlike UNIX Group LLC, the Shuttle Logistics website prominently displays staff identities and executive leadership. Nikita Kazarinov is publicly presented as CEO.

15

Nikita Kazarinov

Industry media coverage from Russian logistics publications references Kazarinov in connection with freight and transportation operations.

15

Snippet of logirus.ru article

15

Screenshot from logirus.ru website

See below for the full list of registered entities with corresponding email addresses.

Registration Date LLC Name Translation ИНН/Tax ID Email Sector Ownership at incorporation
22nd May 2014 (closed) ФИЛИКА ГРУПП FILIKA GROUP 7715432611 N/A Cargo transportation 33%
22nd Sept 2016 ТЕРМИНАЛ ПЛЮС Terminal Plus 7728349199 kiseleva_n1971[@]mail.ru Transportation 100%
26th Aug 2021 ТЕРМИНАЛ БРОКЕР Terminal Broker 7726481674 info[@]shuttle-logistic[.]ru Transportation 100%
13th July 2023 ТЕРМИНАЛ ИКС Terminal X 9726049122 nkazarinov[@]yandex[.]ru Warehousing/storage 67%

Address Clustering in Moscow

Five of the six identified LLCs are registered at the same address:

117105, Moscow, Novodanilovskaya Embankment, Building 4A

15

Correlation Graph #2

In October 2025, a newly registered LLC diverged from this pattern, listing an address in the Esipovo Industrial Park in Solnechnogorsk.

The concentration of logistics-oriented entities at a single Moscow address reinforces the structural connectivity within the network.

Sector Convergence

The Telegram logs recovered from the phishing platform showed Armenian operators targeting:

  • Freight brokers
  • Trucker drivers
  • Logistics firms

The objective discussed was theft of cargo and/or funds.

The Russian LLCs associated with Yuri Ivlev and Nikita Kazarinov list OKVED classifications covering:

  • Wholesale trade
  • Transportation of cargo
  • Warehousing and storage
  • Auxiliary transportation services

Public websites for these companies advertise:

  • International freight handling
  • Warehousing capacity
  • Cross-border trade coordination

The sector alignment is direct. This report does not assert that the corporate revenue is being derived from phishing or diversion activity.

However, the same email identified used to register phishing infrastructure appears in corporate filings for logistics companies operating in the same vertical targeted by Diesel Vortex.

What we can establish

Based on the technical artifacts and public records, the following claims can be made:

  1. Diesel Vortex operated a phishing platform targeting logistics-sector companies.
  2. Telegram logs show Armenian-speaking operators discussing credential harvesting and cargo-related activity.
  3. The phishing panel contained a domain registered with identifiable personal information.
  4. That email identifier appears in Russian corporate filings for multiple logistics-oriented LLCs.
  5. Several of these companies share sector classifications and a common Moscow address.
  6. A co-owned entity between Yuri Ivlev and Nikita Kazarinov transferred ownership shortly before publication.

Each data point is independently verifiable through infrastructure records and public corporate registries.

Conclusion

The investigation into Diesel Vortex began with a phishing platform targeting Western logistics companies. Source code recovered by Have I Been Squatted exposed not only credential harvesting mechanisms, but operational Telegram logs that revealed Armenian-language coordination tied to freight impersonation, mailbox compromise, and activity consistent with double-brokering or cargo diversion.

The technical analysis published by Have I Been Squatted details the inner workings of the Global Profit and MC Profit Always platform, including Telegram architecture, phishing templates, and victim telemetry, and lots of IOCs. That research establishes the operational capability of Diesel Vortex.

A domain embedded within the phishing panel created an infrastructure pivot. The registration record exposed an email identifier. That same identifier appears in the corporate filings of multiple Russian LLCs operating in wholesale trade, warehousing, and transportation. Several of these entities report substantial revenue and share both sector classifications, executive-leadership history and registration addresses.

It is possible that the domain registration reflects negligence, unrelated administrative overlap, or another explanation not visible through open-source analysis. At present, the evidence supports correlation, not attribution.