























In February 2026, Ctrl-Alt-Intel and Have I Been Squatted identified a financially motivated threat actor we’ve tracked as Diesel Vortex. The group operate a phishing-as-a-service platform branded Global Profit or MC Profit Always and harvested more than 1,600 unique credentials belonging to Western logistics, trucking, and transportation companies.
Have I Been Squatted retrieved and analysed source code from the Global Profit phishing platform, which provided visibility into both infrastructure and operations. Telegram webhook logs embedded within the platform exposed months of internal coordination between operators.
Linguistic analysis of those logs indicates Armenian-speaking operators targeting companies in the logistics sector. While the initial access vector is phishing, the conversations show a fraud workflow: impersonating carriers and brokers, bypassing verification calls using spoofed/virtual numbers, and coordinating access to freight systems. Multiple messages align with double-brokering mechanics (booking loads under a stolen carrier identity, obscuring the chain, and re-assigning or diverting freight).
During infrastructure analysis, Ctrl-Alt-Intel identified a domain registration that linked the phishing panel to a Russian-registered email address. That same email appears linked to corporate records of potentially linked logistics and warehousing LLCs that reported over 14.3 billion rubles ($180+ million USD) in annual revenue within 2024.
Main Correlation Graph
This research is based solely on open-source intelligence (OSINT) and analysis of materials obtained during technical investigation. References to individuals and Russian-registered limited liability companies (LLCs) are provided for research context only, based on publicly available records and observed technical artifacts. Any linkages described are hypotheses derived from correlational indicators and should not be interpreted as findings of guilt, intent, or legal liability.
Before taking a look at the private conversations of Armenian fraudsters, or the links to Russian LLCs, we will define some key terminology which is relevant to this industry.
| Term | Definition |
|---|---|
| Motor Carrier (MC) | A company authorized by the FMCSA to transport goods for hire. Each carrier is assigned a unique MC number used for identification across the freight ecosystem. |
| FMCSA | Federal Motor Carrier Safety Administration - the US federal agency that regulates trucking companies, issues operating authority, and maintains public safety records. |
| Freight Broker | A licensed intermediary that connects shippers (companies with goods to move) with carriers (companies with trucks). Brokers arrange loads and handle payment, making them a high-value target for fraud. |
| DAT | The largest digital freight marketplace in North America. Brokers post available loads, carriers search and book them. Access requires an MC number and verified credentials. |
| RMIS | Registry Monitoring Insurance Services a third-party compliance platform used by brokers to verify carrier insurance, authority, and safety records. Brokers require carriers to register through RMIS before assigning loads. Diesel Vortex cloned RMIS registration portals as their primary phishing vector. |
| Double Brokering | A fraud scheme where a threat actor operates a malicious carrier, books a load from a broker, then either re-brokers it to an actual carrier at a lower rate (pocketing the difference) or diverting the cargo entirely. |
| Blind Shipment | A legitimate logistics term for a shipment where the shipper or receiver’s identity is hidden from the driver. Diesel Vortex operators exploited this mechanism to obscure the fraud chain and prevent drivers from contacting the real broker. |
To perform Double Brokering, criminal gangs might attempt to impersonate known and trusted Motor Carrier (MCs), or have their own Motor Carrier registered as a legitimate LLCs within the United States.
Regardless of the method, these schemes typically require two capabilities:
Within the recovered source code, developers logged all Telegram webhook calls to a file named apidata-full.txt. The logs correspond to a prior campaign deployment and span from 22 November 2024 through 25 April 2025.
Four Telegram chats were captured:
| TG Chat ID | # of messages | # of members | Primary Language | First Message (UTC) | Last Message (UTC) |
|---|---|---|---|---|---|
| -1002326535196 | 1255 | 8 | Armenian (Latin Script) | 2024-11-22 16:19:23 | 2025-04-11 20:28:21 |
| -1002159174580 | 134 | 6 | Armenian | 2025-01-10 16:44:57 | 2025-04-25 19:09:35 |
| -1002335202080 | 50 | 3 | Russian | 2024-12-06 14:20:30 | 2024-12-23 16:41:03 |
| -1002495358035 | 5 | 2 | Russian | 2025-01-09 23:13:28 | 2025-01-09 23:15:32 |
The dominant chat, containing 1,255 messages, was conducted in Armenian using Latin script, with occasional Russian messages. Operators discussed:
Although 14 unique Telegram user IDs registered to the platform, the majority of the messages were sent by 4 users:
| User ID | username | # of messages |
|---|---|---|
| 7779899846 | gts100 | 465 |
| 5270565142 | TA1 | 411 |
| 5318416774 | TGMC100 | 247 |
| 2077544656 | TA2 | 245 |
| 7517405011 | antonioprimoderivera | 29 |
| 1087968824 | GroupAnonymousBot | 21 |
| 6570551667 | sapip_188 | 7 |
| 5321390016 | GTPOCO_2 | 6 |
| 389288453 | Mc100Mc | 4 |
| 5712841521 | gts10 | 3 |
| … | … | … |
Most messages were written in Armenian using Latin script. Where possible, we translated them to better understand campaign context. Seeing how they speak to each other, on the day to day, provided a lot of insight to the operation. For some reason, some accounts only had their Telegram ID and not username. I’ve named these TA1 and TA2. The other usernames were found within the logs.
Translated Chat Excerpt
Two members of Diesel Vortex discussed, “do we have an MC with 250k cargo?”. This suggests they’re looking for a usable carrier identity (or a compromised carrier account) suitable for high-value freight. In the freight ecosystem, higher cargo values typically mean stricter verification and insurance requirements, indicating the group is planning for higher-trust, higher-value loads rather than relying on opportunistic phishing alone.
Besides conversing in Armenian Latin script, analysis of the Telegram webhook log reveals the below Armenian resedential IP addresses accessed the platform:
Additionally, on the 22nd of April a member of this chat revealed he was in Komitas, located within Yerevan, Armenia:
Chat Log showing an operator within Komitas, Armenia
Within the phishing panel source code, the file njhTghagTGgYT\template\footer.php contained a reference to the domain yasomawork[.]space. The domain was embedded within the login panel of the phishing-kit.
Source Code Excerpt
Historical DNS records show yasomawork[.]space resolving to 45.130.41[.]81 on 14 February 2025. The domain itself was registered three days earlier, on 11 February 2025 at 16:51:57 GMT. We can see, from the chat logs, Diesel Vortex was active during this time.
RDAP data shows the domain was registered through the Russian provider BEGET-RU. The associated IP address was also hosted on infrastructure allocated to Beget.
Unlike anonymized registrations commonly used in phishing operations, this domain contained registrant details including:
The registrant email address exposed in the RDAP record was reused across multiple services and corporate filings. We used the platform osint.industries to pivot on the email and phone number to find profiles under the names:
Screenshot from osint.industries platform
We will use the name Yuri or Yuri Ivlev for the remainder of this analysis.
Publicly accessible social media accounts contain photos dating from 2014 through 2023. The same email address was used to register the domain unx-defence[.]ru on 8 December 2021, also via Beget.
Yuri's Facebook Photo (2014)
Yuri's Whatsapp Photo (2023)
Corporate registry records show the identity linked to the email [email protected] associated with several Russian LLCs operating in wholesale trade, transportation and warehousing.
From 2014 to 2025, Yuri was a founder or co-founder of the 5 registered entities:
| Registration Date | LLC Name | Translation | ИНН/Tax ID | Sector | Ownership at incorporation | |
|---|---|---|---|---|---|---|
| 25th Sep 2014 (closed) | КОРОНА ХОСТЕЛ | KORONA HOSTEL | 7715446004 | N/A | Hotel/Accommodation | 100% |
| 30 Sept 2021 | ЮНИКС ГРУПП | UNIX GROUP LLC | 7713484999 | buh[@]unx-defence[.]ru | Wholesale trade | 100% |
| 15th Jun 2023 | ВПМ | VPM | 9726047206 | y.ivlev[@]gmail[.]com | Wholesale trade | 100% |
| 13th July 2023 | ТЕРМИНАЛ ИКС | Terminal X | 9726049122 | nkazarinov[@]yandex[.]ru | Warehousing/Storage | 67% |
| 10th Oct 2025 | ПСМ | PSM | 5044145482 | y.ivlev[@]gmail[.]com | Wholesale trade | 100% |
UNIX Group LLC was registered on 30 September 2021. On 8 December 2021, the domain unx-defence[.]ru was registered using the same email address identified in the phishing panel RDAP record. In June 2022, Yuri Ivlev assumed ownership of the company.
Corporate filings show UNIX Group LLC registered more than 30 OKVED classifications. The primary classification is:
However, additional classifications include:
These codes directly align with logistics, freight handling, and storage operations.
The domain unx-group[.]ru is the publicly accessible website for the entity UNIX GROUP LLC:
“UNIX Group, a trading and manufacturing company, is a direct partner of leading Chinese factories and offers a wide range of high-quality industrial and consumer raw materials”. We can see they also have “Our own logistics service for international transportation” and are in “Close cooperation with leading factories in Russia and China”.
This appears to be a legitimate registered business that comes along with a product catalog:
On 23 March 2022, UNIX Group LLC was issued an official trade certificate through a Kyrgyz government export and import documentation system. The certificate is publicly accessible and registers the company in connection with cross-border trade activity. Notably, the certificate lists the name Olga Olegovna Ivleva, who previously appeared in ownership records associated with the company.
Using 1 Ruble = 0.013 USD:
| Year | Revenue (USD) | Net Profit (USD) |
|---|---|---|
| 2021 | $604,700 | $2,000 |
| 2022 | $54,420,000 | $9,670,000 |
| 2023 | $95,180,000 | $16,270,000 |
| 2024 | $154,890,000 | $10,910,000 |
T-Bank - ООО “ЮНИКС ГРУПП” (UNIX GROUP LLC)
Between 2021 and 2024, UNIX Group LLC scaled from sub-million revenue to more than $150 million annually. Net profit margins in 2023 exceeded 17 percent.
We have no evidence to prove these funds have originated from cargo theft, nor is Ctrl-Alt-Intel suggesting this. At minimum, the overlap establishes that the registrant of phishing infrastructure operates or has operated companies in the same sector targeted by Diesel Vortex.
Correlation Graph #1
Terminal X was registered on 13 July 2023.
Ownership at formation:
Split ownership of Terminal X
The company lists the following OKVED classifications:
The classifications again align with freight handling and cargo operations.
Financial filings for Terminal X show limited revenue and small annual losses between 2023 and 2025. However, the structural importance of Terminal X lies not in revenue, but in shared ownership at incorporation.
On 20 February 2026, just days prior to publication of this report, Nikita Kazarinov assumed full ownership of Terminal X. Yuri Ivlev no longer retained shares.
Terminal X serves as the bridge between Yuri Ivlev and Nikita Kazarinov within the corporate network.
Nikita Kazarinov previously founded or owned several logistics-related entities, including:
Both Terminal Plus and Terminal Broker are associated with the domain shuttle-logistic[.]ru, operating under the brand “Shuttle Logistics Solutions”:
Unlike UNIX Group LLC, the Shuttle Logistics website prominently displays staff identities and executive leadership. Nikita Kazarinov is publicly presented as CEO.
Industry media coverage from Russian logistics publications references Kazarinov in connection with freight and transportation operations.
Screenshot from logirus.ru website
See below for the full list of registered entities with corresponding email addresses.
| Registration Date | LLC Name | Translation | ИНН/Tax ID | Sector | Ownership at incorporation | |
|---|---|---|---|---|---|---|
| 22nd May 2014 (closed) | ФИЛИКА ГРУПП | FILIKA GROUP | 7715432611 | N/A | Cargo transportation | 33% |
| 22nd Sept 2016 | ТЕРМИНАЛ ПЛЮС | Terminal Plus | 7728349199 | kiseleva_n1971[@]mail.ru | Transportation | 100% |
| 26th Aug 2021 | ТЕРМИНАЛ БРОКЕР | Terminal Broker | 7726481674 | info[@]shuttle-logistic[.]ru | Transportation | 100% |
| 13th July 2023 | ТЕРМИНАЛ ИКС | Terminal X | 9726049122 | nkazarinov[@]yandex[.]ru | Warehousing/storage | 67% |
Five of the six identified LLCs are registered at the same address:
117105, Moscow, Novodanilovskaya Embankment, Building 4A
Correlation Graph #2
In October 2025, a newly registered LLC diverged from this pattern, listing an address in the Esipovo Industrial Park in Solnechnogorsk.
The concentration of logistics-oriented entities at a single Moscow address reinforces the structural connectivity within the network.
The Telegram logs recovered from the phishing platform showed Armenian operators targeting:
The objective discussed was theft of cargo and/or funds.
The Russian LLCs associated with Yuri Ivlev and Nikita Kazarinov list OKVED classifications covering:
Public websites for these companies advertise:
The sector alignment is direct. This report does not assert that the corporate revenue is being derived from phishing or diversion activity.
However, the same email identified used to register phishing infrastructure appears in corporate filings for logistics companies operating in the same vertical targeted by Diesel Vortex.
Based on the technical artifacts and public records, the following claims can be made:
Each data point is independently verifiable through infrastructure records and public corporate registries.
The investigation into Diesel Vortex began with a phishing platform targeting Western logistics companies. Source code recovered by Have I Been Squatted exposed not only credential harvesting mechanisms, but operational Telegram logs that revealed Armenian-language coordination tied to freight impersonation, mailbox compromise, and activity consistent with double-brokering or cargo diversion.
The technical analysis published by Have I Been Squatted details the inner workings of the Global Profit and MC Profit Always platform, including Telegram architecture, phishing templates, and victim telemetry, and lots of IOCs. That research establishes the operational capability of Diesel Vortex.
A domain embedded within the phishing panel created an infrastructure pivot. The registration record exposed an email identifier. That same identifier appears in the corporate filings of multiple Russian LLCs operating in wholesale trade, warehousing, and transportation. Several of these entities report substantial revenue and share both sector classifications, executive-leadership history and registration addresses.
It is possible that the domain registration reflects negligence, unrelated administrative overlap, or another explanation not visible through open-source analysis. At present, the evidence supports correlation, not attribution.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。