
Hackers Steal Your Coffee: Cyber Gangs Hijack Real-World Cargo

Hackers hijack real-world cargo, stealing shipments like coffee through cyberattacks.

Written By
Ken Underhill
Nov 4, 2025

Cybercriminals are increasingly exploiting trucking and logistics companies through elaborate cyber-enabled schemes designed to steal real-world cargo. 

As digital systems become more embedded in the global supply chain, attackers have adapted old crimes for the modern era — using remote access tools and fraudulent online bids to hijack shipments worth millions.

A New Era of Cargo Theft

According to Proofpoint’s research, threat actors have developed attack chains that combine social engineering, credential theft, and remote access software to infiltrate freight carriers and brokers. 

Once inside, they use stolen access to bid on legitimate shipments and redirect them for theft and resale. 

This form of cyber-enabled cargo theft mirrors traditional organized crime tactics, but now takes advantage of logistics technology designed to make transportation more efficient.

Cargo theft has long been a costly issue, with the National Insurance Crime Bureau estimating annual global losses at $34 billion.

Historically, such thefts involved physical hijacking or insider collusion. 

Today, however, the digital transformation of logistics — load boards, electronic bidding, and online dispatch systems — has introduced new vulnerabilities that criminals are eager to exploit.

The Attack Chain

Proofpoint’s findings reveal a sophisticated, multi-stage attack process. 

First, criminals compromise broker or carrier accounts, often through phishing or credential theft. 

They then post fraudulent load listings on legitimate freight boards, tricking real trucking companies into responding.

When a carrier clicks on a malicious link, the actor delivers Remote Monitoring and Management (RMM) tools such as ScreenConnect, SimpleHelp, PDQ Connect, or LogMeIn Resolve. 

These legitimate tools are repurposed to grant attackers persistent remote access. 

Once access is established, the attackers perform reconnaissance, harvest credentials using utilities like WebBrowserPassView, and deepen their control over the network.

In some cases, threat actors hijack email threads to insert malicious URLs or directly target large logistics companies through spoofed emails. 

Clicking these links installs RMM software, giving attackers the same administrative privileges as a trusted IT professional. 

Because RMM tools are commonly used for legitimate purposes, they often bypass antivirus detection and fail to raise immediate suspicion.

Organized Crime Connection

Proofpoint assesses with high confidence that these operations are linked to organized crime groups. 

The cybercriminals use their technical access to facilitate thefts of physical goods — ranging from consumer electronics to beverages — by impersonating legitimate carriers. 

Once they gain control of an account, they can manipulate shipments, delete records, and reroute deliveries without the victim’s awareness.

A case described on Reddit illustrates this perfectly: attackers compromised a carrier’s system, deleted legitimate bookings, and inserted themselves into dispatcher communications. 

They then arranged and executed the theft of goods, leaving the legitimate carrier unaware until long after the cargo disappeared.

While most observed activity has targeted North American companies, Proofpoint warns that global cargo theft hotspots include the U.S., Brazil, Mexico, India, Germany, and South Africa. 

The most frequently stolen goods are food and beverages — easy to sell and hard to trace.

Timeline

The campaigns have been active since at least June 2025, though some evidence traces back to early 2025. 

Each campaign varies in scale — some sending a handful of phishing emails, others exceeding a thousand messages. 

The attackers rely on three core delivery tactics:

  1. Compromising load boards to post fake shipments.
  2. Hijacking existing email threads to add malicious links.
  3. Launching direct email campaigns targeting carriers and brokers.

This activity aligns with a broader shift in the cybercrime landscape, where RMM tools have become a preferred first-stage payload. 

Because these applications are trusted and signed by legitimate vendors, attackers can “fly under the radar” longer than they could with traditional malware.

Protecting the Supply Chain

Security professionals recommend that logistics and transportation companies implement stronger access controls and security awareness programs. 

A few best practices for this include:

  • Restrict RMM installations to only those approved by IT administrators.
  • Deploy network monitoring to detect connections to known RMM servers.
  • Avoid downloading executables (.exe or .msi files) from unsolicited emails.
  • Provide user training to recognize social engineering attempts.
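
As an added illustration (not code from Proofpoint or the article), the first recommendation can be checked against endpoint telemetry: the sketch below flags installs of the RMM products named above that are not on an IT allowlist, and raises severity when the same host runs WebBrowserPassView afterwards. The event schema, host names, sample records and the 24-hour window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# RMM products named in the article; patterns match on product name only.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screen\s*connect", re.I),
    "SimpleHelp": re.compile(r"simple\s*help", re.I),
    "PDQ Connect": re.compile(r"pdq[\s_-]*connect", re.I),
    "LogMeIn Resolve": re.compile(r"logmein\s*resolve", re.I),
}
CRED_TOOL = re.compile(r"webbrowserpassview", re.I)
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events (hypothetical schema: time, host, kind, name, source).
EVENTS = [
    ("2025-11-03T09:12:00", "DISPATCH-01", "install", "ScreenConnect Client (a1b2c3)", "email-link"),
    ("2025-11-03T09:40:00", "DISPATCH-01", "process", r"C:\Users\amy\Downloads\WebBrowserPassView.exe", "user"),
    ("2025-11-03T10:05:00", "IT-ADMIN-02", "install", "PDQ Connect Agent", "it-deploy"),
    ("2025-11-03T11:30:00", "BROKER-07", "install", "SimpleHelp Remote Access", "email-link"),
]

def rmm_product(name):
    """Return the article's product label if the name looks like a known RMM tool."""
    for product, pat in RMM_PATTERNS.items():
        if pat.search(name):
            return product
    return None

def audit(events, approved):
    """approved: set of (host, product) pairs sanctioned by IT."""
    findings = []
    for ts, host, kind, name, source in events:
        product = rmm_product(name) if kind == "install" else None
        if product is None or (host, product) in approved:
            continue
        t0 = datetime.fromisoformat(ts)
        # Escalate if the credential-harvesting utility runs on this host soon after.
        followed = any(
            h == host and k == "process" and CRED_TOOL.search(n)
            and timedelta(0) <= datetime.fromisoformat(t) - t0 <= WINDOW
            for t, h, k, n, _ in events
        )
        findings.append({"host": host, "product": product, "source": source,
                         "severity": "critical" if followed else "high"})
    return findings

if __name__ == "__main__":
    for f in audit(EVENTS, approved={("IT-ADMIN-02", "PDQ Connect")}):
        print(f)
```

Matching on product names alone is coarse; in production the allowlist would also pin the expected publisher signature and the server the agent reports to.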

Organizations should also reference the National Motor Freight Traffic Association’s Cargo Crime Reduction Framework, which offers guidance on detection, prevention, and incident response for cargo theft.

Cargo theft has evolved from physical hijackings to digital infiltration, blending traditional organized crime with modern cyber tactics. 

As the transportation industry continues to digitize, cybercriminals are finding ways to turn remote access into real-world profit.

The rise of RMM-based attacks against logistics companies serves as a reminder that even legitimate tools can become weapons in the wrong hands.  


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
