IT Brief US - Technology news for CIOs & IT decision-makers

Cybercriminals exploit remote tools to steal global cargo worth USD $34 billion

Wed, 5th Nov 2025

Proofpoint researchers have identified cybercriminal activity targeting trucking and logistics companies, using legitimate remote monitoring tools to steal cargo freight and physical goods.

The research details how criminal groups are adapting to the digitisation of global supply chains, with cyber-enabled theft now driving a shift in traditional cargo theft methods. Organised crime groups, according to Proofpoint's assessment, are working with threat actors who compromise carriers and freight brokers in order to bid on, hijack, and ultimately steal valuable freight.

Criminal methods evolving

The study describes how digital transformation in logistics has expanded the avenues for criminals to exploit. Cyber-enabled thefts have become increasingly common, with social engineering and industry knowledge allowing attackers to take advantage of new vulnerabilities.

"...the digitization of domestic and international supply chains has created new vulnerabilities and thus opportunities for [Organized Theft Groups] to exploit gaps using sophisticated and ever-evolving cyber capabilities. These groups can steal freight remotely by exploiting the technology that has been embedded into supply chains to move cargo more efficiently."

According to data cited from the National Insurance Crime Bureau, annual losses from cargo theft total USD $34 billion. Although the observed Proofpoint campaigns focus on operations in North America, cargo theft is widespread globally, with hotspot countries including Brazil, Mexico, India, the US, Germany, Chile, and South Africa. Commonly targeted goods range from food and beverages to electronics and energy drinks.

Attack techniques identified

Proofpoint researchers have tracked a distinct cluster of cybercriminal activity active since at least June 2025, with evidence suggesting campaigns started as early as January. Attackers typically gain access to logistics companies by distributing remote monitoring and management (RMM) tools or remote access software such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. These tools are legitimate IT solutions often used for network administration but, when installed by unauthorised actors, enable full access to compromised systems.

Once access is established, attackers conduct system reconnaissance and deploy credential-harvesting tools, aiming to deepen their reach within target environments. Previous campaign data from 2024 and early 2025 indicate related activity involving malware including DanaBot, NetSupport, Lumma Stealer, and StealC, with similar operational methods across these campaigns.

The use of RMM tools by threat actors allows for stealthier operations, as these applications are usually trusted and can evade detection by endpoint protection. Proofpoint researchers noted that "using RMM tools can enable threat actors to fly further under the radar. Threat actors can create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans. Additionally, such tooling may evade anti-virus or network detections because the installers are often signed, legitimate payloads distributed maliciously."

Email-based delivery

Campaign tactics frequently involve compromising load boards, the online marketplaces where logistics companies book freight. Fraudsters post fake loads with compromised accounts and contact legitimate carriers, usually via email, for shipping offers. These emails contain links to downloads for infected executables or installers, which deliver RMM tools.

Email thread hijacking is another tactic. Attackers insert malicious links into ongoing business conversations using compromised email credentials, increasing the likelihood of successful compromise. Additionally, direct targeting via mass email campaigns enables threat actors to cast a wide net, potentially affecting both small businesses and major logistics firms.

Proofpoint notes that these threat actors are considered opportunistic rather than selective, targeting any carrier that responds to fraudulent postings. Public forums have documented incidents matching this modus operandi, with one user describing a breach in which attackers deleted existing bookings, blocked dispatcher notifications, and assumed control of dispatch communications to facilitate cargo theft.

Industry impact and recommendations

Cargo theft has increased markedly, with the National Insurance Crime Bureau reporting a 27 percent rise in 2024 and forecasting a further 22 percent increase in 2025. Proofpoint has observed almost two dozen email campaigns since August 2025 targeting the transportation sector with malware-laden messages.

To mitigate risks, Proofpoint recommends organisations restrict unauthorised downloads of RMM tools, implement network monitoring capable of detecting suspicious remote connections, and train staff to recognise and report unusual activity. The National Motor Freight Traffic Association Cargo Crime Reduction Framework is also recommended as a resource.
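As an illustration of the first two recommendations, the following added example (not code from Proofpoint or the article) triages process-creation events for the RMM tools named above, flagging any tool outside an approved list and raising severity when the binary runs from a user-writable folder or is launched by a mail client or browser. The event field names, the approved list, the match patterns and every sample event are assumptions constructed for the example.

```python
import re

# RMM / remote access products named in the article; patterns are illustrative.
RMM_PATTERNS = {
    "ScreenConnect": r"screenconnect",
    "SimpleHelp": r"simplehelp",
    "PDQ Connect": r"pdq[ _-]?connect",
    "Fleetdeck": r"fleetdeck",
    "N-able": r"\bn-able\b",
    "LogMeIn Resolve": r"logmein[ _-]?resolve",
}
APPROVED = {"PDQ Connect"}  # assumption: the only tool this org's IT team deploys
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp|desktop)\\", re.I)
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events (hosts, paths and product strings are made up).
EVENTS = [
    {"host": "DISPATCH-01", "image": r"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "product": "ScreenConnect"},
    {"host": "IT-ADMIN-02", "image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe",
     "parent": r"C:\Windows\System32\services.exe", "product": "PDQ Connect Agent"},
    {"host": "DISPATCH-02", "image": r"C:\Users\mlee\AppData\Local\Temp\Rate_Confirmation.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "product": "SimpleHelp Remote Access"},
    {"host": "DISPATCH-03", "image": r"C:\Program Files\Fleetdeck Agent\fleetdeck_agent.exe",
     "parent": r"C:\Windows\System32\services.exe", "product": "Fleetdeck Agent"},
    {"host": "DISPATCH-01", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "product": "Microsoft Windows Operating System"},
]

def identify_rmm(event):
    """Match on path and product metadata so a renamed installer is still caught."""
    haystack = f"{event['image']} {event.get('product', '')}".lower()
    for tool, pattern in RMM_PATTERNS.items():
        if re.search(pattern, haystack):
            return tool
    return None

def triage(events, approved=APPROVED):
    findings = []
    for ev in events:
        tool = identify_rmm(ev)
        if tool is None:
            continue
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        user_delivered = (bool(USER_WRITABLE.search(ev["image"]))
                          or parent in DELIVERY_PARENTS)
        if tool in approved and not user_delivered:
            continue  # sanctioned tool, installed the sanctioned way
        findings.append((ev["host"], tool, "high" if user_delivered else "medium"))
    return findings
```

Calling `triage(EVENTS)` returns one `(host, tool, severity)` tuple per event that needs review; the renamed `Rate_Confirmation.exe` sample is caught only because the product metadata is checked alongside the file path.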
