Proofpoint researchers have uncovered a sophisticated cyber-enabled cargo theft operation in which threat actors infiltrate trucking and logistics companies, use remote monitoring tools, and exploit industry-specific platforms to hijack freight shipments. The report reveals how criminals are combining social engineering and cyber intrusion to steal physical goods worth millions of dollars from U.S. and global supply chains.
“Cybercriminals are compromising trucking and freight companies in elaborate attack chains to steal cargo freight,” Proofpoint wrote. “Cargo theft is a multi-million-dollar criminal enterprise, and digital transformation has led to an increase in cyber-enabled theft.”
Cargo theft has long been a problem in global trade, but Proofpoint highlights how modern logistics digitization—from online freight platforms to automated dispatch systems—has created new entry points for attackers.
The researchers estimate that cargo theft leads to $34 billion in annual losses, citing the National Insurance Crime Bureau (NICB). Criminal groups now blend traditional theft methods with cyber tactics, creating a new era of “digital hijacking.”
Proofpoint’s analysts assess with high confidence that the threat actors are working with organized crime groups, targeting trucking carriers and freight brokers to gain access to shipment information. Once inside, they bid on legitimate cargo, arrange its pickup, and then divert or sell it illicitly—often through online marketplaces or international shipping routes.

The attack chains documented by Proofpoint begin with email-based intrusions that deliver Remote Monitoring and Management (RMM) tools—legitimate IT utilities repurposed for malicious use.
“The threat actors typically deliver remote monitoring and management (RMM) tools, aligning with the broader trend of cybercriminals adopting these as a first-stage payload across the threat landscape,” the report stated.
Since at least June 2025, Proofpoint has tracked campaigns delivering RMM or remote access software such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. These tools allow attackers to monitor networks, harvest credentials, and gain full administrative control over compromised systems.
“Once initial access is established, the threat actor conducts system and network reconnaissance and deploys credential harvesting tools such as WebBrowserPassView,” Proofpoint explained. “This activity indicates a broader effort to compromise accounts and deepen access within targeted environments.”
Because RMM tools are widely used by legitimate IT teams, attackers using them often fly under the radar, avoiding antivirus and network-based detections.
Proofpoint identified three primary tactics used by these actors to distribute RMM payloads and compromise logistics networks:
1. Compromised Load Boards
The attackers hijack or create fake accounts on freight load boards—marketplaces where transport companies book loads. They post fraudulent freight listings, then send malicious URLs to carriers who inquire. Clicking these links downloads an RMM payload disguised as a carrier–broker agreement or shipping document.
2. Email Thread Hijacking
Using stolen credentials, threat actors inject malicious links into existing business conversations between freight brokers and carriers.
“Using compromised email accounts, the threat actors inject malicious content and URLs into existing conversations,” Proofpoint reported.
3. Direct Targeting of Large Entities
Attackers send phishing emails directly to large freight brokers and carriers, impersonating partners or logistics coordinators. These emails contain URLs or MSI installers that execute malicious RMM software upon opening.
In some campaigns, attackers went further—creating fake transportation-themed domains to enhance believability. Domains such as nextgen1[.]net/carrier.broker.agreement[.]html were used to deliver ScreenConnect payloads.
“The actor posts fraudulent freight listings using compromised accounts on load boards and then sends emails containing malicious URLs to carriers who inquire about the loads,” the report added.
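All three delivery tactics end the same way on the endpoint: an RMM client (disguised as an agreement or shipping document) or an MSI installer runs under a dispatcher's account, often with a mail client or browser as its parent, and is later followed by a credential-harvesting utility such as WebBrowserPassView. The following Python is an added illustration, not code from Proofpoint or from the article, of how a defender can triage process-creation telemetry for exactly that pattern. It parses constructed key=value records modelled loosely on Sysmon process-creation fields (the log lines, the `example.invalid` URL, the directory allowlist in `APPROVED_RMM`, and the marker strings are all assumptions for this example) and flags RMM binaries that run outside the IT team's approved install root, installers pulled straight from a URL, and known credential-dumping tools.

```python
"""Triage process-creation records for unexpected RMM and credential tools.

Added example (not the report's tooling). Log lines and tool inventory below
are constructed for illustration.
"""
import re
from typing import Iterable, List, Optional

# Tools named in the Proofpoint report, matched case-insensitively against the
# image path and the binary's product metadata (assumed marker strings).
RMM_MARKERS = ("screenconnect", "simplehelp", "pdq connect", "pdqconnect",
               "fleetdeck", "n-able", "logmein")
CRED_TOOL_MARKERS = ("webbrowserpassview",)

# RMM products your own IT team deploys and the directory they run from.
# Assumed values: replace with your real software inventory.
APPROVED_RMM = {"screenconnect": r"c:\program files (x86)\screenconnect client"}

USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.I)
MAIL_OR_BROWSER = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
URL_IN_CMDLINE = re.compile(r"https?://", re.I)

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"


def parse_event(line: str) -> dict:
    """Parse one key=value process-creation record into a dict (keys lowercased)."""
    return {k.lower(): (q if q else u) for k, q, u in _KV.findall(line)}


def _matches(text: str, markers: Iterable[str]) -> Optional[str]:
    low = text.lower()
    return next((m for m in markers if m in low), None)


def assess(event: dict) -> Optional[str]:
    """Return a finding string for a suspicious event, or None if it looks benign."""
    image = event.get("image", "")
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "")
    identity = f"{image} {event.get('product', '')}"

    # 1. Credential-harvesting utility: always worth an analyst's attention.
    if _matches(identity, CRED_TOOL_MARKERS):
        return f"credential-harvesting tool executed: {image}"

    # 2. RMM client: fine only if it is an approved product in its approved path.
    tool = _matches(identity, RMM_MARKERS)
    if tool:
        approved_root = APPROVED_RMM.get(tool)
        if approved_root and image.lower().startswith(approved_root):
            return None
        reasons = []
        if USER_WRITABLE.search(image):
            reasons.append("user-writable path")
        if parent in MAIL_OR_BROWSER:
            reasons.append(f"spawned by {parent}")
        if not approved_root:
            reasons.append("not in RMM inventory")
        if not reasons:
            reasons.append("outside approved install path")
        return f"unexpected RMM ({tool}) {image}: " + ", ".join(reasons)

    # 3. msiexec fetching an installer directly from a URL (emailed MSI lures).
    if image.lower().endswith("msiexec.exe") and URL_IN_CMDLINE.search(cmdline):
        return f"msiexec installing from URL, parent {parent}: {cmdline}"
    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Run assess() over every non-empty record and collect the findings in order."""
    return [f for f in (assess(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample telemetry: one legitimate IT-deployed client, then a
# dispatcher's session showing the chain the report describes.
SAMPLE_LOG = r'''
ts=2025-07-02T09:12:40Z user=CORP\itadmin parent=services.exe image="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe" product="ScreenConnect"
ts=2025-07-02T14:03:11Z user=CORP\dispatcher1 parent=outlook.exe image="C:\Users\dispatcher1\Downloads\carrier.broker.agreement.exe" product="ScreenConnect"
ts=2025-07-02T14:05:52Z user=CORP\dispatcher1 parent=msedge.exe image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /i https://example.invalid/rate.confirmation.msi /qn"
ts=2025-07-02T14:31:07Z user=CORP\dispatcher1 parent=ScreenConnect.ClientService.exe image="C:\Users\dispatcher1\AppData\Local\Temp\WebBrowserPassView.exe"
ts=2025-07-02T14:40:00Z user=CORP\dispatcher1 parent=explorer.exe image="C:\Program Files\Google\Chrome\Application\chrome.exe" product="Google Chrome"
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The point of the inventory check is the one the article makes about RMM tools blending in: the same ScreenConnect product is benign when the IT team installed it under Program Files and suspicious when Outlook spawns it from a Downloads folder under a dispatcher's account. In production the product and company strings would come from the EDR's binary metadata rather than a log field, and the allowlist should be fed from your actual software inventory rather than hard-coded.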
Once attackers gain remote access, they exploit insider visibility to intercept and reroute valuable shipments. Proofpoint detailed one case, corroborated by a Reddit post from a victim, describing how an attacker booked real loads under a compromised carrier’s name after taking over its dispatch system.
“The attacker compromised the company via RMM delivery, deleted existing bookings and blocked dispatcher notifications, added their own device to the dispatcher’s phone extension, booked loads under the compromised carrier’s name, and coordinated the transport,” Proofpoint wrote.
These operations blend social engineering, technical compromise, and fraudulent logistics transactions, creating a hybrid crime model that straddles both cyber and physical domains.
While the campaigns Proofpoint studied were focused primarily in North America, the researchers warned that cargo theft is a global problem. Hotspots include Brazil, Mexico, India, Germany, Chile, and South Africa, where food, beverages, and electronics are the most frequently stolen commodities.