A cluster of cybercriminal activity linked to organized crime has been observed in North America conducting cyber-enabled cargo theft by targeting trucking and logistics companies and infecting them with remote monitoring and management (RMM) tools for financial gain.

In a Nov. 3 blog post, Proofpoint researchers said that, based on observing more than two dozen such campaigns since August 2025, truckers are sent to pick up the physical loads after the broker or carrier has been compromised by threat actors via the RMM tools. The products named in the Proofpoint blog include ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve.

“Based on our research, there are a few ways that [these cargo theft activities] happen,” explained Ole Villadsen, staff threat researcher at Proofpoint. “The cybercriminals successfully compromise the ship and impersonate the broker or carrier company, so it looks like they’re legitimately taking ownership of loads with the true intent of delivering them to a location likely controlled by criminals, all unbeknownst to the shipper or hacked company.”

Villadsen explained that the actual truckers picking up the loads may be working directly with the criminals, but it’s also plausible the threat actors are using "double-brokering," in which the loads are resold once again to a legitimate trucking company that doesn't even know it is involved in cargo theft and thinks it is transporting goods legitimately.

“In all cases, these operations require people to be physically present to get their hands on the goods, and the goods will be delivered to a location or warehouse controlled by the criminals,” said Villadsen.
“We have also observed other types of cyber-enabled physical goods theft in which thieves will get goods shipped or delivered to warehouses or locations owned by mules to take delivery of the stolen goods and then resell them or further ship them overseas.”

According to the National Insurance Crime Bureau, cargo theft leads to $34 billion in losses annually. The NICB reported that cargo theft losses increased 27% in 2024, and losses are expected to increase another 22% in 2025. NICB confirmed that cargo theft is a profitable criminal enterprise, and based on Proofpoint’s data, cybercriminals are increasingly targeting surface transportation organizations to steal real, physical goods.

Damon Small, board member at Xcape, Inc., said this emerging trend, dubbed a "cyber-physical hack," exploits vulnerabilities in the digital infrastructure of the logistics supply chain. The attackers aim to manipulate digital records, said Small, not control the ships themselves, so they can intercept cargo before it's picked up or delivered. Small said these recent activities mirror the 2012 Antwerp Port hack, in which criminals used digital access to steal containers.

“The threat is widespread, affecting the entire logistics ecosystem, and isn't limited to specific operating systems despite suggestions to the contrary as reported by 9to5Mac,” said Small. “The primary targets are vulnerable trucking firms, brokers, and port systems.”

Randolph Barr, chief information security officer at Cequence Security, added that what we used to think of as only a physical crime has now become a complex mix of internet access and physical execution. It's not enough to just stop a truck or container from getting stolen today; the theft frequently starts with an API query, explained Barr.

“As logistics operations get more modern, so do enemies, who are now going after the digital infrastructure that supports the global supply chain,” said Barr.
“APIs are at the heart of that infrastructure.”

Barr said APIs are now the main tools that modern logistics use to get work done. APIs let logistics companies arrange and bid on shipments between brokers and carriers, keep track of where cargo is and what it's doing in real time, and make sure that drivers and vehicles are who they say they are at ports, warehouses, and fulfillment centers. Barr said APIs also let merchants and distribution networks keep their inventories in sync, manage customs operations, and send electronic proof-of-delivery after a shipment is complete.

“Attackers don't need to break into a warehouse anymore to steal anything because of this strong connectivity,” said Barr. “Instead, they steal passwords, use exposed API endpoints, or get in through phishing and other online methods. They exploit such access to abuse the system's logic by pretending to be trusted carriers, changing delivery routes, scraping real-time product availability, or changing destination and delivery data. The planning, targeting, and execution are all becoming more digital, yet the theft is real.”
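The RMM products named above are legitimate administration tools, so the detection opportunity for a broker or carrier is an RMM binary that is not the sanctioned one, or one that is spawned by a mail client or browser rather than by a service. The following is an added example, not code from Proofpoint or SC Media: it scans constructed process-creation telemetry for those two conditions. The single approved product, the parent-process list, the log format and the host, user and path values are all assumptions for illustration, and the keywords match product names rather than asserting exact binary names.

```python
from collections import namedtuple

# RMM products named in the Proofpoint research, matched as substrings of the
# process image path; exact binary names vary by version and are not asserted here.
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pdq": "PDQ Connect",
    "fleetdeck": "Fleetdeck",
    "n-able": "N-able",
    "logmein": "LogMeIn Resolve",
}
# Assumptions: the organisation sanctions exactly one RMM product, and an RMM
# binary spawned by a mail client or browser is the phishing-delivery pattern.
APPROVED_RMM = {"N-able"}
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "chrome.exe", "msedge.exe"}

Finding = namedtuple("Finding", "host product severity reason")

def parse_line(line):
    """Constructed format: timestamp|host|user|image_path|parent_image_path."""
    ts, host, user, image, parent = line.strip().split("|")
    return {"ts": ts, "host": host, "user": user, "image": image, "parent": parent}

def classify(event):
    """Return a Finding for an RMM launch that needs review, else None."""
    image = event["image"].lower()
    product = next((name for key, name in RMM_KEYWORDS.items() if key in image), None)
    if product is None:
        return None
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if parent in USER_FACING_PARENTS:
        # Even the sanctioned product is suspicious when it arrives via mail or a browser.
        return Finding(event["host"], product, "high", f"launched from {parent}")
    if product in APPROVED_RMM:
        return None
    return Finding(event["host"], product, "medium", "unapproved RMM product")

def scan(lines):
    """Run every non-empty telemetry line through classify() and keep the hits."""
    return [f for f in (classify(parse_line(l)) for l in lines if l.strip()) if f]

# Constructed sample telemetry; hostnames, users and paths are illustrative only.
SAMPLE_LOG = """\
2025-09-02T14:01:11Z|BRK-DISPATCH-07|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.Client.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
2025-09-02T14:05:40Z|BRK-DISPATCH-07|jdoe|C:\\Program Files (x86)\\N-able\\agent.exe|C:\\Windows\\System32\\services.exe
2025-09-02T14:09:03Z|CARRIER-OPS-02|msmith|C:\\Users\\msmith\\Downloads\\fleetdeck_agent.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2025-09-02T14:12:55Z|CARRIER-OPS-02|msmith|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe
"""
```

Running `scan(SAMPLE_LOG.splitlines())` yields two high-severity findings (the ScreenConnect client launched from Outlook and the Fleetdeck agent launched from Chrome) and ignores the service-launched sanctioned agent and notepad.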
Cyber-enabled cargo theft targeting North American ports
