Supply Chain Risk Intelligence After the Cargo-Theft Surge

In 2025, cargo theft losses across the United States and Canada hit nearly $725 million. That is a 60 percent jump from the year before.

The number that should bother you is a different one. The volume of incidents barely moved. Verisk CargoNet logged 3,594 supply-chain crime events in 2025, against 3,607 in 2024. Roughly the same number of thefts. Roughly $270 million more stolen.

So the losses did not climb because more freight got hit. They climbed because the people hitting it got better at picking what to take and how to take it. The average theft rose 36 percent to $273,990, because criminals stopped grabbing whatever fell off the back of a truck and started selecting high-value loads on purpose.

Here is the part most coverage skips. The reason they can select is that they are no longer breaking in. They are logging in.

The cargo-theft surge is an identity story, not a trucking story

Strategic cargo theft used to require a team near the freight. Someone had to be where the trailer was, cut the lock, and drive it off. That model has a ceiling. You can only be in so many places, and you have to physically show up, which is also how you get caught.

The model that drove the 2025 numbers does not need a team near the freight. It needs a working login and a believable identity.

The FBI's Internet Crime Complaint Center spelled out the mechanism in its April 30 public service announcement. Since at least 2024, threat actors have been getting into the systems of freight brokers and carriers through spoofed emails, fake URLs, and compromised carrier accounts. Once inside, they pose as the legitimate company. They post fraudulent listings on load boards, the digital marketplaces where shippers, brokers, and carriers match freight to trucks. They bid on real shipments using hijacked identities. Then they reroute the goods and resell them.

That is not a trucking crime with a computer attached. It is an identity crime with a truck attached.

We have made a version of this argument before, on the enterprise side, in vendor risk assessment is not supply-chain intelligence. The software supply chain and the physical one are now failing the same way. The attacker does not defeat your controls. The attacker becomes someone your controls already trust.

How the load board became an attack surface

Walk through the scheme the way the Bureau described it, because the sequence is the point.

It starts with access. A phishing link installs a remote access tool on a broker's or carrier's machine, and now the criminal has quiet control of a real logistics account. From there they do two things at once. They flood load boards with fraudulent listings, and they bid on legitimate freight using the hijacked identity of a carrier that looks completely clean.

When they win a load, they double-broker it, handing it down to an unsuspecting driver who thinks he is hauling for a real company. Along the way they alter the documents that everyone downstream trusts: bills of lading, delivery destinations. To buy time, they change the carrier's contact and insurance details with regulators, so that when the shipment goes missing, the trail points at a record that has already been edited.

The goods get rerouted, cross-docked, or transloaded to a complicit driver, and resold. In some cases the actors then demand a ransom to say where the freight is.

Notice what is doing the work in that whole chain. Not lock-cutting. Not brute force. Trust. Every step depends on a counterparty looking legitimate at the moment a decision gets made.

The part nobody screens for: a clean file is now a weapon

CargoNet flagged something in its outlook that should change how security teams think about onboarding. Many of the more complex theft schemes rely on acquiring existing motor carriers that already have strong load histories.

Sit with that. The criminal does not forge a fake carrier and hope it passes. The criminal buys a real one, with a real authority, a real safety record, and a real history of completed loads. The file is clean because the file is genuine. The fraud is who is sitting behind it now.

The thief did not pick the lock. He bought the keys from someone who was allowed to have them, and the dock crew helped him load the truck.

This is the same failure we wrote about in when public records search is not enough on its own. A record tells you what an entity says it is. It does not tell you who controls it today, whether the controlling interest changed last quarter, or whether the operation matches the paperwork in any way that survives a phone call. A carrier with a spotless DOT record and a recently transferred ownership stake is exactly the kind of thing that passes automated screening and fails a real investigation.

Catching it is investigative work, not software work. It is beneficial-ownership tracing, corporate-registry analysis, and OSINT applied to the people and entities behind a relationship, not just the relationship's documents. It is the same discipline that makes public records search support

intelligence-led investigations instead of just confirming what someone already told you. The record is where you start. It is not where you stop.

Why monitoring software sees the theft and misses the setup

The executives responsible for this already know the surface of the problem. They mostly do not know the shape of it.

The World Economic Forum's Global Cybersecurity Outlook 2026 found that 65 percent of large companies now rank third-party and supply-chain vulnerabilities as their greatest cyber challenge, up from 54 percent a year earlier. That is awareness. Here is the gap underneath it: only 33 percent of organizations comprehensively map their supply-chain ecosystems, and only 27 percent run incident exercises with their partners. The WEF said it plainly. Supply-chain risk is still treated too often as a compliance checklist rather than a dynamic, continuous process.

The breach data tells the same story from the other end. Verizon's 2026 Data Breach Investigations Report found that third-party involvement now shows up in 48 percent of breaches, up roughly 60 percent year over year, and that vulnerability exploitation has become the single most common way in, at 31 percent. Nearly half of breaches now run through someone you do not directly control.

Monitoring software is good at the part that has already happened. It pings you when a threshold gets crossed, a credential leaks, a domain looks off. That is useful and you should have it. But it is reading the symptom. It tells you the broker account is behaving strangely now. It does not tell you that the carrier you onboarded eight months ago quietly changed hands, or that the entity bidding on your high-value lane is a shell with a borrowed history.

That is the line between monitoring and intelligence, and we have drawn it before in what early warning systems actually detect. Monitoring is the alarm. Intelligence is knowing, before the alarm, which doors are worth watching and which counterparties were never what they claimed.

Five signs a carrier, broker, or vendor relationship needs investigation now

None of these is proof of anything on its own. Together, or moving in the wrong direction, they are reasons to stop and look harder before the next load, payment, or onboarding goes through.

Ownership or control changed recently, and quietly. A carrier or vendor with a long clean history that transferred ownership in the last year or two deserves a fresh look at who is actually behind it now, not just the record the prior owner built.
The paperwork is immaculate but the operation is hard to verify. Perfect documents and a thin, hard-to-confirm physical footprint is a pattern. Real operations leave real traces. Investigate when the file is cleaner than the company.
Contact, banking, or insurance details changed mid-relationship. A request to update payment routing, a new dispatch email, a switched insurance contact. Each is a routine business event and each is also a classic step in an impersonation, which is why it gets verified out of band, not over the same channel that asked.
Communication moved off the channel you established. Pressure to move the conversation or the transaction onto a new email, a new portal, or a new phone number is worth treating as a signal, not a convenience.
The counterparty is bidding on, or routing, your highest-value freight specifically. Strategic theft is selective by definition. Disproportionate interest in your most valuable lanes is the behavior the loss numbers are built on.

What to ask before the next routing, payment, or onboarding decision

The useful question is not "did this vendor pass screening." It is "do we actually know who we are dealing with, right now, on this load."

Who controls this entity today, and has that changed since we onboarded them. Does the operation we can independently verify match the operation on file. Did any contact, payment, or routing detail change recently, and did we confirm it through a channel the counterparty did not choose. Are we looking at this relationship the way an adversary would, or only the way an auditor would.

If those answers come from a questionnaire and a dashboard, you have documentation. If they come from someone who investigated, you have intelligence. The cargo numbers are what it costs to keep confusing the two.

The freight did not get easier to steal. The trust did.

Frequently asked questions

What is supply chain risk intelligence?

Supply chain risk intelligence is the investigative work of verifying who actually sits behind the vendors, carriers, brokers, and counterparties in a supply chain, and whether those relationships are trustworthy right now. It goes past static screening and continuous monitoring to examine ownership, control, identity, and behavior, so an organization can catch a compromised or impersonated counterparty before a loss instead of after one.

Why did cargo theft losses rise 60 percent in 2025 if the number of incidents stayed flat?

Losses rose because criminals became more selective, not more numerous. According to Verisk CargoNet, total supply-chain crime events were essentially unchanged in 2025 (3,594 versus 3,607), while estimated losses reached nearly $725 million and the average value per theft rose 36 percent to $273,990. Thieves targeted high-value shipments deliberately, often using cyber-enabled impersonation rather than physical break-ins.

What is cyber-enabled strategic cargo theft?

Cyber-enabled strategic cargo theft is the use of hacking and impersonation to steal freight. Per the FBI's April 2026 advisory, actors compromise broker and carrier accounts through spoofed emails and fake links, post fraudulent listings on load boards, bid on real shipments using hijacked carrier identities, alter shipping documents, and reroute goods for resale. The theft is set up through identity and access, then completed physically.

How is supply chain risk intelligence different from vendor risk assessment?

A vendor risk assessment evaluates whether a supplier can produce documentation of controls at a point in time. Supply chain risk intelligence evaluates whether that supplier or carrier is who it claims to be and whether anything has changed since onboarding. One is a backward-looking compliance artifact. The other is current, investigative, and focused on the integrity of the relationship itself.

Can monitoring software prevent this kind of theft?

Monitoring software helps but does not close the gap. It detects anomalies once they appear, such as an unusual login or a leaked credential. It does not establish who controls a carrier today, whether ownership changed quietly, or whether a clean record was acquired by a criminal operation. Those questions require investigation, including beneficial-ownership tracing, corporate-registry analysis, and OSINT.