A new cargo-theft tactic reportedly places criminal operatives inside legitimate trucking companies as drivers, allowing theft to occur after normal carrier vetting has already been passed. The development suggests freight-security controls need to move beyond carrier onboarding toward driver authentication, dispatch integrity, stop monitoring, and tighter pickup procedures.

  • The reported Trojan Driver scam differs from fake-carrier fraud because the carrier itself may be legitimate while the driver layer is compromised.
  • FMCSA identity and business verification improvements help with entity-level fraud but do not eliminate driver-authentication and custody-transfer risks.
  • CargoNet says estimated 2025 supply-chain crime losses reached nearly $725 million, showing how costly strategic theft has become.
  • High-value and easy-to-resell freight remains most exposed, but industrial components and downtime-critical shipments can also be attractive targets.
  • The most practical response is stronger pickup authentication, tighter controls on driver changes, and faster escalation of unexplained stops or route deviations.

A newly reported cargo-theft tactic is forcing transportation teams to rethink a basic assumption in freight security: that a load is relatively safe once it is awarded to a legitimate, vetted motor carrier. Trade reporting on April 23-24, 2026 described what some security specialists are calling a “Trojan Driver” or “Trojan horse” scam, in which organized theft crews place a driver inside a real trucking company and then use that access to steal freight during what looks like a normal move. That matters because it shifts the weak point from carrier onboarding to the driver, dispatch, pickup, and in-transit custody layers.

What changed this week

The clearest recent public description came from FleetOwner on April 23, which cited Scott Cornell, chief risk officer at Anova + LogistIQ and chair of TAPA Americas. Cornell said criminals, instead of trying to pass carrier-vetting platforms themselves, “send one of their crew members to go work as a driver at a legitimate trucking company.” In that scenario, the motor carrier is real, licensed, and insurable, so the company passes normal onboarding checks even though the assigned driver may be the real exposure.

That is a materially different problem from the identity-spoofing and fake-carrier schemes that dominated freight-fraud discussions in 2024 and 2025. The FBI’s cargo-theft guidance still defines strategic cargo theft primarily as the use of fraud and deception to trick shippers, brokers, and carriers into handing freight to criminals, including identity theft, fictitious pickups, account takeovers, double brokering, and fraudulent carriers. But the Trojan Driver pattern sits one layer deeper: the carrier can be genuine while the theft is enabled from inside the operating chain.

How the Trojan Driver method reportedly works

Public reporting remains limited, and CAP could not independently confirm a formal TAPA bulletin laying out the full six-step model referenced in some trade coverage. But the operating pattern described by Cornell and other industry sources is broadly consistent:

  1. A criminal operative gets hired or placed as a driver at a legitimate carrier.
  2. The carrier receives freight through ordinary commercial channels.
  3. The load moves under real dispatch and real authority.
  4. The driver identifies a target load worth diverting.
  5. The theft occurs during a routine or explainable stop, handoff, or unattended window.
  6. The event can initially appear to be a conventional theft or driver noncompliance case rather than an infiltrated operation.

FleetOwner reported that in some cases the driver simply parks during the route, abandons the equipment, and allows accomplices to remove the cargo. Cornell said one reason the pattern can be hard to identify is that the carrier may treat the incident as a straightforward theft and fire the driver, allowing the operative to seek work elsewhere before links to prior incidents are recognized.

That nuance matters operationally. A shipper or broker may have verified the carrier’s authority, insurance, and safety profile, yet still have weak controls over the actual person arriving to pick up the load, any substitution of that driver, and any change in custody once the freight is moving.

Why standard vetting may no longer be enough

The freight market has spent the past two years tightening controls around carrier identity. The FMCSA says it began incorporating identity verification into the Unified Registration System in April 2025, and the agency’s registration modernization FAQs say all existing registrants will have to complete identity and business verification before transacting in the new Motus registration system as it fully launches in 2026.

Those are important steps, but they are aimed mainly at entity-level fraud: fake companies, stolen identities, sham registrations, and unauthorized account access. The FMCSA’s own fraud alert focuses on broker and carrier identity theft, such as unauthorized use of a legitimate company’s USDOT number. The Trojan Driver scenario exposes a different gap. A clean FMCSA profile does not authenticate the specific driver at the dock, the legitimacy of a last-minute swap, or whether dispatch and route control remain intact after pickup.

In other words, carrier onboarding is becoming more robust while pickup and custody-transfer discipline may still be uneven.

What freight is most exposed

Broadly, the highest-risk loads are still the ones that are easiest to resell, hardest to recover quickly, and costly to replace under time pressure. CargoNet said in its January 21, 2026 annual analysis that estimated supply-chain crime losses rose nearly 60% in 2025 to about $725 million, while incidents involving confirmed cargo theft increased 18% year over year to 2,646 across the United States and Canada.

Commodity patterns also support focusing controls on high-liquidity freight. CargoNet’s third-quarter 2025 analysis said food and beverage led all categories in that quarter, followed by household goods and metals. CNBC reported in May 2025, citing Verisk CargoNet, that food and beverage was the No. 1 target commodity, while more recent trade coverage has also pointed to interest in higher-margin technology and industrial equipment. The NICB warned in June 2025 that criminals were using business email compromise, identity theft, VoIP vulnerabilities, and synthetic identities to reroute high-value consumer goods such as electronics, medicine, and clothing.

For industrial supply chains, that means the exposure is not limited to consumer freight. Components, electrical gear, metal products, maintenance spares, and project cargo subassemblies can all be attractive if resale channels exist or if replacement timelines are long enough to trigger downtime.

Where control is actually being lost

The Trojan Driver story is useful because it clarifies that many companies are strongest at the front gate of the process and weakest in the handoff between approving a company and actually releasing a shipment.

1. Pickup authentication

If a facility verifies only the carrier name and MC/USDOT profile, but does not verify the specific assigned driver, truck, trailer, and pickup credentials, a real carrier can still be the vehicle for a bad handoff.

The FBI specifically advises companies to confirm the positive identities of drivers at pickup, including driver information and truck and trailer identifiers, and to use secure pickup numbers.

2. Driver substitution and relays

An otherwise routine last-minute driver change can create ambiguity if the shipper, broker, and carrier do not all confirm it through known contacts. That is especially true on high-value loads, after-hours pickups, repowers, relays, and team-driver operations.

Cornell’s recommendation, cited by FleetOwner, is notable here: for high-value freight, brokers should consider requesting drivers who have been employed for more than six months. That is not a foolproof control, but it recognizes that tenure can matter when the risk is infiltration rather than fake authority.

3. Stop discipline

If the theft is executed during a “normal” stop, then geofence alerts and route plans need to distinguish between expected behavior and unexplained dwell. A stop that looks ordinary in a TMS may be the point where custody is actually lost.

4. Dispatch integrity

Several 2025-2026 warnings have pointed to email compromise and account-takeover risk. FleetOwner reported that experts are seeing thieves access carrier email systems, intercept communications, and bid on loads or alter instructions from inside legitimate channels. That means companies cannot assume dispatch instructions are trustworthy just because they came from a familiar address.

A practical control checklist for 2026

No single step will stop this kind of theft. The point is to add controls between carrier approval and final delivery.

For shippers and shipping facilities

  • Verify the assigned driver’s identity at pickup, not just the carrier.
  • Match the driver name, truck number, trailer number, and seal information against the dispatch record.
  • Use a secure pickup number or release code that is not easily forwarded.
  • Escalate all last-minute driver swaps or equipment substitutions through known operations contacts.
  • Tighten release procedures for high-value freight, after-hours tenders, and first-time facility pickups.

For brokers and 3PLs

  • Confirm pickup changes through known dispatch contacts, not numbers or emails introduced mid-load.
  • Require additional scrutiny for newly hired drivers, recent driver substitutions, or unusual relay requests on high-value loads.
  • Set milestone alerts for pickup departure, first stop, dwell exceptions, route deviations, and unexpected signal loss.
  • Treat an unexplained stop early in the trip as a security event, not just a service exception.
  • Document custody-transfer details carefully in case a later claim turns on who authorized what and when.
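The stop-discipline point and the milestone-alert items above amount to classifying each stop against the route plan. The sketch below is an added example, not taken from the article or from any TMS or telematics product; the planned stops, coordinates, thresholds, and label names are constructed assumptions.

```python
import math

# Constructed route plan; coordinates and limits are illustrative only.
PLANNED_STOPS = [
    {"name": "fuel", "lat": 39.10, "lon": -94.58, "radius_km": 1.0, "max_dwell_min": 45},
    {"name": "rest", "lat": 38.63, "lon": -90.20, "radius_km": 1.0, "max_dwell_min": 600},
]
EARLY_TRIP_MIN = 120      # assumed window after pickup departure that gets stricter handling
UNPLANNED_DWELL_MIN = 15  # assumed tolerance for traffic, scales, and short breaks
SIGNAL_GAP_MIN = 20       # assumed longest acceptable gap between position pings

def km_between(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def classify_stop(stop):
    """stop: dict with start_min (minutes since pickup departure), dwell_min, lat, lon."""
    for plan in PLANNED_STOPS:
        inside = km_between(stop["lat"], stop["lon"],
                            plan["lat"], plan["lon"]) <= plan["radius_km"]
        if inside:
            # Right place: only the duration can be wrong.
            if stop["dwell_min"] <= plan["max_dwell_min"]:
                return "expected"
            return "service_exception"
    if stop["dwell_min"] < UNPLANNED_DWELL_MIN:
        return "expected"
    # Outside every planned geofence and longer than tolerance.
    if stop["start_min"] <= EARLY_TRIP_MIN:
        return "security_event"      # unexplained stop early in the trip
    return "unexplained_dwell"

def signal_gaps(ping_minutes):
    """Return (last_seen, next_seen) pairs where pings are too far apart."""
    pairs = zip(ping_minutes, ping_minutes[1:])
    return [(a, b) for a, b in pairs if b - a > SIGNAL_GAP_MIN]
```

The same 40-minute stop is labelled differently depending on where and when it happens, which is the distinction a dwell rule based on duration alone cannot make.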

For carriers

  • Strengthen driver background screening and re-screening where legally appropriate.
  • Review who can access dispatch systems and how instructions are authenticated.
  • Monitor for patterns of “bad luck” involving a driver, truck, lane, or terminal that may indicate something other than random theft.
  • Lock down company email, MFA, and dispatch credentials to reduce the chance that a physical infiltration is paired with digital compromise.
  • Train operations staff to treat cargo theft as potentially strategic even when the initial facts suggest ordinary trailer burglary or abandonment.

The policy backdrop is moving, but slowly

The legislative picture is broader than this one scam, but it is relevant. The TIA said in May 2025 that the Senate Commerce Committee advanced the Household Goods Shipping Consumer Protection Act (S. 337), sponsored by Sens. Deb Fischer and Tammy Duckworth, to restore and enhance FMCSA tools to combat fraud, including civil penalties for unauthorized brokerage activity, enforcement of principal-place-of-business requirements, and examination of commonalities among applicants.

Separately, the TIA said on January 13, 2026 that the House Judiciary Committee moved H.R. 2853, the Combating Organized Retail Crime Act of 2025 (CORCA), which the group said would expand federal authority to prosecute organized cargo theft, create a DHS-led crime coordination center, increase penalties, and improve data sharing and public-private collaboration.

Those efforts matter, but they do not change the immediate operating reality. Even if Congress ultimately gives regulators and law enforcement more tools, day-to-day prevention will still depend on tighter pickup controls, better driver authentication, and faster escalation when route behavior does not make sense.

What remains uncertain

There are still gaps in the public record around the Trojan Driver pattern. CAP was able to verify the existence of the warning through recent trade reporting and through comments from a named security executive tied to TAPA Americas, but not a publicly accessible formal TAPA advisory that fully documents the six-step sequence referenced in some secondary reports. Likewise, public law-enforcement case files have not yet established how widespread this specific infiltration model is compared with better-documented schemes such as fictitious pickups, identity theft, account takeovers, and double brokering.

That uncertainty is worth stating clearly. But it should not be confused with a lack of operational significance. If the method is emerging now, the prudent response is to harden the control point it targets before incident volumes are large enough to make the pattern obvious.

For CAP Logistics readers, the practical implication is straightforward: an inbound production-critical load can still be compromised even when the carrier on paper is legitimate. That raises the stakes for driver-level verification, stop-event monitoring, and documented chain-of-custody controls on high-value or downtime-sensitive freight.

FAQ

What is the Trojan Driver cargo-theft scam?

It is a reported freight-crime tactic in which a criminal operative works as a driver inside a legitimate trucking company, then uses that position to gain access to real loads and facilitate theft during normal-looking operations.

How is this different from fake-carrier fraud or double brokering?

In fake-carrier fraud, the carrier identity itself is false or spoofed. In the Trojan Driver scenario, the carrier may be a real, properly onboarded company, but the assigned driver or downstream operating process is compromised.

Why doesn’t normal carrier vetting stop this?

Carrier vetting focuses on whether the company is licensed, insured, and legitimate. It often does not fully verify the specific driver at pickup, last-minute substitutions, dispatch integrity, or whether custody remains secure after the load leaves the dock.

What controls should transportation teams tighten first?

The first priorities are driver-ID verification at pickup, secure pickup numbers, confirmation of driver swaps through known dispatch contacts, milestone alerts for route deviations and dwell, and better documentation of custody transfers on high-value loads.