How a $400,000 lobster theft exposed the hidden security gaps in modern logistics

 

By Skeeter Wesinger

January 5, 2026

 

Earlier this month, thieves made off with roughly $400,000 worth of lobster from a Massachusetts facility. The seafood was never supposed to vanish; it was en route to Costco locations in the Midwest. Instead, it became the end product of a carefully staged deception that blended cyber impersonation, procedural blind spots, and physical-world confidence tricks.

This was not a smash-and-grab. It was a systems failure.

The operation began quietly, with an altered email domain that closely resembled that of a legitimate trucking company. To most humans—and most workflows—that was enough. The email looked right, sounded right, and fit neatly into an existing logistics conversation. No servers were hacked. No passwords were cracked. The attackers didn’t break in; they were let in.

Modern organizations often believe that email authentication technologies protect them from impersonation. Against a lookalike domain, they do not. Tools like SPF, DKIM, and DMARC can verify that a message truly came from the domain it claims, but they cannot tell you whether that domain is the right one. The gap between technical validation and human trust remains wide, and that gap was the attackers’ point of entry.
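The gap can be narrowed with a check that DMARC does not perform: comparing the sender's domain against the carrier domains already on file. The sketch below is an added example, not part of the original article. The carrier domain, the sample messages, and the edit-distance threshold are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: carrier domains already on file (constructed for this example).
KNOWN_CARRIERS = {"northstar-freight.example"}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(raw, known=KNOWN_CARRIERS, max_distance=2):
    """Return (verdict, dmarc_pass) for one raw message.

    Assumes Authentication-Results was stamped by the receiver's own mail
    gateway; a copy supplied by the sender must be stripped upstream.
    """
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dmarc_pass = "dmarc=pass" in msg.get("Authentication-Results", "").lower()
    if domain in known:
        verdict = "known" if dmarc_pass else "known-unauthenticated"
    elif any(edit_distance(domain, k) <= max_distance for k in known):
        verdict = "lookalike"  # authenticates fine, still the wrong party
    else:
        verdict = "unknown"
    return verdict, dmarc_pass

def make_msg(from_domain):
    """Build a constructed sample message that passes DMARC for its own domain."""
    return (f"From: Dispatch <dispatch@{from_domain}>\n"
            f"Authentication-Results: mx.shipper.example; dmarc=pass "
            f"header.from={from_domain}\n"
            "Subject: Carrier update for load 1187\n\nNew truck assigned.\n")

LEGIT = make_msg("northstar-freight.example")
LOOKALIKE = make_msg("northstar-frieght.example")  # two letters swapped

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(name, classify_sender(raw))
```

Both sample messages pass DMARC; only the comparison against the list on file separates them. Edit distance does not catch homoglyph or alternate-TLD variants, so a "lookalike" or "unknown" verdict is a reason to hold the change, not the whole control.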

Once inside the conversation, the criminals did what sophisticated attackers always do: they followed the process. They presented themselves as the selected carrier, responded on time, and matched expectations. Crucially, no one stopped to verify the change using a trusted, out-of-band channel—no phone call to a number already on file, no portal confirmation, no secondary check. The digital impersonation slid smoothly into operational reality.

The real turning point came at the loading dock. A tractor-trailer arrived bearing the branding of the legitimate company. The drivers carried paperwork and commercial licenses convincing enough to pass a quick inspection. Faced with routine procedures and time pressure, facility staff released the shipment. In that moment, digital deception became physical authorization.

This is where the incident stops being about phishing and starts being about trust. Visual cues—logos, uniforms, familiar names—still function as de facto security controls in high-value logistics. They are also trivial to counterfeit. Without a strong shared secret, such as a one-time pickup code or independently issued authorization token, the chain of custody rests on appearances.

After the truck departed, the final safeguards failed just as quietly. GPS trackers were disabled, and their sudden silence did not trigger an immediate, decisive response. In security terms, there was no deadman switch. When telemetry went dark, escalation was not automatic. By the time uncertainty turned into alarm, the window for recovery had likely closed.

Logistics theft experts know this pattern well. The first hour after a diversion is decisive. Organized theft rings plan around confusion, delayed verification, and fragmented responsibility. Their confidence suggests experience, not luck.

The CEO of Rexing Cos., the logistics firm coordinating the shipment, later described the crime as “very sophisticated” and attributed it to a large criminal organization. That assessment aligns with the evidence. This was not a crime of opportunity. It was a repeatable playbook executed by people who understood how modern supply chains actually operate—not how they are diagrammed.

The most unsettling lesson of the lobster theft is that no single system failed catastrophically. Email worked. Scheduling worked. Dock operations worked. Tracking existed. Each layer functioned more or less as designed. The failure emerged in the seams between them.

Security professionals often say that attackers don’t exploit systems; they exploit assumptions. This incident is a case study in that truth. Every handoff assumed the previous step had already done the hard work of verification. Each trust decision compounded the last until six figures’ worth of cargo rolled away under false pretenses. To quote President Reagan: “Doveryay, no proveryay” (“Trust, but verify”).

As supply chains become more digitized and more automated, it is tempting to treat logistics as paperwork and coordination rather than as critical identity infrastructure. This theft demonstrates the cost of that assumption. High-value goods move through a chain of identities—domains, vendors, drivers, vehicles—and each identity must be independently verified, not inferred.

The lobster didn’t disappear because the system was weak. It disappeared because the system was polite.
