Somali Piracy Is Back: What the Incident Data Shows and Where the Risk Is Concentrating

Executive Summary

Between April 21 and May 2, 2026, a discrete sequence of dated, geographically clustered, and operationally coherent incidents marked the clearest reactivation of Somali Pirate Action Group activity since suppression efforts brought the threat to background levels nearly a decade ago.

This report walks the incident data in order, maps the three corridors where activity is concentrating, identifies the vessel categories under selection, and flags the behavioral indicators that were visible before the first April 21 boarding. As of mid-May 2026, the numbers describe a coordinated resurgence with established shoreside infrastructure, at least two concurrent PAGs, and a target-selection pattern consistent with sustained operations rather than opportunistic flares.

Windward assesses the April–May cluster as the early phase of a sustained operating cycle, not a contained incident. The behavioral preconditions: dhow seizures resuming, skiff approaches without follow-through, naval coverage diverted toward the Hormuz and Red Sea theatres, and a year-on-year doubling of commercial transit density east of the former High Risk Area, were all visible before the first hijacking. They remain in place today.

Scale and Scope

The April 21 to May 2 window produced six discrete maritime security incidents of operational significance: four confirmed hijackings (three commercial vessels and at least one dhow), one armed boarding attempt deterred by embarked security, and at least two suspicious skiff approaches inside the Maritime Security Transit Corridor (MSTC). A further attempted approach was reported approximately 500 NM east of Mogadishu on April 28, in which a tanker was approached by a suspected pirate action group employing a larger wooden vessel as a mothership and two smaller skiffs, the operational signature of an extended-range PAG deployment.

Three of the four hijacked commercial vessels remain under pirate control as of mid-May 2026. Ransom demands on Eureka alone are reported to have escalated from $3 million to $10 million.

This pace and density are without modern precedent in the post-suppression era. The most recent successful hijacking of a commercial tanker by Somali pirates before this cluster was the MV Ruen in December 2023, followed by sporadic activity through 2024 and early 2025. The April–May 2026 sequence is qualitatively different: multiple successful seizures inside two weeks, two concurrently operating PAGs, and a return to the dhow-as-mothership operational model that defined the 2008–2012 peak.

For context, Somali piracy peaked between 2009 and 2011, with more than 230 attacks recorded in 2011 alone, upwards of 700 crew members held simultaneously across the operating area, and an estimated $7 billion annual cost to global shipping. Suppression was driven by three overlapping coalition missions — the US-led CTF-151 under Combined Maritime Forces (a 47-nation coalition headquartered in Bahrain), the EU’s Operation Atalanta (launched December 2008 and still technically active), and NATO’s Operation Ocean Shield (2009 to December 2016) — supported at peak by roughly 25 to 30 warships from the US, UK, France, Russia, China, India, Japan, and South Korea operating in the region simultaneously. By 2013 no commercial vessel was successfully hijacked off Somalia; by 2017 the threat was reduced to occasional flashes; in January 2023 the International Maritime Bureau formally lifted the Indian Ocean High Risk Area designation. The last ransom-concluded hijacking before the current cluster was the bulk carrier MV Abdullah in March 2024, held for 33 days and released for a reported $5 million. The April–May 2026 cluster is the first time since the 2010–2012 peak that three commercial vessels have been held simultaneously.

Windward has classified the operational risk to commercial shipping off the Somali coast and in the southern Gulf of Aden as substantial, the level immediately below “severe” in standard maritime threat taxonomies. UKMTO and JMIC have issued matching classifications.

The April 21 – May 2 Incident Sequence

Six incidents anchor the cluster. Each is detailed below with the vessel data and operational context required to assess the sequence as a coordinated pattern rather than an isolated string.

April 21 — Honour 25

Palau-flagged product tanker Honour 25 was boarded by six armed pirates approximately 30 nautical miles off the Somali coast. The vessel was en route from Berbera, Somaliland, to Mogadishu, laden with 18,500 barrels of refined oil — cargo intended to ease an acute fuel shortage in the Somali capital. Reinforcements arrived shortly after the initial boarding, bringing the on-board pirate count to at least eleven. Honour 25 was anchored off the Puntland coast in the vicinity of Xaafun and Bandar Beyla. Crew of 17 included Pakistani (10), Indonesian, Indian, Sri Lankan, and Myanmar nationals. No embarked armed security at time of attack.

Geographic Concentration: Three Corridors

The incidents are not evenly distributed across the operating area. They cluster in three identifiable corridors with distinct operational characteristics.

Corridor A: Somali Basin Inshore — Garacad to Eyl

The April 23 Elfriede approach, the April 25 dhow seizure, and the April 26 Sward boarding are all attributable to a single PAG operating in the Garacad–Godobjiran sector, per the 29 April 2026 CMF and Operation Atalanta assessment. This is the classic Somali Basin inshore operating area, and it is where the highest density of boardings and attempted boardings has occurred. The 83 NM range of the Elfriede approach is on the high end of inshore PAG reach; the six NM range of the Sward boarding is well within standard operating distance.

The operational signature is consistent: small skiffs deployed from coastal launch points or from a recently seized dhow, targeting transiting vessels within a window of roughly 100 NM from the coast, with rapid redirection toward Puntland anchorages on successful boarding.

Behavioral Indicators That Preceded the Surge

The April–May cluster did not appear without warning. Several indicator categories were elevated in the weeks before the first hijacking. Each was visible in open-source and proprietary reporting before April 21.

Indicator 1: Dhow seizures resuming

Operation Atalanta confirmed the March 2026 hijacking of Alwaseemi 786 east of Mogadishu before its early-April release. Dhow seizures are the operational prerequisite for offshore PAG attacks. When they resume after a quiet period, the operational pipeline for offshore boarding is reactivating. This is the earliest reliable lead indicator of a forthcoming PAG cycle.

Indicator 2: Skiff approaches without follow-through

In the weeks preceding April 21, UKMTO and MSCIO had been reporting suspicious approaches and aggressive small-craft activity in the Somali Basin. The April 23 Elfriede approach 83 NM south of Eyl was the first one that crossed into clearly hostile contact: two skiffs closing inside 600 metres, with return fire when warning shots were taken — classic PAG approach behavior, not opportunistic fishing-vessel proximity.

Indicator 3: Naval presence redistribution

The window aligns with the diversion of significant Combined Maritime Forces, Operation Atalanta, and UAE assets away from the Western Indian Ocean toward the Strait of Hormuz and Red Sea theatres. Windward’s Iran War Intelligence coverage has tracked this redistribution since late February 2026. The Western Indian Ocean has been operating under stretched coalition coverage for approximately ten weeks ahead of the April 21 boarding.

The sequencing matters. The Houthi Red Sea campaign from late 2023 pulled EU NAVFOR and CTF-151 assets northward toward Bab el-Mandeb. NATO’s Operation Ocean Shield, terminated in December 2016, was never reconstituted to backfill the southern flank. When the Hormuz crisis escalated in early 2026, the remaining counter-piracy assets shifted again, this time eastward toward the Persian Gulf. What had been three overlapping naval missions covering the Western Indian Ocean has been reduced to the thinnest patrol coverage the Somali Basin has seen since before Operation Atalanta stood up in late 2008.

Reduced surveillance is not itself an attack. It is the operating-environment shift that PAGs price into their decision to deploy. Historically, the correlation between reduced coalition naval presence and resumed Somali pirate activity is robust — most clearly demonstrated by the post-2018 drawdown period and the December 2023 MV Ruen hijacking, which followed the early-stage Houthi crisis-driven shift in naval focus toward the Red Sea.

Indicator 4: Reroute density east of the former HRA

Vessel transits east of the former Indian Ocean High Risk Area (HRA, lifted by the IMB in January 2023) roughly doubled year-on-year through 2024 as operators shifted away from the Bab el-Mandeb and the Red Sea under Houthi targeting pressure. More commercial traffic, fewer escorts, and a stretched coalition presence are an unambiguous demand-side signal for opportunistic boarding. By Q1 2026, with the Strait of Hormuz crisis pushing additional traffic around the Cape of Good Hope and through Somali-adjacent waters, the operating environment for PAGs had become materially more permissive than at any point in the previous five years. Windward’s Q1 2026 Maritime Risk Report documents the broader corridor reordering.

Indicator 5: Vessel posture deterioration

A non-trivial share of vessels transiting Somali-adjacent waters in early 2026 were operating without embarked armed security, in many cases under cost pressure from extended Cape of Good Hope routings. None of the three hijacked commercial vessels in the April–May cluster carried embarked armed security at time of attack. The only confirmed hostile contact in the cluster that did not end with the vessel under PAG control — the Elfriede approach — was the only one with armed security on board.

Indicator 6: AIS destination-field signaling on Somali EEZ transits

A review of vessel visits to the Somali EEZ between January and May 2026 identified a recurring pattern of ships using the AIS destination field to broadcast operationally significant messages as they transited Somali waters. Two distinct clusters of messaging emerged. The first advertised the presence of embarked private armed security — broadcasts such as “ARM GUARD OB,” “ARMGRD ONBOARD,” and “ARMEDGRDTRCRV” — pitched directly at any pirate group conducting pre-attack reconnaissance via AIS. The second emphasised Chinese crew or ownership ties, with messages including “CHINA CREW & OWNER,” “CHINESE ONBOARD,” and “OMSLL CHINA CREW,” trading on the perceived diplomatic and commercial cost of interfering with Chinese-affiliated vessels.

Taken together, these broadcasts amount to a deliberate practice of repurposing the AIS destination field as a low-cost security signalling channel on high-risk Somali transits. As a behavioural indicator they read in two directions. First, they are a real-time measure of operator threat perception: mariners are pricing the Somali Basin as a corridor where deterrent signalling is now worth the operational cost, in line with the vessel-posture and reroute-density shifts above. Second, they are themselves an intelligence signal that PAGs and their shoreside support networks can read as easily as any analyst, sharpening the target-selection problem for vessels transiting without embarked security, without Chinese affiliation, or without a credible cover story in the destination field.

Indicator 7: Reported external enablement

Reporting from May 2026 alleges that PAGs operating in the Somali Basin have received GPS tracking equipment and small arms from Houthi networks, enabling mothership-supported attacks at ranges of up to 600 NM offshore. Attribution remains uncorroborated and Windward treats the claim as reported rather than confirmed. The operational read holds either way: the 500 NM April 28 mothership-supported approach east of Mogadishu is consistent with the extended-reach profile this kind of enablement would produce, whether the underlying material support is Houthi-linked, sourced through regional smuggling networks already active in the Gulf of Aden, or a combination. The indicator to watch is not the attribution but the range envelope of subsequent incidents; sustained activity beyond 400 NM would confirm that PAG reach has materially shifted.

The Limits of Single-Source Maritime Awareness

The current threat picture in the Western Indian Ocean illustrates the limits of single-source maritime awareness. Three operational realities make AIS-based monitoring insufficient on its own:

Dhows operate dark by default. Most large dhows in the region either do not carry AIS or do not transmit. A pirate-controlled dhow used as a mothership is, by AIS, indistinguishable from a routine regional fishing vessel — until it is too late.

Hijacked commercial vessels go dark on boarding. Honour 25 and other recent hijacked vessels disabled or had their AIS disabled shortly after boarding. AIS-only tracking loses the vessel at the exact moment its position and trajectory become operationally consequential.

Approach behavior precedes boarding by minutes. Skiff approaches are detectable in retrospect through AIS deviation patterns, but at the speed of attack, real-time fused intelligence is required to provide warning before contact.

Windward’s Maritime AI™ Platform addresses these gaps through multi-source fusion: AIS, Remote Sensing Intelligence (SAR, EO, RF), ownership records, flag history, and behavioral models trained on more than a decade of global maritime activity. For the Western Indian Ocean threat picture specifically, this allows the platform to track vessels — including hijacked commercial vessels and dhow motherships — when AIS is absent, manipulated, or actively disabled.

The Sward track from boarding through coastal anchoring at Garacad was monitored on the platform in this manner, with multi-source data sustaining vessel identity and position through the post-seizure operational window.

For government and defense customers requiring forensic, court-ready intelligence on individual incidents, Windward’s Maritime Intelligence Operations Center (MIOC) provides analyst-led assessments combining platform data, remote sensing imagery, and behavioral context.

Operational Outlook

Three indicators will determine whether the April–May 2026 cluster is a contained surge or the start of a sustained operating cycle.

Dhow seizure rate. Further hijackings of large dhows along the Somali and southern Yemeni coasts are the leading indicator. Each new dhow is a potential mothership for an additional four to six weeks of offshore reach. A continuation of the current dhow seizure pace would imply that PAGs are building out, not running down, their operational pipeline.

Time-to-resolution on the held vessels. Honour 25, Sward, and Eureka remain under pirate control as of mid-May 2026. The terms of their release — ransom paid in full, ransom negotiated down, vessel seized by naval forces, crew separated from vessel — will set the financial incentive structure for the next cohort of PAGs. A high-ransom successful resolution materially increases the likelihood of a sustained cycle. A negotiated low-ransom or military-recovery resolution compresses it.

Coalition naval rebalancing. Any return of Combined Maritime Forces, Operation Atalanta, or independent national assets to dedicated Western Indian Ocean patrol coverage will compress the operating window for PAGs. Continued diversion toward the Hormuz and Red Sea theatres will not. The most likely intermediate scenario — partial rebalancing combined with continued Hormuz-related demand on assets — preserves a permissive operating environment for PAG activity through the southwest monsoon transition in June.

The numbers are the story. As of mid-May 2026, the numbers say Somali piracy is back as an active operational threat to commercial shipping in the Western Indian Ocean and southern Gulf of Aden. The pattern of clustered, organized, geographically concentrated incidents — combined with the behavioral indicators that preceded them — is consistent with the early phase of a sustained operating cycle rather than a flare.