Hiding in Plain Sight – Not All That Transmit are Legit
Deceptive shipping practices have existed since the beginning of commercial shipping. Way back in the 17th century, pirates used neutral flags to mask their true identities and fool potential victims. The more things change, the more they stay the same in terms of the desire to deceive. Vessels are still changing flags to disguise their true identities, but that is of course far from all that they are doing…
The rules of the maritime detection game (along with the terminology and technology) have changed. “Going dark” (disabling the AIS system) is still popular, but sophisticated bad actors now understand that a vessel worth millions of dollars is too expensive to risk going dark for a single transaction. If identified, the vessel, crew, and owners will not only be exposed to sanctions, but will also suffer from seized cargo and lasting reputational damage. And having a vessel idle for a long period of time could prove costly.
Instead of trying to conceal vessel behavior, many bad actors have changed direction. They now seek to reap the benefit of illegal activities while projecting a veil of “business as usual.” In other words, they are hiding in plain sight.
New tactics have emerged, making identity changes look as quaint as a 17th century tactic. An umbrella term called “spoofing” has been driving the maritime industry crazy with multiple interpretations. Within this concept, there are multiple tactics involving the use of various identities, transmitters, and even GNSS manipulation methodologies that are growing at an exponential speed compared to previous deceptive shipping practices.
And the U.S. Treasury Department’s Office of Foreign Asset Control’s (OFAC) early guidance on implementation of a maritime services policy for seaborn Russian oil was a recent reminder that the stakes are high. Entities throughout the maritime ecosystem are expected to be able to track and flag abnormal shipping routes or transshipments, and know who they are doing business with.
This whitepaper aims to make it easier for you to find the hiders by explaining the new deceptive shipping tactics; quantifying the amount of location tampering worldwide, based on Windward’s AI-driven insights and research; and presenting real-life use cases of vessels that seemingly would do anything to evade sanctions unnoticed.
From identity tampering to “AIS handshakes” and a new concept we are introducing, “zombie vessels,” Windward will expose the tactics currently outwitting the overwhelming majority of marine domain awareness (MDA) systems.
As can be seen in the graph below, the exponential growth of this new, sophisticated typology is clear.
When we break down the data by vessel class, it becomes clear that this type of illicit behavior is being used for one main purpose – oil smuggling. Out of the 265 unique vessels that conducted the 600 GNSS events, 97% were tankers, followed by 1.5% fishing vessels, and 0.75% cargo vessels.
The flag distribution shows a pretty clear enabler for this type of behavior. While the distribution spreads across 34 different nations, 77.7% of them are flags of convenience. Windward’s data shows that 31% of the 600 location tampering cases sailed under the Panama flag during the manipulation incident(s), 11% under the Liberia flag, and 8% under the Cameroon flag.
In comparison to the GNSS manipulation trend, dark activity has a much steadier monthly growth rate. Since dark activity is easy to execute and is widely used by vessels of all classes and sizes, Windward does not expect it to decline in the near future.
To get an even more laser-focused look into these behaviors, we examined the normalized comparison in a more constrained context, sanctions evasion. The data is compelling. While the exponential growth of location tampering and other behavioral tactics continues at the same rate, dark activity has actually declined, showing it is becoming less popular among vessels transporting sanctioned commodities.
Following its departure from Fujairah, the tanker sailed towards Iraq and was spotted on February 14 slowing down just 20 NM away from the Basrah oil terminal. On that same day, February 14, the vessel began exhibiting strange, unnatural drifting patterns in the same location outside the terminal, indicating the crew was manipulating its global navigation system.
A satellite image from February 19 indicates the vessel was not where it is claiming to transmit from. In comparison, another vessel of a similar size just five nautical miles away can be seen in the satellite image, proving the AIS/satellite image matching to be precise.
On February 23, during the manipulation period, Windward was able to spot a vessel in Kharg Island, one of the main loading terminals in Iran, just 73 NM away from the transmitted location of our vessel. This non-transmitting vessel appeared to be loading at one of the berths and matched our vessel’s prominent visual features:
- Length (180-190 meters)
- White bridge
- Red deck
- White pole at the bow
(Satellite image source: Planet Labs)
On February 26, the tanker resumed transmission, heading back towards the Hormuz straits at normal sailing speed, sailing through Iranian territorial waters. The vessel’s location upon resuming transmission correlated with the average speed, distance, and time it would take to make the trip back from Kharg Island.
Two days later, on February 28, the vessel indicated a change in draft, showing it is fully laden, although there is no activity related to cargo loading, such as a port call or ship-to-ship operation.
Zombie Vessel
Windward also identified another behavioral trend that is growing at an alarming pace – zombie vessels. This is a term recently coined by Windward for vessels that use the identity of scrapped ships – essentially resurrecting them from the dead after months or even years of being out of service (and in some cases, literally decimated at scrap yards).
On April 21, 2022, a Marshall Islands-flagged tanker arrived at the Alang scrapyard on what appeared to be its final journey. Little did it know, it would be resurrected less than two months later…
On June 8, our scrapped vessel sprang back to life and appeared to ”meet” with a tanker known for conducting illicit operations and evading sanctions. However, satellite imagery clearly indicates that only one vessel was physically present at that meeting.
It was during that “meeting” that our original suspect assumed the “clean” identity of the scrapped vessel and started its new life with a clean slate, as a zombie vessel.
AIS Handshake
On April 26, 2020, the Giessel, a 333-meter crude vessel was sailing under the flag of Saint Kitts and Nevis at the time of this event. The vessel was spotted near Khor Fakkan and reported an empty draft. Three days later, that same vessel had a small positional jump of 2 NM, and suddenly appeared to be transmitting with a whole different ship length (275 meters).
During the time the 275m vessel assumed Giessel’s identity, the original 333m vessel was presumably loading Iranian crude oil. It then resumed transmission with a full draft, and its original 333-meter length on May 5, 2020, without any reported loading activity (such as a port call or STS operation). As seen below from the Windward system, the geographic proximity makes this identity handshake even harder to detect for traditional marine domain awareness (MDA) systems.
