Recent years have seen a notable increase in deceptive shipping practices (DSPs), particularly in the form of AIS spoofing and dark fleet activity.
The implementation of Russia-related sanctions and a price cap on the sale of Russian oil and petroleum products has led threat actors to turn towards more sophisticated forms of sanctions evasion. Their aim is to deceive authorities and financial crime compliance programs via the creation of a shadow economy that operates outside of the confines of US, UK, EU, and G-7 law.
Despite the new era of sanctions compliance challenges that such DSPs have created, it is possible to comprehend, detect and mitigate these practices, as the Research Team at Pole Star Global in partnership with Blackstone Compliance explains.
The challenge: maritime sanction evasion
Sanctions targets require access to allied countries’ markets, including commodities traders; financial institutions; flag registries; and ship charterers (“covered persons”) – all of whom have compliance obligations, including those relating to the price cap on Russian oil.
The Office of Foreign Assets Control (OFAC) and other sanctions authorities have outlined an attestation process to document that Russian oil sales are within the Price Cap. However, this is not a mere record-keeping problem. The current price cap for oil leaves very little room for margin, meaning threat actors may attempt to falsify documentation, pass goods off as being of non-Russian origin, or violate other sanctions outside the Price Cap – such as acting on behalf of a blocked party or attempting to export oil to an allied country.
The authorities have therefore warned covered persons to be aware of evasion attempts. For instance, in April, OFAC singled out P&I clubs, ship owners, flag registries, and commodities brokers to remain vigilant for DSPs as evidence of sanctions evasion.
In addition, the UK’s National Crime Agency has warned the wider financial community that sanctions targets may use proxies and enablers to gain access to the financial system – access they would otherwise be denied. This advice is equally applicable to the maritime industry.
Illicit dark fleet activity
There are two primary methods emerging for sanctions evasion: the “dark fleet” and “AIS spoofing”.
The dark fleet is a fleet of tankers owned and operated by persons outside of allied jurisdictions. These tankers – estimated to number around 600 vessels globally – are acquired for trading with Russia or other sanctioned countries. Owners will go to great lengths to disguise their stakes in these vessels.
That said, dark fleet vessels are not used exclusively for sanctioned trade – and not all vessels will therefore present the same level of risk. For instance, they may be shipping oil within the confines of the Price Cap. However, they do present an increased risk to covered persons. Covered persons should therefore proceed cautiously when dealing with a dark fleet vessel and conduct enhanced due diligence on the provenance of the cargo, the buyer and the seller.
Determining whether a vessel is part of the dark fleet is a subjective process. A number of criteria and factors must be considered before a ship can be categorised:
Ownership: A vessel’s owner may be tied directly to Russia, Iran, or Venezuela. Likewise, threat actors may attempt to obfuscate their interest by owning the vessel through shell or front companies, or by making rapid changes to a vessel’s declared owners and operators.
Movement: Dark fleet vessels may frequent Russian or sanctioned ports with deliveries to non-allied countries, and/or conduct ship-to-ship transfers in known high-risk zones, such as those used off the coast of Greece.
Deceptive Practices: Consideration for vessels who engage in AIS spoofing or who opportunistically turn off their AIS transponder with the intent of avoiding sanctions.
Timing: The timing of a vessel’s ownership change may indicate an intent to evade sanctions. For instance, moving vessels to new owners directly after the Russian price cap was passed. Likewise, if a vessel makes its first voyage – or routinely makes the same voyages – to Russia or a sanctioned country, this may indicate the vessel was purchased for sanctioned trade.
Fleet coordination: Consideration of a vessel’s changes in conjunction with other vessels owned or operated by the same person. If a fleet of vessels change their flag simultaneously or incorporate into a new high-risk jurisdiction, this may signal that the owner and operators intend to misuse the vessel.
Finally, covered persons should also be aware of the increase in pop-up P&I clubs, outside of the recognised International Group consortium. Thorough and intensified due diligence on the vessel’s owner, operator, or charterer, as well as the source of the cargo, is recommended.
The rise of AIS Spoofing
Spoofing was once considered a minor part of maritime sanctions evasion, but in the past six months, the practice has surged ahead to become the predominant form of evasion – at least for vessels carrying high-value cargoes such as oil and petroleum products.
In the past, high-risk countries would simply prohibit the export of AIS data, and compliance officers denied access to AIS information. These gaps in AIS coverage were easy to spot. In reaction, there’s been a major shift toward deceptive strategies, which is the provision of false AIS information. That is, inaccurate positional and navigation data is given, making a vessel appear where it is not.
This presents a far more difficult problem for the maritime community to tackle because threat actors have access to a broader range of spoofing techniques, and maritime intelligence firms will need to keep up with those tactics to counter them. OFAC recommends insurers, flag registries, and ship managers turn to “maritime intelligence services to improve detection of AIS manipulation”.
False AIS data can be uploaded through a variety of means and can be targeted towards individual AIS ground stations and data providers, or through radio frequency broadcasts targeting satellites. Typically, an AIS position is broadcast from a vessel’s transponder, which is then received by either a terrestrial ground station (“T-AIS”) or an overhead satellite (“S-AIS”). This information is then transmitted digitally – such as through an API – to either an AIS aggregator or directly to a maritime intelligence provider.
A threat actor can insert its false data at any point in this chain. Yet, with the right security protocols or an automated ability, receiving sources can discriminate between valid and invalid transponders.
In general, spoofing can be categorised into four typologies, each having distinct signatures:
- “Anchor spoofing” simulates the vessel remaining in the same place for impractical amounts of time. The vessel may appear to be at anchor or may look like offshore storage. However, a review of the vessel’s signal activity or use of human or imagery sources allows us to confirm that it is not the transmitted location.
- “Circle spoofing” describes a situation where the vessel moves in geometric circles at a set location. Circle spoofing is generally used closer to shores and ports over a few days to a week – which is enough time to visit a sanctioned port and return to the station.
- “Slow roll spoofing” is when the vessel pretends to be moving in a general direction of travel at very slow speeds. This movement will lack an economic purpose and/or be inconsistent with local traffic patterns.
- “Pre-programmed route spoofing” is the most realistic technique used. The vessel is programmed to travel along feasible routes. This requires either duplicating or sourcing past AIS data to successfully mimic the vessel’s movements, or more careful planning is used to ensure that the route appears to have an economic purpose. This methodology is hardly infallible, but is difficult to identify based on a visual inspection of the underlying data.
The threat of maritime sanctions evasion has increased tremendously over the past year. We are now seeing the wholesale creation of fleets for side-stepping allied sanctions, a drastic increase in AIS spoofing and more complex forms of maritime sanctions evasion.
With the threat environment only likely to increase; the onus is on covered persons and those involved in sanctions enforcement to conduct enhanced due diligence on all transactions involving potential dark fleet vessels and eschew – if possible – transactions involving the highest risk fleets, jurisdictions, flags, and classification societies. Working in partnership with providers of maritime intelligence services will be key to ensuring the most up-to-date data is used as part of this due diligence.