Sanctions Evasion Vessel Tracking: OSINT Field Guide
A practitioner methodology for detecting and tracking sanctions-evading tankers using AIS forensics, satellite cross-checks, registry analysis, and open data — the repeatable workflow behind shadow-fleet attribution.
Tracking a vessel that does not want to be tracked is a discipline, not a database lookup. Operators in the so-called "shadow" or "dark" fleet — the aging tankers moving sanctioned Russian, Iranian, and Venezuelan crude outside Western insurance and the G7 oil price cap — deliberately corrupt every signal an analyst would normally rely on. They switch off transponders, forge positions, swap flags and names, and layer opaque shell ownership across multiple jurisdictions. This field guide sets out the repeatable, source-grounded methodology our analysts use to defeat those techniques and build defensible attribution.
The scale of the problem is now well documented in the public record. On 10 January 2025, the U.S. Treasury's Office of Foreign Assets Control (OFAC) designated 183 vessels in a single action targeting Russian oil revenue alongside Gazprom Neft and Surgutneftegas — by far the largest tanker action since the 2022 invasion. The European Union's mid/late-2025 packages added well over 100 further vessels, and the Kyiv School of Economics counted 621 unique tankers designated by all jurisdictions combined as of 19 December 2025. These are the entities a tracking methodology must locate, link, and monitor.
The Evasion Playbook You Are Tracking Against
Before chasing signals, an analyst must understand the adversary's toolkit. OFAC's May 2020 global maritime advisory codified the deceptive shipping practices that remain the canonical reference list — and almost every one of them leaves an observable trace.
| Evasion technique | Purpose | Observable OSINT trace |
|---|---|---|
| AIS disabling ("going dark") | Hide a port call or transfer | Gap in transmission vs. expected track |
| AIS spoofing / manipulation | Falsify position or identity | Impossible speed, location jumps, GPS circle-spoofing |
| Ship-to-ship (STS) transfer | Launder cargo origin | Two vessels loitering, paired SAR returns |
| Flag hopping / flags of convenience | Escape oversight and de-listing | Rapid registry changes, deregistration notices |
| Name / IMO falsification | Obscure a sanctioned hull | Identity duplication, registry mismatch |
| Opaque ownership layering | Defeat compliance screening | Newly formed one-ship shell companies |
| Falsified documentation | Defeat price-cap attestation | Insurance / P&I cover gaps |
Technique 1 — AIS Gap and Dark-Sailing Detection
The Automatic Identification System (AIS) is a self-reported collision-avoidance signal, not a surveillance system — which is precisely why it can be weaponized. The most basic evasion is simply switching the transponder off before a sensitive event. Detection therefore reduces to a question of expectation versus observation: where should the vessel have transmitted, and did it?
Building the expectation baseline
Analysts reconstruct a vessel's normal transmission cadence (AIS reporting intervals vary by speed and navigational status) and overlay its declared voyage. A gap that coincides with a high-risk geography — near a known STS zone, an embargoed terminal, or a contested strait — is a far stronger indicator than a gap in open ocean, where genuine receiver coverage thins out. The discriminator is always context, not the gap alone.
| Gap attribute | Low concern | High concern |
|---|---|---|
| Location | Mid-ocean, low receiver density | Near sanctioned terminal / STS zone |
| Duration | Hours | Days to weeks |
| Draft change | None across gap | Laden ⇄ ballast across gap |
| Reappearance | Same heading/area | Distant, inconsistent position |
| Pattern | One-off | Repeated at same coordinates |
The single most powerful corroborant is a draft (loadline) change across the gap: a vessel that vanishes riding high in ballast and reappears sitting low and laden almost certainly loaded cargo somewhere it did not want recorded. We cover this in depth in our AIS gap analysis methodology.
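
The gap triage described above, as an added Python example (not the authors' tooling): it finds transmission gaps in a constructed AIS track and grades each one by duration, location and draft change across the gap. The record layout, the 6-hour and 3-day thresholds, the 0.5 m draft delta and the bounding box standing in for a zone of concern are assumptions.

```python
from datetime import datetime, timedelta

# Constructed AIS reports for one hull: (UTC time, lat, lon, draft in metres).
T0 = datetime(2025, 1, 1)
TRACK = [
    (T0, 36.10, 22.00, 8.1),
    (T0 + timedelta(hours=1), 36.20, 22.30, 8.1),
    (T0 + timedelta(hours=9), 36.30, 22.60, 8.1),    # 8 h silence, nothing else changes
    (T0 + timedelta(hours=10), 36.45, 22.90, 8.1),
    (T0 + timedelta(days=5), 36.50, 23.00, 14.6),    # ~4.6 day silence, reappears laden
]

# Hypothetical zone of concern as a bounding box: (lat_min, lat_max, lon_min, lon_max).
ZONE = (36.4, 36.8, 22.8, 23.2)

def in_zone(lat, lon, zone=ZONE):
    return zone[0] <= lat <= zone[1] and zone[2] <= lon <= zone[3]

def find_gaps(track, min_gap=timedelta(hours=6)):
    """Return one dict per silence longer than min_gap, graded by its context."""
    gaps = []
    for (t1, la1, lo1, d1), (t2, la2, lo2, d2) in zip(track, track[1:]):
        silence = t2 - t1
        if silence < min_gap:
            continue
        flags = []
        if silence >= timedelta(days=3):
            flags.append("duration")
        if in_zone(la1, lo1) or in_zone(la2, lo2):
            flags.append("location")
        if abs(d2 - d1) >= 0.5:
            flags.append("draft_change")
        # The gap alone is weak evidence; concern rises only with corroboration.
        if "draft_change" in flags and len(flags) >= 2:
            level = "high"
        else:
            level = "medium" if flags else "low"
        gaps.append({"start": t1, "hours": silence.total_seconds() / 3600,
                     "draft_delta": round(d2 - d1, 1),
                     "flags": flags, "level": level})
    return gaps

if __name__ == "__main__":
    for gap in find_gaps(TRACK):
        print(gap)
```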
Technique 2 — AIS Spoofing and Identity Manipulation
More sophisticated than going dark is broadcasting a false position so the hull appears to be somewhere innocent. Public-domain research (notably by SkyTruth, Global Fishing Watch and academic GNSS groups) has repeatedly documented two signatures that betray manipulation.
| Signature | What it looks like | Why it is impossible |
|---|---|---|
| Speed anomaly | Reported track implies 40+ knots | Exceeds tanker hull speed |
| Position teleport | Jump of hundreds of nm in minutes | No vessel travels that fast |
| Circle spoofing | Track forms tight circles/loops on land or at berth | GNSS jamming artifact, not real movement |
| Static drift | "Moving" while moored at a known dock | Berth position contradicts AIS |
| Two-place identity | Same MMSI/IMO transmitting from two regions | One hull cannot be in two places |
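
The speed-anomaly, teleport and two-place checks from the table, as an added Python example that is not part of the original guide: it computes the implied speed of every leg per MMSI and separates a single jump from repeated jumps. The report layout, the placeholder MMSIs and the "two or more jumps" rule for a candidate shared identity are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_TANKER_KNOTS = 40  # ceiling used in the table above

def nm_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 3440.065 * asin(sqrt(a))

def impossible_legs(reports, max_knots=MAX_TANKER_KNOTS):
    """reports: (time, mmsi, lat, lon). Return legs no tanker could have sailed."""
    last, hits = {}, []
    for t, mmsi, lat, lon in sorted(reports):
        if mmsi in last:
            t0, lat0, lon0 = last[mmsi]
            hours = (t - t0).total_seconds() / 3600
            dist = nm_between(lat0, lon0, lat, lon)
            # Same-instant reports more than 1 nm apart are impossible too.
            if (hours > 0 and dist / hours > max_knots) or (hours == 0 and dist > 1):
                hits.append((mmsi, t))
        last[mmsi] = (t, lat, lon)
    return hits

def classify(hits):
    """Heuristic: one jump is a teleport; repeated jumps on one MMSI suggest
    two transmitters sharing an identity (candidate two-place identity)."""
    counts = Counter(mmsi for mmsi, _ in hits)
    return {m: "two-place identity" if n >= 2 else "position teleport"
            for m, n in counts.items()}

# Constructed reports; the MMSIs are placeholders, not real vessels.
T0 = datetime(2025, 1, 1)
M5 = timedelta(minutes=5)
REPORTS = [
    (T0, "111111111", 25.0, 57.0), (T0 + 12 * M5, "111111111", 25.2, 57.0),  # ~12 kn
    (T0, "222222222", 26.0, 56.0), (T0 + 2 * M5, "222222222", 29.0, 50.0),   # one jump
    (T0, "333333333", 1.2, 103.8), (T0 + M5, "333333333", 36.5, 22.8),
    (T0 + 2 * M5, "333333333", 1.2, 103.8), (T0 + 3 * M5, "333333333", 36.5, 22.8),
]

if __name__ == "__main__":
    print(classify(impossible_legs(REPORTS)))
```

Circle spoofing and static drift need track-shape or berth-position context and are not covered by this check.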
Technique 3 — Satellite Cross-Checking (SAR and Optical)
Because AIS is self-reported, the only way to confirm a vessel's true position during a gap or suspected spoof is independent observation. This is where GEOINT closes the loop. Two sensor types dominate open practice.
Synthetic Aperture Radar (SAR)
SAR satellites (the EU's free Copernicus Sentinel-1 constellation being the workhorse for open analysts) image the sea surface day or night and through cloud, returning bright "blobs" for metallic hulls. A SAR return at the location of an AIS gap — especially a pair of returns moored alongside each other — is a strong indicator of a dark vessel or an STS transfer.
Optical confirmation
Optical imagery (Sentinel-2, and commercial high-resolution tasking when budget allows) provides the human-readable confirmation: hull color, deck layout, manifold hoses rigged between two ships. The standard workflow correlates a SAR detection with the nearest optical pass to classify the contact.
| Need | Sensor | Open source |
|---|---|---|
| All-weather, night, wide-area | SAR | Copernicus Sentinel-1 |
| Visual ID, daylight, clear sky | Optical (medium-res) | Copernicus Sentinel-2 |
| Hull detail, name read | Optical (high-res) | Commercial tasking |
| Dark-vessel matching at scale | SAR + AIS fusion | Global Fishing Watch |
Technique 4 — Ship-to-Ship (STS) Transfer Detection
STS transfers — pumping cargo between two vessels at sea — are the primary mechanism for laundering the origin of sanctioned oil. A "clean" tanker takes on crude from a "dirty" one mid-voyage, then presents itself with sanitized paperwork at the destination. Recurring STS hotspots have been publicly reported off Greece (Laconian Gulf), Malaysia, Ceuta, and the Gulf of Oman.
The STS signature
- Two vessels converge and hold near-identical position and near-zero speed for several hours.
- One or both may go dark immediately before pairing.
- SAR shows two adjacent returns; optical may show connecting hoses.
- Draft changes are mirrored — one rises, the other settles.
The mirrored draft change is the forensic clincher: it demonstrates mass actually moved between hulls. Full tradecraft is documented in our STS transfer detection methodology.
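
The AIS side of the STS signature, as an added Python example (not the authors' code): it looks for the longest run in which two hulls sit almost on top of each other at near-zero speed, then tests whether their drafts moved in opposite directions. The hourly track layout, the 300 m, 0.5-knot and 4-hour thresholds, the 1 m draft minimum and the sample tracks are assumptions.

```python
from math import cos, hypot, radians

def metres_apart(a, b):
    """Equirectangular approximation; adequate for sub-kilometre separations."""
    dy = (b[0] - a[0]) * 111_320
    dx = (b[1] - a[1]) * 111_320 * cos(radians((a[0] + b[0]) / 2))
    return hypot(dx, dy)

def sts_candidate(track_a, track_b, max_m=300, max_knots=0.5, min_hours=4):
    """Tracks: {hour_index: (lat, lon, sog_knots, draft_m)} on a shared hourly grid.
    Returns None, or the pairing duration and each hull's draft change."""
    common = sorted(set(track_a) & set(track_b))
    best, run = [], []
    for h in common:
        a, b = track_a[h], track_b[h]
        paired = (metres_apart(a, b) <= max_m
                  and a[2] <= max_knots and b[2] <= max_knots)
        contiguous = not run or h == run[-1] + 1
        if paired:
            run = run + [h] if contiguous else [h]
        else:
            run = []
        if len(run) > len(best):
            best = run
    if not best or best[-1] - best[0] < min_hours:
        return None
    first, last = common[0], common[-1]
    d_a = track_a[last][3] - track_a[first][3]
    d_b = track_b[last][3] - track_b[first][3]
    # Mirrored: one hull rises while the other settles, both by a real margin.
    mirrored = d_a * d_b < 0 and min(abs(d_a), abs(d_b)) >= 1.0
    return {"hours": best[-1] - best[0], "draft_a": round(d_a, 1),
            "draft_b": round(d_b, 1), "mirrored": mirrored}

# Constructed tracks: A arrives laden and leaves light, B does the opposite.
TRACK_A = {h: (36.5000, 22.9000, 0.1, 15.0) for h in range(2, 9)}
TRACK_A.update({0: (36.40, 22.80, 8.0, 15.0), 1: (36.47, 22.87, 3.0, 15.0),
                9: (36.55, 22.95, 9.0, 9.2)})
TRACK_B = {h: (36.5004, 22.9003, 0.2, 8.0) for h in range(2, 9)}
TRACK_B.update({0: (36.60, 23.10, 7.0, 8.0), 1: (36.53, 22.96, 2.5, 8.0),
                9: (36.45, 22.85, 10.0, 13.9)})

if __name__ == "__main__":
    print(sts_candidate(TRACK_A, TRACK_B))
```

A vessel that goes dark before pairing leaves no common samples, so a `None` result here still needs the SAR check described above.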
Technique 5 — Flag Hopping and Flags of Convenience
A flag state is supposed to regulate its vessels. Shadow-fleet operators exploit "open registries" with weak oversight and migrate between them whenever scrutiny rises. The behavior is so endemic that registries have begun publicly purging sanctioned tonnage: since an October 2024 decree, Panama's Maritime Authority removed roughly 200 ships from its registry in the first five months of 2025, while flags such as Gabon, Comoros and Gambia have absorbed reflagged sanctioned vessels — often within days of a designation.
| Indicator | Why it matters |
|---|---|
| Multiple flag changes in 12 months | Evading registry-level enforcement |
| Move to a registry after a designation | Seeking a jurisdiction that ignores listings |
| "False flag" / unregistered operation | Flag state denies the vessel is on its register |
| Flag mismatch with AIS-reported flag | Documentary inconsistency |
Flag history is reconstructible from public registry data and IMO records; we expand on this in the flags of convenience methodology.
Technique 6 — Name and IMO Identity Changes
The IMO ship identification number is permanent and welded to the hull, which makes it the analyst's anchor. Names, MMSI numbers and call signs are all mutable; the IMO number is not. Lloyd's List has documented an escalating progression of IMO fraud in the dark fleet: stealing the IMO numbers of scrapped tankers, inventing fake numbers outright, hijacking the IMO of a live "donor" tanker, and most recently spoofing the numbers of ships still under construction. From November 2024 to April 2025, OFAC observed at least 19 vessels simultaneously spoofing MMSIs.
| Attribute | Mutable? | Tracking value |
|---|---|---|
| IMO number | No (permanent) | Primary anchor |
| Vessel name | Yes | Low — track history of changes |
| MMSI | Yes | Low — changes with flag |
| Call sign | Yes | Low |
| Hull dimensions | No | High — cross-check vs. SAR length |
Where an IMO is suspect, analysts cross-validate the physical dimensions reported in the registry against the hull length measured from SAR imagery. A 250-metre SAR return claiming to be a 180-metre registered hull is a duplicated identity until proven otherwise. Our shadow fleet IMO lookup tool resolves an IMO number to its designation status and identity history.
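
The identity cross-check above, as an added Python example rather than the lookup tool's own code: it validates the IMO check digit (the seventh digit equals the weighted sum of the first six, weights 7 down to 2, modulo 10) and compares registered length against a SAR-measured length. The 15% tolerance, the finding labels and the sample contacts, including the IMO numbers, are constructed for illustration.

```python
def imo_checksum_ok(imo):
    """Seven digits; the last equals (d1*7 + d2*6 + ... + d6*2) mod 10."""
    s = str(imo).upper().removeprefix("IMO").strip()
    if len(s) != 7 or not s.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(s[:6], range(7, 1, -1)))
    return total % 10 == int(s[6])

def assess_contact(claimed_imo, registry_loa_m, sar_length_m, tolerance=0.15):
    """Compare a claimed identity with a SAR-measured hull length.
    registry_loa_m: registered length overall in metres, or None if no record."""
    findings = []
    if not imo_checksum_ok(claimed_imo):
        findings.append("invalid_check_digit")   # fabricated number, not well formed
    if registry_loa_m is None:
        findings.append("no_registry_record")
    elif abs(sar_length_m - registry_loa_m) / registry_loa_m > tolerance:
        findings.append("hull_length_mismatch")  # treat as a duplicated identity
    # An empty list is not a clean bill: stolen or hijacked numbers pass the checksum.
    return findings

# Constructed contacts: (claimed IMO, registry LOA in m, SAR-measured length in m).
CONTACTS = [
    ("IMO 1234567", 180.0, 250.0),   # the 250 m vs 180 m case from the text
    ("IMO 1234567", 180.0, 186.0),   # within measurement tolerance
    ("IMO 1234568", None, 230.0),    # bad check digit and no registry record
]

def triage(contacts=CONTACTS):
    return [assess_contact(*c) for c in contacts]

if __name__ == "__main__":
    for contact, findings in zip(CONTACTS, triage()):
        print(contact[0], findings or "no findings")
```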
Technique 7 — Insurance, P&I and Price-Cap Gaps
Under the G7 price cap — set at $60 per barrel for crude from December 2022 and lowered by the EU and partners to a dynamic level of around $47.60 from September 2025 — Western service providers may only insure and transport Russian crude sold below the cap, supported by attestations. The shadow fleet's defining trait is operating outside this system. KSE Institute found that among tankers carrying Russian oil, only about 16.9% had identifiable P&I cover, in contrast to the mainstream fleet, which is insured through the International Group clubs. An apparently functioning tanker with no verifiable P&I club, or cover from an unknown domestic insurer, is a strong evasion indicator and a major environmental-liability red flag.
| Check | Clean fleet | Shadow fleet |
|---|---|---|
| P&I cover | IG club, verifiable | Absent / unknown insurer |
| Price-cap attestation | On file with provider | None / fabricated |
| Beneficial owner | Established operator | One-ship shell, recent |
| Class society | IACS member | Withdrawn / non-IACS |
Technique 8 — Ownership and Corporate Layering
The final layer is corporate. Sanctioned trade is routinely fronted by single-purpose companies registered weeks before a vessel changes hands, often in light-touch jurisdictions, with nominee directors. Open corporate registries and sanctions databases let an analyst walk the ownership chain.
| Signal | Source to check |
|---|---|
| Company formed shortly before vessel purchase | OpenCorporates |
| One company owns exactly one vessel | Equasis / registry |
| Shared address across many shell owners | OpenCorporates clustering |
| Owner / manager already designated | OFAC SDN, EU, OpenSanctions |
The Public Toolkit
None of the above requires classified access. The following open datasets and tools form a complete analyst workbench.
| Tool / dataset | Use | Access |
|---|---|---|
| Copernicus Sentinel-1 / Sentinel-2 | SAR & optical imagery | Free |
| Global Fishing Watch | AIS + SAR dark-vessel fusion | Free |
| Equasis | Ship particulars, ownership, history | Free (registration) |
| IMO GISIS | Authoritative IMO number records | Free (registration) |
| OpenCorporates | Corporate ownership chains | Freemium |
| OpenSanctions | Consolidated designations, incl. vessels | Free |
| OFAC SDN List | U.S. designations of record | Free |
| EU / UK consolidated lists | EU & UK designations | Free |
Putting It Together: A Repeatable Workflow
A defensible tracking case is built by stacking independent indicators until the alternative explanations collapse. No single signal is conclusive; convergence is.
| Step | Action | Output |
|---|---|---|
| 1 | Anchor on IMO number | Stable identity |
| 2 | Pull registry + flag history | Flag-hop timeline |
| 3 | Walk ownership chain | Shell-company map |
| 4 | Build AIS expectation baseline | Gap / spoof candidates |
| 5 | Cross-check gaps with SAR | True positions |
| 6 | Confirm STS / port calls optically | Cargo-event evidence |
| 7 | Check P&I and cap compliance | Insurance gap |
| 8 | Screen against designation lists | Sanctions status |

| Indicator | Standalone strength | Best corroborant |
|---|---|---|
| AIS gap | Low | SAR return + draft change |
| Spoofing artifact | Medium | Imagery at true location |
| STS pairing | Medium-High | Mirrored drafts |
| Identity duplication | High | SAR hull-length mismatch |
| Designated owner | High | Official list entry |
Why This Matters: The Scale of the Target Set
The methodology exists because the fleet is large and growing. Independent monitoring by the Kyiv School of Economics (KSE) Institute and the Centre for Research on Energy and Clean Air (CREA) shows that sanctioned shadow tankers carried roughly 65% of Russian crude exports in November 2025, with a further share on non-sanctioned shadow vessels — meaning the dark fleet, not the mainstream G7-serviced fleet, now moves the majority of Russia's seaborne crude.
| Reference | Reported figure | Source |
|---|---|---|
| Largest single OFAC tanker action | 183 vessels (10 Jan 2025) | U.S. Treasury |
| EU shadow-fleet vessel listings | well over 100 further vessels (mid/late-2025 packages) | EU Council |
| UK shadow-fleet action | 101 ships (9 May 2025) | UK Gov / OFSI |
| All-jurisdiction designated tankers | 621 unique (19 Dec 2025) | KSE Institute |
| EU crude price cap (lowered) | ~$47.60/bbl from Sep 2025 | EU Council / CREA |
| Russian crude on sanctioned shadow tankers | ~65% (Nov 2025) | CREA |
Frequently Asked Questions
What is the single best signal for spotting a sanctions-evading vessel?
There is no single best signal — defensible attribution comes from convergence. That said, an AIS gap that coincides with a draft change and is corroborated by a SAR satellite return at a sensitive location is among the strongest individual indicator stacks available to an open-source analyst.
Can sanctions evasion really be tracked with free, public tools?
Yes for most of the workflow. Copernicus Sentinel-1/2 imagery, Global Fishing Watch, Equasis, IMO GISIS, OpenSanctions and the OFAC/EU/UK lists are all free. High-resolution optical confirmation and commercial AIS history are the main paid add-ons, but the core method runs on open data.
Why is the IMO number so important?
Because it is permanent. Names, MMSI numbers, call signs and flags can all be changed to confuse trackers, but the seven-digit IMO number is assigned for the life of the hull. Anchoring an investigation on the IMO defeats name and flag changes and exposes identity-duplication fraud.
How do analysts confirm a ship-to-ship transfer actually happened?
By stacking three signals: two vessels holding near-identical position at near-zero speed for hours, a paired return in SAR imagery (ideally with connecting hoses visible in optical), and a mirrored draft change where one vessel rises as the other settles, proving mass moved between hulls.
What is the price cap and how does it relate to the shadow fleet?
The G7/EU price cap permits Western insurers and shippers to service Russian crude only when sold below a set price, evidenced by attestations. The shadow fleet exists to move oil outside that system — typically without recognized P&I insurance — which is why insurance and attestation gaps are core detection signals.
Is AIS data reliable enough to base findings on?
AIS is self-reported and routinely manipulated, so it is a starting point, not proof. Treat every AIS anomaly as a hypothesis to be confirmed against independent observation — satellite imagery, registry records, and corporate data — before drawing a conclusion.
Sources
- U.S. Department of the Treasury — "Treasury Intensifies Sanctions Against Russia by Targeting Russia's Oil Production and Exports" (10 Jan 2025; 183 vessels, Gazprom Neft, Surgutneftegas). home.treasury.gov/news/press-releases/jy2777
- U.S. Department of the Treasury / OFAC — Updated Price Cap Coalition Advisory for the Maritime Oil Industry (deceptive shipping practices). ofac.treasury.gov price cap advisory
- U.S. Department of the Treasury — "U.S. Treasury Designates Russian State-Owned Sovcomflot" (23 Feb 2024; 14 tankers identified). home.treasury.gov/news/press-releases/jy2121
- Council of the EU — "Council sanctions 41 vessels of the Russian shadow fleet" (18 Dec 2025; nears 600 total). consilium.europa.eu press release
- Council of the EU — EU adopts 18th package of economic and individual measures (18 Jul 2025; lowered oil price cap). consilium.europa.eu 18th package
- KSE Institute — Russian shadow fleet tracker and sanctioned-tanker counts (621 vessels by 19 Dec 2025). sanctions.kse.ua
- KSE Institute — "Oil Spill Insurance and the Shadow Fleet" (P&I coverage gaps, Feb 2025). kse.ua insurance report (PDF)
- CREA — Monthly analysis of Russian fossil fuel exports and sanctions (Nov 2025; shadow-fleet share, lowered cap). energyandcleanair.org Nov 2025
- Lloyd's List — "Dark fleet tactics evolve as tankers take on multiple interchangeable digital identities." lloydslist.com identity manipulation
- Global Fishing Watch — Sentinel-1 SAR vessel-detection dataset and AIS-matching methodology. globalfishingwatch.org SAR detections
- Copernicus Data Space Ecosystem — Sentinel-1 (SAR) and Sentinel-2 (optical) open imagery. dataspace.copernicus.eu
- OpenSanctions — consolidated sanctions data including designated vessels. opensanctions.org
- Equasis — public ship particulars, ownership, P&I and inspection history. equasis.org
- IMO GISIS — Global Integrated Shipping Information System, authoritative IMO records. gisis.imo.org