The Secret Lives of the Shadow Fleet: The evolving practice of AIS spoofing in vessel identity manipulation

What may look like a routine AIS anomaly on the surface, could be a calculated deception. As the shadow fleet refines its identity-manipulation tactics, maritime professionals face an evolving threat that can compromise safety, compliance, and operational decision-making.

From falsified positions, to cloned MMSI numbers, AIS spoofing is no longer on the fringes - it’s becoming a daily operational hazard.

The growth of AIS spoofing

In 2025, Lloyd’s List Intelligence recorded a significant uptick in spoofing-related incidents around the world, driven by an expanding shadow fleet and a growing adoption of the deceptive shipping tactic to hide the movement of sanctioned barrels.

The prevalence of AIS manipulation coupled with its growing sophistications exposes the entire supply-chain – charterers, brokers, insurers, refiners, traders –to financial, legal or reputational risk as the chances of unwittingly interacting with spoofing vessels grows.

Source: Seasearcher

Two spoofing hotspots to keep on your radar

1.The Gulf of Oman

The Gulf of Oman has become a hub for the transshipment of Russian crude between sanctioned and non-sanctioned tankers, with Lloyd’s List revealing the sophisticated tactics used to disguise this activity.

First identified in early 2024, these ship-to-ship transfers exploited an area long considered fertile waters for such activity and have grown in frequency over the last year.

Through AIS manipulation, the tankers involved in these transactions are able to move oil under the radar and then deliver to destinations like India or China on so-called “clean” (non-sanctioned) ships. It also allows designated tankers to return to Russia more quickly for reloading, which improves logistical efficiency.

The spoofed data often mimics normal sailing patterns, making monitoring and enforcement more difficult without sophisticated tools.

Example on Spoofing activity around The Gulf of Oman

Source: Seasearcher

At least 14 tankers sanctioned by the US Treasury in December 2025 used fake AIS data to falsely show port calls at Khor al Zubair, Iraq during the first half of last year. Nearly half of all AIS-generated voyages to the Iraqi port in that period were likely simulated, according to Lloyd’s List Intelligence analysis.

This advanced spoofing tactic, which mimics normal voyages to and from berths, is commonly used in the Middle East Gulf and Gulf of Oman to hide loadings of sanctioned Iranian cargoes, including crude oil and refined products.

Smaller product tankers most often engage in these operations, with most vessels under 50,000 dwt.

2. Malaysia and The South China Sea

Malaysia continues to be a hotspot for the movement of Iranian, Venezuelan and Russian cargoes. In July last year, Malaysia’s government vowed to crack down on what it described as “illicit” STS transfers taking place off its coast. Lloyd’s List Intelligence found over 50 tankers per month were manipulating their positional data to disguise these cargo transfers before the oil was delivered to China.

The sheer volume of tankers that are undetectable at any given moment and long duration of spoofing events complicate identification of STS transfers, making detection (of illicit activities) in this bustling transshipment hub incredibly challenging.

Below, as evidenced in Seasearcher, are three different examples of spoofing patterns that can be spotted because of the impossibility of the movement. The yellow vessel is stationary, the pink vessel moves in a perfect circle and the green vessel appears to be moving back and forth in a completely straight line.

Source: Over 50 shadow fleet ships are spoofing off Malaysia’s sanctioned oil transfer hub monthly :: Lloyd's List

Separating fact from the fictitious

Common spoofing methods and trends identified by Lloyd’s List Intelligence in the past year include:

Fake AIS Positioning: Simulating port calls or routes to mask sanctioned cargo movements.

Fraudulent IMO numbers: Stealing the IMO numbers of scrapped tankers, inventing IMO numbers, hijacking IMO numbers of live tankers, and recently the use of IMO numbers of ships still under construction.

Geographic Hotspots: Gulf of Oman, Malaysia’s outer port limits, Middle East Gulf, South China Sea, Sea of Japan, Black Sea, Gulf of Finland.

Running the risk

Effective vessel risk assessment should extend beyond checking against sanctions lists. Deceptive practices, such as AIS spoofing, inadvertently expose companies to:

• Loss of cargo or charter hire (if the vessel turns out to be rerouted, seized, or off-chartered)
• Legal or sanctions risk — e.g., inadvertently transporting sanctioned goods
• Insurance issues: if a vessel is misrepresenting its identity or movements, claims may be disputed or denied (or carriers may withdraw cover)
• Reputational damage — being associated with “shadow fleet” vessels that knowingly manipulate tracking data

We keep track, so you can stay safe

The practice may be expanding and evolving with more sophisticated methods, but with our ever-advancing ai and machine learning models, supported by human intelligence and precise AIS coverage we can ensure deceptive practices do not go undetected.

Seasearcher, a Lloyds List Intelligence solution, has implemented a host of robust enhancements to enable better detection of AIS spoofing events, replaying all data through a 24-month period to match compliance standards and regulation and ensuring we provide accurate, and expanded, risk detection for vessel behaviour patterns.

Watch out for our upcoming ‘science behind the data’ blog where we will deep dive into the more technical aspects of our enhanced capabilities.

Can’t wait until then? Get in touch with us today to find out more!