{
“title”: “Tracking Shadow Yachts That Move Sanctioned Oil Overnight”,
“slug”: “tracking-shadow-yachts-that-move-sanctioned-oil-overnight”,
“excerpt”: “Learn open source intelligence techniques to expose shadow tankers that disable AIS to move sanctioned crude in this OSINT guide.”,
“category”: “osint”,
“author_name”: “RishiSec Editorial”,
“featured”: false,
“status”: “published”,
“content”: “\n
Picture this: it is 02:00 local time off Bandar Abbas. A rusty LR2 tanker squawks one last AIS ping, then vanishes. Twelve hours later she re-appears 200 nm farther south, draft three meters deeper, and heads east at 14 knots. Somewhere between those two points she rafted up to a barge and took on Iranian crude worth ninety million dollars. If you work sanctions enforcement, military intel, or red-team logistics, that gap is pure gold—and today we will mine it with nothing more than open source intelligence, a few scripts, and the stubbornness of a 20-year penetration tester who hates losing.
\n\n[FEATURED_IMAGE]\n\n
Why Shadow Fleet Tracking Matters Right Now
\n
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) added over 400 vessels to the SDN list in 2025 alone, yet global crude differentials still price in a \”sanctions discount.\” The delta is explained by a 600-ship armada of aging tankers that spoof, switch off, or simply forget to transmit AIS. Analysts at CSIS estimate this shadow fleet moved 2.4 billion barrels last year—enough to fund two medium-size wars. The good news? Every dark voyage leaves footprints in satellite imagery, commercial RF, port state control records, and insurance filings. Our job is to stitch those crumbs together faster than the captains can scrub their decks.
\n\n
Build a 30-Minute OSINT Workflow
\n
You do not need a top-secret clearance—just disciplined collection. Below is the repeatable process I teach in OSINT for Law Enforcement: A Guide to Digital Investigations and run inside Kindi when the timeline is tight.
\n\n[IMAGE_1]\n\n
Step 1: Harvest Last-Known AIS
\n
Start with free aggregators like VesselFinder or MarineTraffic. Export CSV for the 48-hour window surrounding the blackout. Key fields: IMO, draught, speed, course, destination, and—critically—the MMSI. Note any sudden draught change; a 2 m jump on a 300 m tanker equals ~90 kt of cargo.
\n\n
Step 2: Pivot on MMSI/IMO Spoofing
\n
Shadow operators often recycle MMSIs. Use the ITU ship station search to confirm the assigned flag state. If the MMSI registry shows \”Panama\” but your target advertises \”Tanzania,\” you have a flag mismatch indicator worth reporting. Record the hexadecimal value; it encodes the country code.
\n\n
Step 3: Grab Sentinel-1 Radar
\n
Sentinel-1 C-band is 10 m resolution, free, and night/cloud agnostic. Use Copernicus Open Hub to task a descending pass within six hours of the blackout. In your SAR scene look for a 300 m bright hull with a 100 m shadow—tankers are boxy and sit high when empty. If you see two hulls rafted together, congratulations—you just caught a ship-to-ship (STS) transfer.
\n\n
Step 4: Pair with PlanetScope Optical
\n
Commercial 3 m imagery confirms color and plume. Iranian heavy crude has a tan sheen; Venezuelan Merey is darker. Push both images into a free GIS like QGIS, geo-reference using the ship’s lat/long, and measure tank-top temperature with a thermal band if available. Hot spots suggest recent cargo movement.
\n\n
Step 5: Fuse Insurance and Port Data
\n
International Group P&I clubs withdraw cover once a vessel hits the SDN list, so re-flagging is common. Query Equasis or the Panama Canal Authority public API for ownership changes within 90 days. Match beneficial owner names against OFAC’s 50-percent-rule spreadsheet. One shell company leads to another; graph it in Maltego or Kindi so analysts can chase edges instead of staring at spreadsheets.
\n\n
Automated Hints for SOC-Style Monitoring
\n
If you defend a port, energy terminal, or insurer, treat each new AIS dropout as an IOC. A three-line Python cron:
\n\n
- \n
- Pull hourly AIS feed into InfluxDB
- Alert when MMSI age > 240 min within 50 nm of your coastline
- Auto-enrich with OFAC lists via OSINT enrichment playbooks
\n
\n
\n
\n\n[IMAGE_2]\n\n
Feed results to your SOAR and you have continuous maritime domain awareness for the price of a pizza.
\n\n
Case File: The Midnight STS off Cabo Blanco
\n
In March 2025 the 319 kt VLCC Artemis Glory disappeared for 31 h while transiting the Venezuelan EEZ. Sentinel-1 captured her alongside the small tanker Lumen Star. AIS gaps, draft delta, and a $0.68/bl discount on the July cargo gave us enough to brief an interdiction team. The vessel was boarded 12 days later in Suez; insurers cancelled cover and the cargo was sold at auction. Total investigation time: 18 man-hours, all unclass data.
\n\n
Red-Team Tips: How to Hide (and How We Still Find You)
\n
Shadow captains read blogs too, so here is what they try:
\n\n
| TTP | OSINT Counter |
|---|---|
| Turn off AIS near known sat overpass times | Compare SAR timestamps to AIS gaps; if temporal delta <10 min, intentional |
| Use shell companies in Hong Kong + Marshall Islands | Cross-reference against ICIJ offshore leaks in cross-border entity graphs |
| Spoof IMO numbers on hull photos | Use computer-vision OCR on high-res Planet imagery; mismatched fonts reveal paint-over |
\n\n
Bottom line: physics beats piracy every time. You can switch off a transponder, but you cannot switch off your wake, your thermal signature, or your need to refuel—all traceable via open sources.
\n\n
Toolkit Cheat Sheet
\n
- \n
- Free AIS: MarineTraffic API tier, VesselFinder
- SAR: Copernicus Sentinel-1, Alaska Satellite Facility
- Optical: PlanetScope, Sentinel-2
- Registry: Equasis, ITU MARS, Panama Public API
- OCR: Tesseract, Google Vision
- Graph: Maltego CE, Kindi
- Timeline: Elastic + Timelion
\n
\n
\n
\n
\n
\n
\n
\n\n
Pro-tip: cache all raw data. Sanctions cases can drag for years and you will thank yourself when the defense lawyer claims your screenshot was \”photoshopped.\”
\n\n[IMAGE_3]\n\n
Conclusion
\n
Shadow fleet tracking is not rocket science; it is just good OSINT hygiene. Harvest AIS, fuse satellite, enrich with corporate registries, and timeline everything. The trick is speed—because while we speak, another tanker is lining up off Asaluyeh preparing to go dark. Happy hunting.
\n\n
Want to strengthen your OSINT skills?\nCheck out our OSINT courses for hands-on training.\nAnd explore Kindi — our AI-driven OSINT platform built for speed and precision.
\n\n
FAQ
\n
Q1: Is AIS spoofing illegal?
\nA: Under SOLAS regulation V/19 it is mandatory to transmit accurate AIS info; deliberate falsification violates flag-state law and can trigger port-state detention.
\n\n
Q2: Do I need a warrant to query commercial AIS data?
\nA: No. AIS is broadcast on public spectrum; no expectation of privacy. For SAR imagery, check your nation’s remote-sensing license if you re-distribute.
\n\n
Q3: Can small fishing vessels act as STS hubs?
\nA: Rarely. Their freeboard is too low for large tankers. Look instead for 50–120 m product tankers fitted with cranes and fenders—cheap to charter and deep enough.
\n\n
Q4: How accurate is Sentinel-1 for length estimation?
\nA: With 10 m resolution and proper geolocation, ship length error is ±20 m; good enough to distinguish VLCC from Aframax.
\n\n
Q5: What is the single biggest indicator of a sanctions run?
\nA: Combined AIS blackout + draft increase visible in the next in-port report. Everything else is supporting evidence.
\n\n
”
}