Europe’s coastal states just put sharper language on paper about shadow fleet behavior in the Baltic and North Seas. The message targets two operational weak points that have stayed slippery for years: ship nationality and positioning integrity. The legal threat is specific: shadow fleet stateless vessels. The 14-state warning raises the prospect of treating certain tankers as without nationality under international law, a status that opens the door to boarding and inspection. The question is whether Europe will act on that framing when the next tanker transits.
FleetLeaks has another reason to care. We are already measuring the behaviors named in the warning, at scale, and attaching evidence panels that other analysts can audit. The question is no longer whether these tactics exist. The question is whether Europe will sustain enforcement when the paper meets the next tanker.
Words are not policy. Europe has a pattern.
The frozen Russian assets debate showed the gap: years of statements about using seized funds to support Ukraine, followed by legal hesitation and liability concerns. Maritime enforcement risks the same cycle. Warnings issued, headlines written, then operational caution takes over. The test for shadow fleet enforcement is execution. “May be treated as stateless” is a phrase. A boarding is a fact.
What was said, and what it implies
A group of 14 European states issued an open warning focused on maritime safety risks tied to Russia’s so-called shadow fleet. The letter highlights deceptive practices, including location signal manipulation and flag practices that blur nationality.
The legal line that keeps appearing in coverage is simple: vessels shall sail under the flag of only one state. A vessel using two or more flags according to convenience may be treated as a ship without nationality.
That phrasing is not a new invention. It tracks the core rule in the United Nations Convention on the Law of the Sea that ships on the high seas fall under the exclusive jurisdiction of one flag state, with narrow treaty exceptions. It also tracks the long-standing principle that convenience flag switching can strip a vessel of the ability to claim nationality against other states.
A second thread in the warning focuses on signal integrity. The letter points to GNSS interference and AIS manipulation as safety hazards, with public reporting that the signatories also flagged spoofing or falsifying AIS data as a search and rescue and collision risk. The operational subtext is enforcement leverage. A ship that cannot reliably prove who it is, where it is, and who insures it is a ship that raises the cost of doing nothing.
Evidence vs inference: what “stateless” can mean in practice
FleetLeaks readers have seen the term “stateless vessel” used in headlines with a lot of confidence. The underlying law is narrower and more procedural.
UNCLOS Article 110 covers a right of visit in limited circumstances, including when a ship is without nationality or when there is reasonable ground to suspect the ship has no nationality. It also covers the case where a ship claims a foreign flag but is in reality the same nationality as the visiting warship.
This matters because it sets the boundary between rhetoric and action. A right of visit is a tool for checking nationality. It does not automatically resolve downstream jurisdiction questions. Enforcement can still hinge on coastal state powers in territorial waters, port state control, and the specifics of the boarding context.
The letter’s language signals intent to use that legal space more aggressively. It does not guarantee consistent outcomes. Enforcement will still depend on political appetite, operational capacity, and the willingness to accept escalation risk when a ship resists.
How a legitimate flag change works
A flag change is a transfer of registry. It is administrative, document-heavy, and slow by design. Each flag state sets its own conditions, then issues nationality documents and certificates through its maritime administration and recognized organizations.
A clean change of registry usually includes:
- Deletion or deregistration from the prior registry, documented through a deletion certificate or equivalent proof.
- Registration approval under the new flag state, including ownership and management documentation, class status, and statutory compliance.
- Re-issue or endorsement of safety certificates aligned to the new flag administration and its recognized organizations.
- Radio licensing updates, including call sign and MMSI allocation, followed by AIS configuration changes that match the new identity.
International legal frameworks try to keep flag status stable during voyages. The Convention on the High Seas and UNCLOS both include language that a ship may not change its flag during a voyage or while in a port of call, with an exception for a real transfer of ownership or change of registry.
Those are not cosmetic details. They define what “normal” looks like. They also define where anomalies become actionable.
What “flag hopping” looks like when it turns improper
The phrase “flag hopping” gets used loosely. Some ships change flag for commercial reasons, financing, crewing, or management structures. Illicit behavior starts when flag becomes a tool for ambiguity.
Common improper patterns include:
- A claimed flag that cannot be verified in the registry records of the alleged flag state.
- Rapid flag switches clustered around enforcement events, detentions, sanctions designations, or insurance disruptions.
- Overlapping claims across paperwork and AIS identity fields, including inconsistent radio identifiers.
- A documentation gap where ownership, management, or registration records fail to line up over time.
The 14-state warning highlights the specific risk of vessels sailing under multiple flags according to convenience. That is an observable claim. It is testable through registry records and identity continuity checks.
FleetLeaks will treat any such case as a verification problem first. The core question is whether the ship is entitled to fly the flag it claims. NOAA’s summary of vessel jurisdiction states the same principle in plain terms: once nationality has been granted, a ship may not sail under a different flag unless sold or re-registered.
AIS integrity is a safety rule, and a compliance signal
AIS was built for collision avoidance and maritime domain awareness. It is also a compliance primitive because it exposes a ship’s declared identity and movement in near real time.
The IMO’s own AIS page states that ships fitted with AIS shall maintain AIS in operation at all times, except where international agreements, rules, or standards provide for the protection of navigational information.
The exception exists for real security risk. It exists inside a safety framework. It does not create a free license for silent running as a business practice.
National regulations reflect similar principles. US rules emphasize that AIS should return to continuous operation once the security compromise has passed, and the time and reason for a silent period should be recorded and reported.
What “AIS manipulation” means in operational terms
AIS manipulation is a bucket, not one tactic. For a monitoring system, the useful split is by what breaks.
Availability failures: gaps and silence
A vessel can stop transmitting AIS for benign reasons. Antenna faults, power issues, reception limits, and coastal coverage gaps all exist. Long gaps that start and end in sensitive areas, or repeat as a pattern, deserve attention.
FleetLeaks tracks AIS gap events as timed intervals, with evidence panels, so readers can inspect the raw basis for the classification.
Identity conflicts: name, call sign, MMSI inconsistencies
Ships can broadcast inconsistent identity fields, intentionally or through misconfiguration. Persistent inconsistencies raise the cost of due diligence. They also create plausible deniability in documentary chains.
A registry check becomes the anchor. The IMO number is the stabilizing identifier in most cases. A vessel that loses its IMO in public databases, or appears under conflicting identities, should be treated as higher risk until proven otherwise.
Position integrity failures: GNSS interference and implausible motion
GNSS interference has been reported for years in the Baltic region. The current European warning explicitly cites this as a safety issue.
A monitoring system should treat position anomalies as indicators, not verdicts. Satellite navigation disruption can produce false positions without intent by the vessel. A ship can also benefit from the fog created by interference. Intent is hard to prove from AIS alone.
What FleetLeaks observed in the last 30 days
FleetLeaks AIS Events converts raw tanker AIS tracks into a filterable feed of behavior signals. The event types currently include zone dwell, loiter, STS candidates, and AIS gaps, each with an evidence payload.
From December 29, 2025 through January 28, 2026, FleetLeaks recorded 34,516 AIS events across all monitoring zones.
| Event Type | 30-Day Count | 7-Day Count |
|---|---|---|
| Zone Dwell | 21,705 | 17,120 |
| Loiter | 9,850 | 7,582 |
| STS Candidate | 2,449 | 2,179 |
| AIS Gap | 512 | 382 |
| Total | 34,516 | 27,263 |
These totals are not “shadow fleet count.” They are behavior detections within FleetLeaks monitoring zones. The same vessel can generate multiple events. Each event is a unit of evidence, not a unit of guilt.
European corridor activity: Danish Straits and Baltic transit
The Danish Straits monitoring zone produced 4,160 events over the 30-day window, spanning 171 unique vessels. The event mix in that zone is dominated by zone dwell and loiter signals, with 23 AIS gaps recorded in the same period.
| European Zone | Events (30d) | Unique Vessels |
|---|---|---|
| Danish Straits | 4,160 | 171 |
| Russia Baltic Transit | 2,331 | 95 |
The pattern fits a chokepoint environment. High traffic density increases slow-speed behaviors around traffic separation schemes, pilotage, queuing, and congestion. The data supports a narrow conclusion: the Danish Straits is an area where behavior-based triggers will fire often, and analysts need careful filtering to separate operational friction from risk signals.
These are the exact places where the coastal state warning is aimed. They are crowded. They are politically sensitive. They are the corridors where maritime safety language can translate into intervention.
A FleetLeaks vignette: one STS candidate with auditable evidence
FleetLeaks uses an evidence panel for each STS candidate event, including the time window, vessel identifiers, distance metrics, speed metrics, and a score breakdown that shows why the confidence is high.
Event 31456 is an STS candidate in the Sakhalin South Approach zone. The event window runs from January 26, 2026 at 00:07 UTC to 03:36 UTC. The vessels are AZOV (IMO 9084401) and PHOENIX II (IMO 8603638), both flagged Russia.
| Metric | Value |
|---|---|
| Duration | 209 minutes |
| Minimum separation | 157.8 meters |
| Average separation | 189.9 meters |
| Distance consistency | ±22.8 meters |
| AZOV avg speed | 0.08 knots |
| PHOENIX II avg speed | 0.0 knots |
| Confidence score | 90% |
This is the part that matters for auditability. The claim is not “an STS transfer happened.” The claim is “AIS data shows a high-confidence STS candidate pattern, defined as two tankers maintaining near-stationary, stable parallel positioning at close range for a sustained duration.” That is a signal. Intent and cargo transfer cannot be confirmed from AIS alone.
Satellite corroboration can raise confidence. In this event, FleetLeaks did not find a Sentinel-1 scene covering the area and time window. That absence limits what we can claim.
Why publish a vignette outside Europe in a Europe-focused editorial
The joint coastal warning is about two methods: identity ambiguity and signal ambiguity. Those methods are global. A clear STS vignette provides a concrete example of how FleetLeaks defines and scores a behavior signal, with evidence that a reader can inspect.
European enforcement will not rely on Sakhalin data. European enforcement will rely on the same categories of evidence, applied to the Baltic and North Sea. That is the bridge.
What we think is happening, and what we cannot confirm
FleetLeaks data supports a defensible inference: behavior signals associated with sanctions evasion and gray shipping practices appear repeatedly in specific zones, with some vessel identities generating unusually high volumes of detections.
The same export shows a top STS pair, AZOV and PHOENIX II, appearing as a repeated pair with 394 STS events in 30 days and an average confidence of 81.4%.
| STS Pair | Events (30d) | Avg Confidence |
|---|---|---|
| AZOV + PHOENIX II | 394 | 81.4% |
| FLAGMAN + PHOENIX II | 390 | 91.3% |
| AZOV + FLAGMAN | 380 | 83.4% |
| ZAPRAVSHCHIK 05 + PHOENIX II | 330 | 81.2% |
| AZOV + ZAPRAVSHCHIK 05 | 324 | 77.5% |
This pattern suggests repeat pairing behavior consistent with a sustained operational relationship. The data does not confirm the commodity being transferred. The data does not confirm ownership direction, charter details, or end buyer. Those facts require external corroboration.
A high-quality workflow separates these layers:
- Observation: AIS behavior patterns, timing, location, and identity fields.
- Inference: Consistency with known evasion patterns or high-risk logistics.
- Allegation: Intent, sanctions violations, and state direction.
FleetLeaks publishes the first layer and labels the second. The third requires legal and evidentiary work outside AIS.
The enforcement question Europe has put on the table
Europe’s warning language reads like a shift toward practical friction for vessels that rely on ambiguity. The focus areas are identity, position integrity, and insurance documentation.
Enforcement can take many forms without crossing into escalation. Port state control can demand documentation and detain ships for non-compliance. Coastal states can increase scrutiny in traffic lanes where safety justifications are strongest. Warships can exercise limited rights of visit when nationality is genuinely in doubt, consistent with UNCLOS.
Recent reporting shows at least some movement toward action. France intercepted a tanker identified as Grinch in the Mediterranean in late January 2026, with reporting that it sailed under a possibly false Comoros flag.
Those incidents can become political tests. They demand proof, restraint, and repeatability. A single interception does not equal a policy.
Parallel hesitation: frozen assets and the implementation gap
European institutions have debated ways to use frozen Russian assets to support Ukraine, including proposals structured as loans collateralized by frozen assets. Reporting on that debate repeatedly highlights legal and financial risk as the limiting factor, including concerns about sovereign asset confiscation under international law and distribution of liability among member states.
The same structural tension shows up in maritime enforcement. Public statements can move faster than operational consensus. Legal authority exists in narrow spaces, yet each action carries diplomatic risk. The result can be a cycle of warnings, sporadic interventions, and slow institutionalization.
Europe’s new warning reads as an attempt to shorten that cycle. It frames evasion tactics as safety hazards. Safety hazards trigger processes that do not require a new sanctions package to begin.
What to watch next, and how to measure follow-through
FleetLeaks will treat follow-through as an observable pattern, not a press release.
Signals that indicate enforcement is becoming routine:
- A rising share of “documentation friction” incidents, including detentions, boardings, and forced diversions, linked to nationality ambiguity and insurance gaps.
- Consistent, published standards for what counts as inadequate nationality documentation in the Baltic and North Sea corridors.
- Repeat interventions against the same vessels or the same registries, tied to verifiable deficiencies.
Signals that suggest messaging outpaces action:
- High-volume warnings paired with limited case follow-up.
- Continued tolerance of opaque ownership chains without registry-level enforcement pressure.
- Safety language used without a measurable change in boarding, detention, or port access patterns.
FleetLeaks can support measurement through open event feeds and vessel pages that show identity history, flag history, and behavior signals.
Related: FleetLeaks AIS Events feed | Sanctioned vessel tracking map | Sanctions methodology
Sources
- Global Trade Review — European states take aim at shadow fleet as Russian sanctions tighten
- EUobserver — EU states expand grounds for seizing suspect Russian tankers
- Kyiv Post — Europe targets Putin’s ‘ghost tankers’ in oil crackdown
- IMO — Automatic Identification Systems (AIS) overview and operational expectation
- United Nations — United Nations Convention on the Law of the Sea (UNCLOS), full text
- United Nations — Convention on the High Seas (1958), flag rules and related provisions
- NOAA Ocean Service — Vessel nationality and jurisdiction explainer
- U.S. eCFR — AIS carriage/operation requirements (33 CFR Part 164, Subpart C)
- IALA — AIS guidance and documents
- Finnish Border Guard — GNSS interference and AIS spoofing reporting