FleetLeaks now includes an AIS Events layer that flags tanker behavior patterns and attaches inspectable evidence to each detection.
These are candidates for review—not proof of wrongdoing. The system is designed to shorten the distance between “something looks off” and “here are the coordinates, timestamps, counterparties, and supporting signals to examine.”
Here’s what’s new:
- AIS Events timeline tracking tanker movements across monitored zones
- Explainable scoring for ship-to-ship transfer candidates with component breakdowns
- Satellite corroboration badges when Sentinel-1 SAR imagery or VIIRS thermal anomaly indicators are available
- Weekly intelligence briefs summarizing repeat patterns, hotspots, and notable events
This post explains what the system does, how to use it, and—just as importantly—what it deliberately does not claim.
Who This Is For
FleetLeaks AIS Events serves four primary audiences, each with different needs:
Investigative journalists get timestamped, structured leads with evidence panels they can cite. When you’re writing about sanctions evasion, you need more than a tip—you need coordinates, timeframes, vessel identifiers, and reproducible methodology. This system provides that foundation.
NGOs and academic researchers gain access to pattern detection at scale. Instead of manually cross-referencing vessel tracks, you can query structured event data, examine repeat relationships between vessels, and identify behavioral clusters that warrant deeper investigation.
Compliance and risk teams receive early warning signals. If a vessel in your supply chain appears in an STS candidate event near a sanctioned terminal, that’s information worth having—even if it’s not a definitive judgment. The system surfaces risk indicators; your due diligence process evaluates them.
OSINT practitioners get what they’ve always wanted: show-your-work scoring. Every confidence number has a breakdown. Every event has a structured evidence panel. The methodology is documented and versioned. You can reproduce our findings and challenge our logic.
The Core Idea: Patterns → Candidates → Evidence
Maritime sanctions enforcement faces a fundamental problem: there’s too much data and not enough context. Thousands of tankers move through monitored waters every day. Most are conducting legitimate operations. Some are not. Distinguishing between them requires systematic pattern detection, not manual surveillance.
FleetLeaks AIS Events works in layers:
Layer 1: Watch tanker AIS behavior. We ingest AIS position broadcasts and run detection primarily within defined monitoring zones—Russian oil export terminals, known STS hotspots, and strategic chokepoints. We filter for tankers (AIS ship types 80-89) because that’s where sanctions-relevant activity concentrates.
Layer 2: Detect defined patterns. The system looks for specific behavioral signatures: vessels entering monitored zones, AIS transmission gaps, loitering patterns, and proximity events consistent with ship-to-ship transfers. Each pattern has documented detection criteria and configurable thresholds.
Layer 3: Attach explainable scores and structured evidence. When a pattern triggers, the system generates an event record with a confidence score and an evidence bundle. For STS candidates, that includes distance measurements, speed profiles, duration calculations, and vessel identification data. The score isn’t a black box—every component is visible and weighted.
Layer 4: Add satellite corroboration when available. For high-priority events, we search Copernicus Sentinel-1 SAR archives and NASA FIRMS for VIIRS thermal anomaly indicators. If imagery or data exists for the right time and place, we attach it. If it doesn’t, we say so explicitly. Corroboration is an add-on, not a requirement—and it provides contextual signals, not vessel identification. Corroboration may appear later as background workers process events.
This layered approach means you can examine any event at the level of detail you need. Skim the summary, or dig into the raw evidence. Both paths are supported.
What FleetLeaks Uses (And What It Deliberately Ignores)
AIS data is noisy. Positions drift. Transponders malfunction. Vessels misreport their type or destination. Any system built on AIS must account for these realities.
FleetLeaks AIS Events reduces noise through deliberate filtering:
Tankers only. We focus on AIS ship types 80-89 (tankers of all sizes) because sanctions on Russian oil exports primarily affect crude and product carriers. Container ships, bulk carriers, and passenger vessels generate events in the raw data, but they’re filtered out before detection runs. This keeps the signal-to-noise ratio manageable.
Flag-based exclusions. Vessels flagged to EU member states, NATO countries, and Five Eyes nations are excluded from detection logic. This is a noise-reduction choice for the initial release, not a claim about vessel innocence. These flags have established regulatory oversight mechanisms, and excluding them reduces false positives without materially affecting detection of shadow fleet activity patterns.
Zone-based monitoring. Events are generated for vessels operating in defined monitoring zones—not the entire ocean. This geographic focus reflects the reality that sanctions evasion has geography: specific terminals, specific anchorages, specific transfer locations. We monitor where the risk concentrates.
What This System Will Miss
Honesty about limitations increases credibility. Here’s what FleetLeaks AIS Events cannot detect:
Vessels with AIS disabled. If a tanker turns off its transponder entirely, it disappears from the data. We can detect the gap when it reappears, but we cannot track dark vessels. This is a fundamental constraint of any AIS-based system.
Evolving evasion tactics. Sanctions evaders adapt. Today’s detection patterns may not match tomorrow’s techniques. We update methodology as we learn, but there’s always a lag between new tactics and detection capability.
Legitimate operations that match evasion patterns. Ships anchor near terminals for legitimate reasons. Vessels drift while waiting for berth assignments. STS transfers happen legally for lightering and bunkering. The system generates candidates based on behavioral patterns—human judgment determines whether those patterns indicate sanctions evasion or routine operations.
Spoofed or manipulated AIS. If a vessel broadcasts false position data, the system will process that data as if it were real. AIS spoofing detection is a separate discipline; we don‘t currently implement it.
These limitations don‘t invalidate the system. They define its scope. FleetLeaks AIS Events is a pattern detection and evidence assembly tool. It surfaces candidates for human investigation. It does not replace investigation.
Event Types: What We Detect and Why It Matters
The system currently detects four event types, each targeting a different behavioral signature.
Zone Dwell
What it detects: A tanker enters a monitored zone and remains there for a defined period, with speed below a threshold indicating the vessel is stationary or drifting rather than transiting.
Why it matters: Tankers don‘t linger near oil export terminals without reason. Extended presence in a zone—especially a sanctioned terminal zone—suggests the vessel is loading, waiting to load, or conducting other terminal-related operations. Zone dwell events create a record of which vessels spent time where.
Typical use case: Identifying tankers that called at Russian terminals during a specific timeframe, even when port call databases haven’t yet updated.
AIS Gap
What it detects: A vessel’s AIS transmissions stop for an extended period (default: 2+ hours), then resume. The system records the last known position, the first position after the gap, and the time elapsed.
Why it matters: AIS gaps can indicate transponder malfunction, satellite coverage issues, or—relevantly—deliberate signal suppression. Shadow fleet vessels sometimes disable AIS during sensitive operations (loading, STS transfers) to avoid detection. A gap that starts near a terminal and ends in open water is more suspicious than a gap in a known coverage dead zone.
Interpretation guidance: Not all gaps are suspicious. Coastal areas have spotty satellite coverage. Some vessels have poorly maintained equipment. The system flags gaps; analysts evaluate context. We’re now adding satellite corroboration to help—if SAR imagery or thermal anomalies appear during the gap window, that’s noted in the evidence panel.
Loitering
What it detects: A vessel moves slowly within a defined area for an extended period, without entering a port or anchoring at a designated anchorage. Speed remains below transit thresholds, but the vessel isn’t stationary.
Why it matters: Loitering patterns can indicate a vessel waiting for an STS rendezvous, avoiding port call records by staying offshore, or conducting covert operations away from terminal surveillance. Legitimate loitering happens too (weather delays, waiting for orders), but the pattern itself warrants documentation.
Where it matters most: STS hotspot zones—areas known for ship-to-ship transfers—are the primary focus. A tanker loitering in the Laconian Gulf or near Ceuta raises different questions than one loitering in a busy anchorage.
STS Candidate
What it detects: Two tankers in close proximity (default: within 500 meters), both moving slowly (under 2 knots), for an extended duration (30+ minutes). The system identifies the pair, calculates minimum distance, tracks duration, and assembles vessel identification data for both parties.
Why it matters: Ship-to-ship transfers are the primary mechanism for laundering sanctioned oil. Crude loaded at a Russian terminal transfers to a non-sanctioned vessel offshore, which then delivers to the end buyer with obscured origin documentation. Detecting STS candidates—even without confirming cargo transfer occurred—identifies the vessel pairs and timing that warrant further investigation.
Why “candidate” matters: Proximity and slow speed don‘t prove cargo transfer. Vessels anchor near each other. Tugs assist tankers. Bunkering operations involve close approaches. The system identifies behavioral patterns consistent with STS; it doesn’t confirm that oil moved between hulls. That confirmation requires documentation—bills of lading, cargo manifests, port records—that AIS cannot provide.
How to Use It: A Practical Walkthrough
This section explains how to work with FleetLeaks AIS Events as an analyst or researcher. The interface is designed for investigative workflows, not casual browsing.
Step 1: Start at AIS Events
Navigate to the Events page. You’ll see a filterable list of detected events, a map showing event locations with color-coded markers by event type, and tools to narrow results by type, zone, vessel, and timeframe.
Filtering matters. The default view shows recent events across all types and zones. For focused analysis, filter by:
- Event type: Show only STS candidates, or only AIS gaps
- Zone: Limit to a specific terminal or STS hotspot
- Date range: Focus on a particular timeframe
- Vessel identifier: Search for events involving a specific MMSI or IMO number
- Sanctioned vessels only: Filter to events involving designated vessels
The goal is reduction. Thousands of events exist in the database. Your investigation probably cares about dozens. Use filters aggressively.
Step 2: Read an Event Like an Analyst
Click any event to expand its evidence panel. Here’s what you’re looking at:
The confidence score indicates how strongly the behavioral pattern matches the detection criteria. For STS candidates, this is a 0-100 scale with visible component weights. Higher scores reflect stronger pattern match: closer proximity, longer duration, and steadier low-speed behavior.
The score is not a verdict. A 75/100 STS candidate isn’t “75% likely to be sanctions evasion.” It means 75% of the weighted detection indicators were present. A legitimate lightering operation with two slow tankers at close range for an hour will score high. The score reflects pattern match strength, not illicit intent.
Evidence fields vary by event type:
For STS candidates: minimum distance between vessels, duration of proximity, speed profiles for both vessels, vessel identification (name, IMO, MMSI, flag), zone context, and timestamp.
For AIS gaps: gap duration, last known position and timestamp, first position after gap, distance traveled during gap, and any satellite corroboration data.
For zone dwell: entry and exit times, duration in zone, average speed while in zone, and zone identification.
Read the breakdown before drawing conclusions. If an STS candidate scores high primarily on duration and low on proximity, that tells you something different than the reverse.
Step 3: Follow Links Correctly
Every event links to vessel profile pages. The linking logic matters:
If the vessel is in our sanctioned vessels database, the link goes to the full sanctions profile with designation details, ownership information, and historical tracking.
If the vessel isn’t sanctioned, the link goes to an observed vessel page showing detection history, basic AIS data, and any enrichment we’ve gathered from public sources.
This distinction keeps your investigative trail clean. When you cite a FleetLeaks event, the vessel link provides the supporting context appropriate to that vessel’s status.
Step 4: Interpret Satellite Corroboration Correctly
Some events display satellite corroboration badges. Here’s what they mean:
SAR: Pending — The system has queued a search for satellite imagery but hasn’t completed it yet. Check back later.
SAR: Not Available — No suitable satellite imagery exists for this location and time window. This does not mean the event didn’t happen—it means the satellites weren’t looking at the right place at the right time. Sentinel-1 coverage is not continuous. Not available means no suitable imagery in that window, not that the event didn’t occur.
SAR: Inconclusive — Imagery exists but is ambiguous, inaccessible due to archive constraints, or requires expert interpretation we haven’t completed.
SAR: Snapshot Available — Satellite data from the relevant time and location is attached:
- Sentinel-1 SAR: Radar snapshot showing returns consistent with vessel presence
- VIIRS (FIRMS): Thermal anomaly indicator attached. Thermal anomalies may come from industrial sources, flaring, fires, or other activity unrelated to ships.
Critical interpretation: “Snapshot available” means we have imagery showing something at the location around the time of the event. It’s supporting evidence, not confirmation. SAR can’t identify specific vessels—it shows radar returns that could be the vessels in question. VIIRS thermal anomaly indicators (FIRMS) provide contextual signals that activity may have occurred—they do not identify specific vessels.
Absence of imagery means nothing. If corroboration shows “not available,” that’s a data gap, not evidence against the event. Do not interpret missing imagery as exoneration.
Step 5: Use Weekly Briefs for Triage
If you don‘t have time to review individual events, start with the weekly intelligence brief.
The brief includes:
- Week-at-a-glance statistics: Total events, unique vessels, active zones
- Repeat activity: Vessels appearing in multiple events (potential bad actors or frequent shadow fleet operators)
- Hotspot zones: Which monitoring areas saw the most activity
- New entrants: Vessels appearing in monitoring for the first time that week
- Top STS candidates: Highest-scoring ship-to-ship transfer detections with summaries
- Corroboration highlights: Events where satellite imagery or thermal anomaly data is available
The brief is designed for the workflow: scan headlines, identify highest-signal items, click through to full evidence, then export or share what matters.
Evidence and Citation
FleetLeaks events are designed for citation. Every event includes a structured evidence panel and:
- A stable URL intended for citation
- Timestamped detection data
- Methodology version under which it was generated
- Structured evidence you can reference
Suggested citation format:
FleetLeaks AIS Events, Event #[ID], [Event Type], [Date] UTC. Methodology v[Version]. [URL]
Example:
FleetLeaks AIS Events, Event #753, AIS Gap, Jan 16 2026 19:20 UTC. Methodology v2026.01.18. https://fleetleaks.com/events/?event_id=753
When citing satellite corroboration, note the data source:
Sentinel-1 SAR snapshot available via Copernicus Data Space, [Scene ID], [Acquisition Time].
This format gives readers everything they need to verify your source, check the methodology, and examine the underlying evidence themselves.
What FleetLeaks Will Not Claim
A responsible OSINT platform states its limitations plainly. Here are ours:
Events are not proof of wrongdoing. An STS candidate event means two tankers were close together and moving slowly. It doesn’t prove cargo transferred. It doesn’t prove sanctions violation. It identifies a pattern warranting investigation.
Vessel identity isn’t certain in all cases. AIS data can be spoofed, misreported, or stale. We cross-reference where possible, but we cannot guarantee that the vessel broadcasting a particular MMSI is the vessel registered to that identifier.
Confidence scores aren’t verdicts. A high score means strong pattern match, not high probability of illicit activity. Legitimate operations can score high. Suspicious operations can score low. The score is one input to your analysis, not the conclusion.
Satellite corroboration is best-effort and coverage-limited. We search available archives. If imagery exists and is accessible, we attach it. Absence of imagery proves nothing—satellite coverage is opportunistic, not comprehensive. A “not found” result means no suitable data was available, not that nothing happened.
We don‘t have access to cargo documentation. AIS shows where vessels went and how they behaved. It doesn’t show what they carried or where that cargo originated. Confirming sanctions evasion requires documentation we don‘t have access to.
These guardrails aren’t disclaimers to protect us legally. They’re methodological honesty that makes the system more useful. Knowing what a tool can’t do helps you use it correctly.
What’s Next
FleetLeaks AIS Events will continue to evolve. Planned improvements include:
- Expanded satellite corroboration coverage as we integrate additional data sources and improve search algorithms
- Enhanced relationship mapping showing networks of vessels that repeatedly appear together in events
- Additional monitoring zones covering emerging STS hotspots and newly relevant terminals
- Refined scoring algorithms incorporating feedback from analysts using the system
- Improved vessel enrichment with ownership chains, historical flag changes, and class society data
We’ll document changes in the methodology changelog and version all updates so historical events remain reproducible under their original detection criteria.
Get Started
Explore AIS Events: Browse detected patterns, filter by type or zone, examine evidence panels. → fleetleaks.com/events/
Read the Weekly Brief: A regular summary of notable activity and highest-signal events. → fleetleaks.com/category/ais-intelligence/
Understand the Methodology: Full documentation of detection criteria, scoring logic, and satellite corroboration. → fleetleaks.com/methodology/ais-events/
Report Issues or Contribute: Found a false positive? Have zone suggestions? Want to collaborate? → Contact FleetLeaks through the site.
FleetLeaks AIS Events represents months of development aimed at one goal: turning raw vessel tracking data into structured, citable intelligence that supports sanctions enforcement. It’s not perfect—no OSINT tool is. But it’s documented, versioned, and built for the analysts who need to show their work.
Use it. Challenge it. Help us improve it.