AIS Events Methodology

Methodology Version: 2026.01.18

What Data We Use

FleetLeaks AIS Events system processes Automatic Identification System (AIS) broadcasts from vessels worldwide. AIS is a vessel tracking system mandated for most commercial ships, transmitting position, speed, course, and identity information.

Vessel Filtering

To focus on oil sanctions-relevant traffic and reduce noise, FleetLeaks applies the following filters:

Tankers Only

The system monitors only vessels broadcasting AIS ship type codes 80–89 (the ITU “Tanker” class). While these codes broadly indicate tanker vessels, AIS type codes alone do not reliably distinguish between crude carriers, product tankers, LNG/LPG carriers, or chemical tankers.

Corroboration: Vessel type classification is cross-referenced with external maritime databases (MarineTraffic, VesselFinder, Equasis) to confirm vessel characteristics and cargo capabilities. This dual approach—AIS filtering for real-time ingestion, database corroboration for accuracy—ensures we track vessels capable of transporting energy commodities relevant to sanctions enforcement.

Flag State Filtering

Vessels flagged to the following countries are excluded from event detection to reduce false positives from legitimate commercial operations under strong regulatory oversight:

• European Union (27): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden
• NATO (non-EU): Albania, Canada, Iceland, Montenegro, North Macedonia, Norway, Turkey, United Kingdom, United States
• Five Eyes (non-NATO): Australia, New Zealand

Rationale: Vessels under these flags are subject to robust sanctions enforcement regimes and regulatory oversight, making them unlikely participants in deliberate sanctions evasion. Excluding them significantly reduces false positives while maintaining focus on higher-risk traffic.

Note: Shadow fleet vessels commonly register under flags of convenience (Panama, Liberia, Marshall Islands) or flags with minimal oversight (Cameroon, Gabon, Palau, Comoros, Togo). These remain in scope for monitoring.

Flag filtering is applied both at data ingestion and query time to ensure consistent filtering throughout the pipeline.

Data Sources and Limitations

• Coverage Gaps: AIS reception depends on satellite and terrestrial receiver coverage. Some ocean areas have sparse coverage.
• Transmission Gaps: Vessels may experience legitimate technical issues causing transmission interruptions.
• Spoofing and Falsification: AIS data can be manipulated. Vessels may transmit false positions, identities, or other information.
• Voluntary System: While mandated, AIS can be turned off (though doing so while underway may indicate evasive behavior).

Event Definitions

Events are algorithmically-derived indicators based on vessel movement patterns. Each event type represents a pattern that warrants scrutiny in the context of sanctions monitoring and evasion detection.

1. Geofence Enter/Exit

What it detects: Vessel crossing into or out of a defined geographic zone of interest (e.g., sanctioned terminal approaches, offshore transfer zones).

Why it matters: Tracks vessel traffic through sensitive areas and helps establish timelines for port calls and offshore activities.

Trigger: Vessel track crosses zone boundary.

2. AIS Gap Start/End

What it detects: Extended periods where a vessel stops transmitting AIS while underway (speed > 2 knots before gap).

Why it matters: While legitimate coverage gaps occur, extended gaps can indicate deliberate AIS shutoff to hide movements, particularly during ship-to-ship transfers, port visits to sanctioned terminals, or passage through monitored areas.

Trigger: No AIS position for ≥ 120 minutes while vessel was previously moving at > 2 knots.

3. Loiter Event

What it detects: Vessel remaining nearly stationary (speed ≤ 1.0 knot) for extended periods in open water.

Why it matters: May indicate anchoring, waiting, or preparation for offshore activities like ship-to-ship transfers. Contextually significant in known offshore transfer zones.

Trigger: Speed ≤ 1.0 knot for ≥ 90 minutes.

4. STS Candidate (Ship-to-Ship Transfer)

What it detects: Two tanker vessels remaining in close proximity at low speed for extended periods.

Why it matters: Ship-to-ship transfers are a common sanctions evasion technique. While legitimate STS operations occur, undocumented transfers in offshore locations can facilitate movement of sanctioned cargo, obscure origin/destination, and blend compliant and non-compliant cargoes.

Trigger: Two tankers within 500m, both ≤ 2.0 knots, duration ≥ 30 minutes. Events include both vessels’ identities, minimum distance achieved, duration, and speed summaries.

Confidence Scoring

Each event includes an explainable confidence score on a 0–100 scale, where higher scores indicate stronger pattern matches. The scoring methodology is deterministic, rule-based, and designed to be human-readable and defensible.

Storage: Scores are stored as score.value (0–100 integer for display) and the database confidence column contains the normalized 0.0–1.0 value for filtering and sorting.

STS Candidate Scoring Inputs

Ship-to-Ship transfer candidates are scored using six weighted factors (maximum 100 points):

Factor	Max Points	What It Measures
Distance Tightness	25	Minimum separation achieved. Under 100m scores highest; over 400m scores lowest.
Duration	25	Length of proximity period. 2+ hours scores highest; under 45 minutes scores lowest.
Speed Stability	20	Both vessels slow-moving with consistent speeds suggests deliberate station-keeping.
Distance Consistency	15	Low variance in separation distance indicates intentional parallel positioning typical of cargo transfer.
Isolation	10	Fewer nearby vessels suggests offshore meeting rather than anchorage crowding. (Neutral if data unavailable)
Context	5	Bonus for known STS zones; penalty for port/anchorage proximity where legitimate operations are common.

Score Interpretation

• 70–100: High confidence – strong pattern match across multiple factors
• 50–69: Moderate confidence – warrants review
• 30–49: Low confidence – limited indicators present
• <30: Marginal – may be false positive

Evidence packs show the full scoring breakdown including each component’s contribution and a human-readable summary explaining why the event received its score.

Known False Positives and Limitations

False Positives

• Anchorages: Legitimate anchoring can trigger loiter events. Crowding detection helps mitigate this.
• Port Operations: Vessels waiting for berth or pilot may appear as loiter or STS candidates.
• Technical Issues: Legitimate AIS equipment failures can trigger gap events.
• Search and Rescue: SAR operations may produce proximity events.
• Offshore Platforms: Vessels servicing platforms may appear as loiter events.

Limitations

• Context Required: Events must be evaluated with external context (vessel history, cargo, ownership, jurisdiction, known evasion networks).
• Not Proof: Events are indicators, not evidence of illegal activity. They serve as starting points for investigation.
• Coverage Dependent: System only detects patterns where AIS coverage exists.
• Evolving Tactics: Evasion techniques evolve. Event definitions must be periodically updated.
• Flag Filtering: Excluding EU/NATO/Five Eyes flags may miss edge cases where compliant-flagged vessels are involved in sanctions evasion through charter arrangements or ownership structures. However, such vessels remain subject to their flag state’s enforcement mechanisms.
• Flag Changes: Shadow fleet vessels frequently change flags. A vessel excluded today due to a Western flag may later reflag to a higher-risk jurisdiction. Historical data is retained to support longitudinal analysis.

Entity Graph and Top Facilitators

FleetLeaks maintains relationship tables tracking repeat STS encounters between vessel pairs and vessel activity patterns across monitoring zones. These enable “Top Facilitators” lists ranking vessels and locations by event frequency.

Evidence Exports and Weekly Briefs

FleetLeaks provides structured exports and automated intelligence summaries:

Evidence Pack Exports (JSON)

Each exported event contains:

• Core fields: Event type, timestamps (UTC), location coordinates, zone identification
• Vessel identities: MMSI, IMO, vessel name, flag, with links to vessel profiles
• Evidence payload: Full evidence_json including scoring breakdown, distance/duration metrics, speed summaries
• Citation snippet: Pre-formatted plain English summary suitable for reports and citations
• Methodology version: Version tag for reproducibility

Caching note: Exports reflect database state at time of generation. Cached for performance; may not reflect changes made in the last few minutes.

Weekly Intelligence Briefs

Automated weekly summaries are generated containing:

• Week-at-a-glance statistics (event counts by type, unique vessels, active zones)
• Repeat offenders: vessels with multiple events during the period
• Hotspot zones: locations with highest activity
• New entrants: vessels first appearing in monitoring
• Top STS candidates with confidence scores and summaries

Briefs are published only when minimum activity thresholds are met (≥10 events, and either ≥1 STS event or ≥5 unique vessels). This prevents publishing empty or low-value reports.

External Corroboration (Best-Effort)

FleetLeaks attempts to corroborate AIS events using satellite imagery and thermal anomaly sensors. This is a best-effort, supplementary layer—not a replacement for AIS-based detection, and not proof of illicit conduct.

Sentinel-1 SAR Imagery

For STS candidates and AIS gap events, the system searches the Copernicus Data Space catalog for Sentinel-1 SAR (Synthetic Aperture Radar) scenes covering the event’s location and time window.

Capabilities:

• Works day and night (active radar illumination)
• Penetrates cloud cover
• Can detect vessel-sized metallic returns
• Provides snapshots, not continuous tracking

Limitations:

• Orbital revisit times mean gaps in coverage (not every location is imaged at every time)
• Cannot identify specific vessels—only presence of radar returns consistent with vessels
• Cannot prove what cargo or activities occurred
• Image interpretation may be ambiguous without expert review

VIIRS Thermal Anomaly Detection (NASA FIRMS)

For AIS gap events, the system queries NASA FIRMS (Fire Information for Resource Management System) for VIIRS thermal anomalies in the gap corridor. FIRMS detects thermal hotspots—not general vessel lights.

What FIRMS Detects:

• Gas flaring from tankers or offshore platforms
• Active fires or combustion sources
• Industrial thermal signatures (hot machinery, exhaust)

What FIRMS Does NOT Detect:

• Dim vessel navigation lights
• Standard vessel deck lighting
• Low-intensity light sources

Limitations:

• Requires significant thermal emission—dim lights won’t register
• Coarse spatial resolution (~375m)—cannot pinpoint exact positions
• Can be confounded by offshore platforms, fishing fleets with flares, or natural fires
• A thermal detection does not identify a specific vessel

Interpretation: A VIIRS “signal” means a thermal anomaly (likely a flare or hot source) was detected in the corridor during the gap window. This is a supporting indication that activity may have occurred—not proof of a specific vessel’s presence.

Status Definitions

Events display corroboration status for each data source checked:

STS SAR Status (evidence_json.sar.status)

Status	Meaning
pending	SAR search queued but not yet processed
snapshot	SAR imagery attached showing radar returns at reported location/time window
confirmed	SAR imagery manually reviewed and verified to show vessel-consistent returns
inconclusive	Imagery exists but is ambiguous, or access was limited (auth required, rate limited)
not_found	No suitable SAR scene available for this AOI and time window
error	Technical error during search or retrieval (will be retried)

AIS Gap SAR Status (evidence_json.gap_enrichment.sar.status)

Status	Meaning
pending	Search queued
snapshot	SAR scene available during gap window in corridor—shows a snapshot in time, not vessel identification
inconclusive	Scene exists but preview unavailable or access limited
not_found	No SAR coverage in corridor during gap window
error	Technical error

VIIRS Status (evidence_json.gap_enrichment.viirs.status)

Status	Meaning
pending	Search queued
signal	Thermal anomaly (flare, hot source) detected in corridor during gap window—supporting indication only
inconclusive	Access limited or data ambiguous
not_found	No VIIRS detections in corridor during gap window
error	Technical error

Critical Warning: Absence of Evidence

Weekly Intelligence Briefs

FleetLeaks publishes automated weekly intelligence briefs summarizing AIS event activity. These briefs are automatically generated and include:

• Week-at-a-glance statistics (events, vessels, zones)
• Repeat offenders (vessels with most events)
• Hotspot zones (most active monitoring areas)
• New entrants (first-time vessels)
• Top STS candidates with confidence scores and summaries
• Corroboration Highlights: Events where SAR snapshots or VIIRS signals are available

Corroboration Highlights in Briefs

When imagery assets are available, briefs include a “Corroboration Highlights” section listing events with:

• 🛰️ SAR snapshot – Sentinel-1 imagery available
• 🔥 VIIRS signal – Thermal anomaly detected (flare/heat source)

Repeat offender and hotspot zone tables include corroboration counts where applicable.

Briefs are published only when minimum activity thresholds are met (≥10 events, and either ≥1 STS event or ≥5 unique vessels). This prevents publishing empty or low-value reports.

Zone Discovery

FleetLeaks monitors specific geographic zones for sanctioned vessel activity. Rather than watching the entire ocean, we focus on waters where sanctions evasion actually occurs—reducing data costs while maintaining detection coverage.

Zone Sources

Source	Description	Default Tier
OSINT Hotspots	Ship-to-ship transfer zones documented by public research (Kpler, Wisconsin Project, USNI, Vortexa)	Tier A
Russian Terminals	Export facilities and approaches (Primorsk, Ust-Luga, Novorossiysk, Kozmino, Sakhalin, etc.)	Tier A
Discovered	Algorithmically identified from sanctioned vessel behavior patterns	A or B

Discovery Process

The discovery system analyzes historical position tracks of sanctioned vessels to find where suspicious behavior clusters:

1. Behavior Extraction

From vessel position histories, we extract three behavior types:

• AIS Gaps: Signal loss exceeding threshold. Captures last-seen and first-seen positions around gaps.
• Dwell Episodes: Prolonged slow movement suggesting loading, waiting, or transfer operations.
• Loiter Patterns: Vessels circling in confined areas—waiting behavior near terminals or transfer zones.

Thresholds are tunable defaults. Different regions may warrant different parameters.

2. Spatial Clustering (DBSCAN)

Raw behavior points are clustered using DBSCAN (Density-Based Spatial Clustering). A single vessel drifting is noise, but multiple sanctioned vessels exhibiting suspicious behavior in the same area is a signal.

• Clusters require multiple distinct vessels (single-vessel activity is filtered)
• Haversine distance for spherical geometry
• Parameters tuned per region

3. Evasion Scoring

Each cluster is scored (0–100) on sanctions evasion indicators:

Factor	Signal
Distinct sanctioned vessels	More vessels = established pattern
Cumulative dwell hours	Longer stays = significant operations
AIS gap count	Potential transponder manipulation
Night activity fraction	Darkness as cover
Distance from major ports	Remote areas warrant scrutiny

4. Port Noise Filtering

Clusters near major commercial ports (Rotterdam, Singapore, Suez, etc.) are flagged as likely congestion and excluded—unless OSINT confirms evasion activity at that location.

Tiering and Governance

Tier A (Core Monitoring): Always active. Includes Russian terminals, OSINT-confirmed hotspots, and high-confidence discovered zones.

Tier B (Scout Zones): Trial monitoring for 14–30 days. Promoted to Tier A if sustained activity; dropped if no events after trial period.

Validation

The algorithm—given no geographic hints—independently identified known Russian terminals (Ust-Luga, Primorsk, Sakhalin) and OSINT-documented STS zones (Ceuta, Malta/Hurd’s Bank, Laconian Gulf). This validates the behavioral approach: clusters form where evasion actually occurs.

Integration With Detection

Zones feed directly into AIS streaming subscriptions:

1. Discovery script generates merged zone set (OSINT + Russia + Discovered)
2. Zones sync to WordPress database
3. Ingest daemon reads zones on startup
4. Subscription bbox calculated from enabled zone bboxes
5. Events detected within zones are flagged with zone_id

Goal: Monitor only waters that matter, reducing data volume while maintaining coverage of known evasion areas.

Zone Discovery Limitations

• AIS dependency: Vessels with disabled transponders don’t generate behavior points.
• Temporal bias: Recent activity weighted more heavily than historical patterns.
• Port proximity: Noise filter is blunt; some evasion near ports requires OSINT override.
• Parameter sensitivity: Clustering parameters affect results—too tight misses dispersed areas, too loose creates oversized bboxes.
• Coverage gaps: Regions with few sanctioned transits won’t generate discoveries.

OSINT Sources

Zone definitions incorporate public research from:

• Kpler (Aug 2024): Mediterranean STS shifts post-Greek enforcement
• Wisconsin Project (Nov 2024): Global STS location analysis
• USNI Proceedings (Jun 2024): Russian oil tradecraft patterns
• Vortexa/Newsweek (Nov 2024): Emerging Aegean activity

Each OSINT-sourced zone includes citations with source, date, and URL where available.

Update Cadence

Component	Frequency
Behavior extraction + clustering	Monthly (1st of month, automated)
OSINT review	Quarterly (manual research)
Tier promotion/demotion	Weekly (based on event activity)

Methodology Versioning and Changelog

All event records include the methodology version under which they were detected. This enables:

• Reproducibility of results
• Transparent updates to detection logic
• Comparison across methodology versions

Version Timestamps in Events

Each event stores:

• methodology_version: Detection rules version at event creation time
• evidence_json timestamps: Enrichment processes (SAR, VIIRS) record searched_at timestamps when they update evidence

This allows distinguishing between when an event was detected vs. when corroboration data was added.

Independent Evolution

Different system components may evolve at different rates:

• Detection rules: Core event detection logic (gap thresholds, proximity rules, etc.)
• Scoring algorithms: Confidence scoring inputs and weights may be refined independently from detection rules
• Corroboration layers: SAR/VIIRS status is added asynchronously and does not alter the underlying event or its confidence score
• Relationship tables: Entity graph aggregates (STS pairs, vessel-zone patterns) are derived summaries that update retroactively as new data arrives

When viewing historical events, the methodology version indicates the detection rules in effect at detection time. Scores and relationship data reflect current algorithm versions applied to stored evidence.

Current Version: 2026.01.18

Changelog:

• 2026.01.19 (Phase 8): Zone Discovery system. Automated extraction of monitoring zones from sanctioned vessel behavior patterns using DBSCAN clustering. Merged with OSINT hotspots and Russian terminal database. Tiered governance (A/B) with automated promotion/demotion. Interactive hotspot map shortcode.
• 2026.01.18 (Phase 7): AIS gap corroboration using SAR snapshots and VIIRS thermal anomaly detection (via NASA FIRMS). Gap events now show corridor search results with status badges. Weekly briefs include “Corroboration Highlights” section with per-vessel and per-zone corroboration counts.
• 2026.01.17 (Phase 6): Added SAR satellite corroboration for STS events. Asynchronous job queue searches Copernicus Sentinel-1 archive. Preview imagery attached where available. Status badges displayed on event cards.
• 2026.01.16 (Phase 5): Explainable scoring for STS candidates (0–100 scale with component breakdown). Entity graph tracks repeat STS encounters. JSON export API with citation snippets. Weekly automated intelligence briefs.
• 2026.01.10: STS detection using spatial-temporal bucketing. Two tankers within 500m, both <2 knots, for 30+ minutes.
• 2026.01.05: Tanker-only filtering (AIS types 80-89). Flag state exclusion for EU/NATO/Five Eyes vessels. MMSI-based flag inference at ingestion.

How to Use This Data

FleetLeaks AIS Events are designed to support:

• Investigative Journalism: Citeable, timestamped evidence for reporting on sanctions evasion.
• Compliance Officers: Risk signals for vessels in supply chains or counterparties.
• Regulators: Leads for enforcement investigations.
• Researchers: Structured data for pattern analysis and network mapping.

Best Practices:

• Always review evidence packs to understand supporting data
• Cross-reference with vessel ownership, flag, cargo manifests, port records
• Consider regional context and legitimate operational patterns
• Treat high-confidence events as priority candidates, not conclusions

---

For questions about methodology or to report issues, contact FleetLeaks.