AIS Manipulation: Detection Techniques and the Shadow Fleet Era

The manipulation of Automatic Identification Systems has evolved from a niche sanctions-evasion tactic into a maritime security crisis affecting global trade. This guide examines the current state of AIS manipulation, detection methodologies, and practical approaches for compliance professionals navigating an increasingly complex threat landscape.

The Scale of the Problem

The numbers are staggering. According to Windward’s 2024 analysis, approximately 588,000 lost AIS transmission events were recorded in the second quarter of 2024 alone. While not all represent intentional manipulation, the sheer volume reflects the challenge facing compliance teams.

Windward’s research estimates Russia’s shadow fleet has grown to between 1,100-1,400 vessels that routinely employ AIS manipulation techniques. This represents a dramatic expansion from the relatively small fleets operated by Iran and Venezuela in previous decades.

The practice isn’t new. Maritime security experts note that following the 2012 sanctions on Iran, cases of AIS spoofing rose drastically, with Iranian tankers changing flags and fraudulently entering ports. But the scale accelerated dramatically after Russia’s 2022 invasion of Ukraine.

A 2024 European Parliament briefing on Russia’s shadow fleet documented how these vessels utilize ship-to-ship transfers, AIS blackouts, spoofing of positions and ownership data, and even changes to vessel identity including IMO numbers.

Why AIS Was Never Designed for Security

Understanding AIS manipulation requires understanding why the system is vulnerable. As Windward explains, AIS was originally designed as a safety precaution to avoid collisions when developed under SOLAS (Safety of Life at Sea) regulations. The system was never intended as a tracking tool or security solution. AIS technology relies on radio frequency and manual data input, making it inherently prone to human error or intentional manipulation.

This design limitation is critical: AIS broadcasts on open VHF frequencies (161.975 MHz and 162.025 MHz) without authentication mechanisms, making manipulation technically straightforward for those with intent.

Regulatory Requirements

Under SOLAS Chapter V Regulation 19.2.4, AIS is mandatory for vessels of 300 gross tonnage and above on international voyages, cargo ships of 500 gross tonnage and above on domestic voyages, and all passenger vessels regardless of size. However, Global Fishing Watch notes that the regulation allows masters to disable AIS if “continual operation might compromise the safety or security of the ship.”

This exception, intended for legitimate security concerns like piracy zones, has been exploited by vessels engaged in illicit activities.

The Four Primary Manipulation Techniques

Research by Pole Star Global has identified four main typologies of AIS manipulation: location tampering, identity theft, AIS handshake, and shell companies.

1. Location Tampering (GNSS Manipulation)

Location tampering involves the intentional manipulation of a vessel’s AIS broadcast information to deceitfully change its reported position. Vessels transmit false coordinates showing them in one location while actually operating elsewhere—often in sanctioned ports or conducting ship-to-ship transfers.

2. Identity Theft

Identity theft occurs when one vessel adopts the identity of another vessel currently in operation, resulting in a duplication of transmitted identifiers. This technique is particularly effective when using “sister ships” with similar specifications.

Case Study: The Yuk Tung Incident

Windward documented a striking example from November 11, 2018. The Yuk Tung vessel spoofed its AIS, transmitting under a Panamanian flag using the vessel name Maika. The Hika, a Comoros-flagged vessel, had the same IMO number as the Maika—they were sister ships built in the same year by the same manufacturer with identical specifications. However, during this time, the Hika was actually over 7,000 miles away.

This case demonstrated how sophisticated actors had become at exploiting AIS vulnerabilities, using legitimate vessel data from sister ships to create credible false identities.

3. AIS Handshake

The AIS handshake is perhaps the most coordinated technique. According to multiple maritime security sources, it employs a decoy vessel as camouflage, where a “compromised” vessel assumes the identity of a “clean” vessel sailing in close proximity, while the authentic “clean” vessel operates discreetly toward its destination. Upon completion, the vessels reverse the switch.

This technique requires coordination between two vessels but allows sanctioned cargo to reach its destination while maintaining the appearance that the “clean” vessel followed a legitimate route.

4. Shell Companies and Ownership Obscuring

Shell companies are business entities established primarily to conceal the true ownership of vessels or cargo, facilitating illicit activities and evading sanctions. The European Parliament’s research found that Russia’s shadow fleet relies heavily on the involvement of shell companies registered in jurisdictions with lax transparency requirements to conceal ultimate beneficial owners.

Detection Methodologies: What Actually Works

Satellite-Based Cross-Referencing

Global Fishing Watch has developed multiple methods for detecting location spoofing: manually inspecting maps for vessel tracks that overlap with land, using information about the satellite that receives the AIS signal to calculate the distance between signal reception and vessel position, leveraging satellite imagery like Sentinel-1 to confirm suspected spoofing for large vessels, and using queries that remove specific known location spoofing patterns.

When a vessel’s AIS signal indicates it’s in the middle of Colorado or the signal reception point is significantly farther from the satellite than the reported position suggests, these are clear indicators of manipulation.

Synthetic Aperture Radar (SAR) Integration

Research published in MDPI Sensors demonstrates that combining AIS data with SAR imagery from sources like Sentinel-1 allows detection of vessels that are not reporting their positions. The approach attempts point-to-point and point-to-line correlations between SAR detections and AIS data, labeling unmatched SAR targets as potentially dark vessels.

SAR systems can detect vessels regardless of weather conditions or time of day, making them particularly effective for identifying vessels operating with disabled AIS in specific geographic areas.

TDMA Protocol Analysis

A 2023 study in Expert Systems with Applications developed a detection strategy that checks the compliance of sent AIS messages with the time-division multiple access (TDMA) communication protocol for every ship to detect message falsifications. The strategy uses a Kalman filter to track every ship and assess the consistency of their velocity data.

This technical approach identifies vessels whose AIS messages don‘t follow the expected TDMA slot allocation patterns, revealing manipulation at the protocol level.

Behavioral Pattern Analysis

Research on AIS-based maritime anomaly detection shows that machine learning techniques can build models from training data to perform predictions and classifications. With AIS data, vessel route patterns can be identified through density analysis, and deviations from those patterns can be treated as anomalous.

Advanced systems now use AI to establish normal behavioral patterns for specific vessel types and routes, flagging deviations that may indicate illicit activity. However, Windward’s analysis found that their AI-powered model flagged only 0.7% of lost transmissions as risky due to sanctions evasions despite the massive volume of AIS gaps.

This statistic underscores an important point: context matters immensely. Not all AIS gaps represent illicit activity, and sophisticated detection requires the ability to distinguish between legitimate operational reasons and intentional evasion.

Practical Guidance for Compliance Teams

Multi-Source Verification

Never rely solely on AIS data. Research demonstrates that individual technologies have distinct limitations, but when combined, they can provide a better view of what is happening at sea. Effective monitoring requires:

• AIS tracking data
• Satellite imagery verification (both optical and radar)
• Port call records
• Ship-to-ship transfer monitoring
• Ownership and flag state history
• Insurance and P&I club verification

Red Flags to Monitor

Vessel Behavior:

• Frequent AIS transmission gaps, particularly near sanctioned ports
• Sudden changes in reported position that would require impossible speeds
• AIS tracks showing vessels “traveling” over land
• Patterns of going dark before entering specific geographic areas

Identity Indicators:

• Recent flag state changes, especially to flags of convenience (Panama, Liberia, Marshall Islands)
• Inconsistent vessel information across different data sources
• Multiple vessels sharing the same IMO number during overlapping time periods
• Ownership structures involving shell companies in opaque jurisdictions

Operational Patterns:

• Ship-to-ship transfers in international waters, particularly in known “bunkering hubs” like the Laconian Gulf (as documented in Atlantic Council’s research)
• Vessels avoiding ports where inspections are likely
• Rapid aging of vessel fleets—Norwegian authorities noted crude oil tanker average age increased from 8.5 years in 2020 to 15 years by April 2024

Technology Investment

Manual analysis of AIS data at scale is impractical. As research on maritime anomaly detection makes clear, manually identifying patterns and anomalous behavior in massive volumes of data is impractical, requiring machine learning techniques.

Consider platforms that integrate:

• Real-time AIS monitoring with historical pattern analysis
• Satellite imagery access (SAR and optical)
• Automated anomaly detection algorithms
• Sanctions list screening
• Ownership and corporate structure analysis

The Context Imperative

Windward’s analysis emphasizes that simply screening for sanctions lists or detecting dark activity is insufficient. Detecting location manipulation without advanced technology is impossible.

Some AIS turn-offs are legitimate. Vessels may disable AIS to protect themselves from piracy or missile attacks in high-risk areas such as Somalia and the Red Sea. The key is distinguishing between legitimate security measures and illicit evasion—something that requires sophisticated analysis combining multiple data sources with maritime domain expertise.

Conclusion

AIS manipulation has evolved from a niche problem into a systematic challenge affecting global maritime trade, particularly in the sanctions enforcement context. The explosive growth of Russia’s shadow fleet since 2022 represents an inflection point, demonstrating both the scale of the problem and the sophistication of modern evasion techniques.

For compliance professionals, the path forward requires three elements: understanding the specific manipulation techniques being employed, implementing multi-source verification systems that don‘t rely solely on AIS data, and investing in technology platforms capable of analyzing patterns at scale while providing the context necessary to distinguish between legitimate operations and illicit activity.

The vessels using these techniques are getting more sophisticated, but so are the detection methodologies. Success requires staying current with both.