Maritime OSINT: Tracking Dark Ships & Shadow Fleets

Every day, thousands of oil tankers move through the world’s oceans. Most of them broadcast their position, their name, and their destination to anyone who wants to look. But some of them don’t. The ones that go quiet, the so-called dark ships, are the most interesting ones to follow. This is where maritime OSINT methods become essential.

This guide walks through how open-source intelligence (OSINT) methods can be used to track vessels that try to disappear, what tools are available for free or low cost, and how to piece together a picture when a ship deliberately cuts off its signal. The examples in this guide draw from the Persian Gulf region, where a significant share of the world’s oil moves through a narrow corridor and where the incentives to deceive are extremely high.

The Strait and the Stakes

The Strait of Hormuz is about 33 kilometers wide at its narrowest point. Roughly 20% of the world’s oil supply passes through it. When tensions rise in the region, shipping patterns change fast. Vessels reroute, go silent, transfer cargo at sea, and change their names. For anyone trying to understand what is actually happening, those behavioral changes carry enormous intelligence value.

Bustling Persian Gulf at Night, 2020 (NASA)

Sanctions enforcement, insurance underwriting, commodities trading, and conflict monitoring all depend on knowing where ships actually are and what they are actually carrying. Open-source methods can fill that gap.

Two Types of Ships That Hide

Before getting into tools, it helps to understand the two categories of vessels that analysts spend the most time looking for.

Dark ships or dark fleets are vessels that have switched off their Automatic Identification System (AIS) transponder. Every commercial ship above a certain size is generally required under international regulations to broadcast AIS signals. When a ship goes dark, it has stopped doing that. This can happen for legitimate reasons like equipment failure, but it also happens deliberately when a vessel wants to avoid scrutiny.

The shadow fleet refers to something broader. These are ships owned through layers of shell companies, flagged in jurisdictions with minimal oversight, and specifically chosen because their ownership is difficult to trace. They do not necessarily go dark. They just make it very hard to connect them to a sanctioned entity or country. A ship in the shadow fleet might broadcast its position perfectly well while hiding the fact that its beneficial owner is subject to sanctions.

Oil tanker Marinera, previously known as Bella 1, which was seized by the US Coast Guard (Reuters/Russell Cheyne)

These two categories overlap frequently. A shadow fleet tanker will also go dark at critical moments, like when conducting a ship-to-ship transfer of sanctioned crude in international waters.

How AIS Works and Why It Can Be Manipulated

AIS was designed as a collision avoidance tool, not a surveillance system. Ships broadcast a signal containing their identity, position, speed, heading, and destination. Other ships and shore stations receive this signal. Aggregators like MarineTraffic collect all of this data and display it on a map.

The problem is that AIS operates on trust. A ship broadcasts whatever its crew enters into the system. There is no cryptographic verification. A vessel can broadcast a false position, a false name, or a false destination. This is called spoofing, and it happens regularly in the Persian Gulf region.

A common pattern is for a vessel to broadcast a position that puts it in international waters while sitting in an Iranian port. Analysts can catch this by cross-referencing AIS data with satellite imagery. If the AIS says a ship is moving south of Oman, but a satellite image shows it moored at Bandar Imam Khomeini, something is wrong with the AIS data.

The other manipulation technique is simply toggling the transponder off. A ship heading into sanctioned waters will go dark, complete the operation, then reappear somewhere else with a plausible story about equipment issues.

The Core Toolkit

MarineTraffic and VesselFinder

These are the starting points for almost any maritime investigation. Both platforms aggregate AIS data from shore stations and satellite receivers and display it on a live map. The free tiers give you enough to identify a vessel, see its recent track, and check its port call history.

MarineTraffic website

The most important identifier to focus on is the IMO number. Every commercial vessel receives an IMO number when built, and that number stays with the hull for its entire lifespan. Names change. Flags change. Owners change. The IMO number does not. When a ship gets renamed to avoid detection, the IMO number is what connects the new identity to the old one.

The Maritime Mobile Service Identity (MMSI) number, which is what AIS actually uses for live transmission, can be changed. This is why cross-referencing MMSI against IMO records is an important step in any investigation.
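The MMSI-against-IMO cross-check can be run over a batch of AIS static reports. The following is an added example, not part of the original guide: it validates the IMO check digit and lists hulls seen under several MMSIs or names. The function names are hypothetical, and the MMSIs, IMO numbers and vessel names are constructed placeholders.

```python
from collections import defaultdict

def imo_is_valid(imo):
    """Check digit: weight the first six digits 7..2; the sum's last digit must equal digit seven."""
    digits = imo.upper().replace("IMO", "").strip()
    if len(digits) != 7 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:6], range(7, 1, -1)))
    return total % 10 == int(digits[6])

def cross_reference(reports):
    """Group AIS static reports (mmsi, imo, name) and list identity inconsistencies."""
    by_imo = defaultdict(lambda: {"mmsi": set(), "names": set()})
    by_mmsi = defaultdict(set)
    findings = []
    for mmsi, imo, name in reports:
        if not imo_is_valid(imo):
            findings.append(("invalid_imo", imo, mmsi))  # mistyped or fabricated hull number
            continue
        by_imo[imo]["mmsi"].add(mmsi)
        by_imo[imo]["names"].add(name)
        by_mmsi[mmsi].add(imo)
    for imo, seen in sorted(by_imo.items()):
        if len(seen["mmsi"]) > 1:   # same hull transmitting under several MMSIs
            findings.append(("imo_many_mmsi", imo, tuple(sorted(seen["mmsi"]))))
        if len(seen["names"]) > 1:  # same hull appearing under several names
            findings.append(("imo_many_names", imo, tuple(sorted(seen["names"]))))
    for mmsi, imos in sorted(by_mmsi.items()):
        if len(imos) > 1:           # one MMSI claimed by several hulls
            findings.append(("mmsi_many_imo", mmsi, tuple(sorted(imos))))
    return findings

# Constructed sample data: placeholder MMSIs, IMO numbers and names, not real vessels.
REPORTS = [
    ("999000001", "1234567", "EXAMPLE STAR"),
    ("999000002", "1234567", "EXAMPLE DAWN"),   # same IMO, new MMSI and name
    ("999000003", "1000007", "SAMPLE TRADER"),
    ("999000003", "1000019", "SAMPLE TRADER"),  # same MMSI, different IMO
    ("999000004", "1234568", "TYPO QUEEN"),     # fails the check digit
]

if __name__ == "__main__":
    for finding in cross_reference(REPORTS):
        print(finding)
```

Each finding is a lead to check against registry records rather than a conclusion: an MMSI normally changes when a vessel is legitimately reflagged.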

Equasis

Equasis is a free database run by a consortium of European maritime authorities. It is probably the most useful single tool for ownership research. Enter an IMO number, and you get the registered owner, the manager, the flag state, and the inspection history.

The inspection history alone is valuable. A ship that has been detained multiple times for safety violations, changes flags frequently, and cycles through owners is a ship operating outside normal commercial practice.

Ownership in Equasis often leads to shell companies in places like the Marshall Islands, Panama, or the Comoros Islands. Following those chains requires additional research through corporate registries, but Equasis gives you the starting point.

TankerTrackers

TankerTrackers is a maritime intelligence company that uses satellite imagery to track tankers independently of AIS data. This matters because it can see ships that have gone dark. The team publishes regular reports on Iranian oil exports that are frequently cited by major news outlets and sanctions research organizations.

Free satellite imagery sources like Sentinel Hub and Google Earth can serve a similar function for analysts willing to do the work manually. The limitation is timing. You have to know roughly where to look and when a satellite passes over.

OFAC and Sanctions Lists

The US Treasury Department’s Office of Foreign Assets Control (OFAC) maintains a public list of sanctioned individuals, companies, and vessels. Searching a ship’s name, IMO number, or owner against this list is a basic step in any investigation.

OFAC Sanctions List Search

The list also includes Specially Designated Nationals (SDN) entries for companies caught facilitating sanctions evasion. When you trace a ship’s ownership back through Equasis and find a company that appears on the SDN list, that is significant.

The EU, UK, and UN also publish their own sanctions lists. A vessel or entity might appear on one list but not others, depending on the political situation at the time sanctions were designated.

Shodan

Shodan is a search engine for internet-connected devices. In a maritime context, it is useful for finding exposed vessel management systems, satellite communication terminals, and port infrastructure accessible from the open internet.

Shodan search query for an AIS brand

This is more relevant to the cybersecurity side of maritime intelligence than to ship tracking directly. Very Small Aperture Terminal (VSAT) units on ships, port management systems, and cargo tracking platforms may all be discoverable on Shodan.

For more information and a hands-on guide, check out this demo video.

Extended OSINT Tools for Maritime Intelligence

Beyond the core toolkit, a range of specialized and general-purpose OSINT tools adds significant depth to maritime investigations. These tools cover satellite imagery, corporate research, financial tracking, and geospatial analysis.

Vessel and AIS Tracking

Global Fishing Watch was built to track illegal fishing, but its AIS gap detection and behavioral analysis tools apply directly to sanctions evasion research. The platform flags vessels with unusual movement patterns and makes its data publicly accessible.

CruiseMapper and PortWatch cover port traffic in near-real time and can help establish when a vessel entered or left a port, which is useful for filling in gaps that AIS track history leaves open.

Lloyd’s List Intelligence has a paid service. It provides voyage history, cargo details, and ownership data that go deeper than free platforms.

Satellite Imagery

Sentinel Hub gives free access to Copernicus satellite imagery updated every few days. The EO Browser interface allows you to search a specific geographic area and date range, which is the core workflow for verifying or contradicting AIS claims.

Google Earth Pro includes historical imagery going back decades in some areas. Useful for checking whether a vessel has a pattern of appearing at a specific anchorage.

NASA Worldview offers free access to near-real-time satellite data. Lower resolution than commercial options, but useful for monitoring large-scale fleet movements or major port activity.

Corporate and Ownership Research

OpenCorporates is the largest open database of company information globally. When Equasis points to a shell company in Panama or the Marshall Islands, OpenCorporates often has registration records, director names, and filing history.

ICIJ Offshore Leaks Database covers entities named in the Panama Papers, Pandora Papers, and other major financial leaks. Beneficial owners of shadow fleet vessels frequently appear in these datasets.

OpenSanctions aggregates sanctions lists from the US, EU, UK, UN, and dozens of other jurisdictions into a single searchable database. Faster than checking each list individually and updated daily.

Geospatial and Port Intelligence

Windward is an AI-powered maritime analytics platform that scores vessels by risk based on behavioral patterns, ownership opacity, and historical port calls. Used by financial institutions and government agencies for due diligence. Its dark activity detection specifically flags AIS manipulation.

Kpler tracks commodity flows, including crude oil, refined products, and LNG. When a tanker disappears from AIS and reappears elsewhere, Kpler’s cargo tracking can often identify what it was carrying and where the cargo ended up.

UN Comtrade publishes official trade statistics by country. If a country’s reported oil imports from a sanctioned source do not match Kpler’s vessel-level data, that discrepancy is analytically significant.

OSINT Frameworks and Supporting Tools

Maltego is a link analysis tool that lets you map relationships between entities, vessels, companies, and individuals on a visual graph. It has maritime-specific data transforms and integrates with several of the databases mentioned above.

SpiderFoot automates OSINT data collection across 200 sources. For maritime investigations, it can pull together company registration data, domain registration records, and sanctions hits in a single automated run.

Gephi is a free network visualization tool. When you are tracing a shadow fleet ownership structure with multiple layers of companies, Gephi helps you see the structure clearly and identify patterns that are not obvious in a spreadsheet.

OSINT Framework (osintframework.com) maintains a directory of OSINT tools organized by category. The maritime section is a useful starting point for tools not covered here.

Hunchly by Maltego is a browser extension that automatically captures and archives everything you view during a research session. For maritime investigations that span days or weeks, this kind of automatic documentation is essential for maintaining a clear audit trail.

Walking Through an Investigation

Here is a made-up scenario that shows how these tools work together.

A tanker with an unfamiliar name appears off the coast of Fujairah in the UAE. AIS shows it arriving from “at sea” with no prior port call recorded. The name is generic. The flag is a small island nation with minimal maritime oversight.

Simplified OSINT tracking of a suspicious tanker

1. Initial detection

A tanker with an unfamiliar name appears off Fujairah in the UAE.

  • AIS shows it arriving from open sea (“at sea”)
  • No recent port call is visible
  • The name is generic
  • The flag is from a jurisdiction with limited oversight

This combination is a risk signal, not proof of wrongdoing.

2. Identify the vessel (IMO + registry check)

Pull the IMO number using a platform like MarineTraffic.

Then check the vessel in Equasis:

  • Review name history
  • Check flag changes
  • Look at the registered owner and manager history

Frequent changes across jurisdictions can indicate risk.
But note: this does not confirm beneficial ownership.

3. Review AIS track history

Examine the vessel’s movement timeline:

  • Identify gaps in AIS transmission
  • In this case, an 11-day gap after the Gulf of Oman

This is important because AIS gaps may suggest:

  • AIS disablement
  • Signal manipulation
  • Coverage issues

Treat gaps as indicators, not evidence.

4. Check satellite data during the gap

Use tools like Sentinel Hub to review historical imagery.

Focus on:

  • Known anchorage areas
  • High-risk zones (e.g., near Iranian export terminals)

If imagery shows:

  • Two tankers stationary
  • Positioned alongside each other

This is consistent with a ship-to-ship (STS) transfer.

Important:
Satellite data can suggest activity, but it may not confirm vessel identity with certainty.

5. Cross-reference the second vessel

If a second vessel is visible or identifiable:

  • Check sanctions databases
  • Review past activity and ownership
  • Look for links to the Iranian oil trade

This step strengthens the analytical picture.

6. Sanctions screening (OFAC)

Search entities against the Office of Foreign Assets Control (OFAC) list:

  • Vessel name history
  • Past owners and managers

If a previous owner appears on the SDN list, it is a red flag.

But:

  • Past ownership ≠ current sanctions violation
  • Legal exposure depends on current ownership/control

7. Final assessment

Each step alone is not conclusive.
Together, they can show:

  • Suspicious movement patterns
  • Possible STS transfer
  • Historical links to sanctioned entities

This produces a well-supported analytical assessment, not courtroom proof.

It is suitable for:

  • Risk analysis
  • Compliance review
  • Further investigation
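Step 3's gap review, together with the go-dark and false-position patterns described under "How AIS Works and Why It Can Be Manipulated", can be run over an exported AIS track. The following is an added example, not part of the original guide: the track points are constructed, the function names are hypothetical, and the 6-hour and 20-knot thresholds are assumptions to tune per vessel type and coverage area.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two positions, in nautical miles."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))

def review_track(track, max_silence_h=6.0, max_speed_kn=20.0):
    """Flag silences longer than max_silence_h and hops faster than max_speed_kn."""
    findings = []
    points = sorted((datetime.fromisoformat(t), lat, lon) for t, lat, lon in track)
    for (t0, la0, lo0), (t1, la1, lo1) in zip(points, points[1:]):
        hours = (t1 - t0).total_seconds() / 3600
        if hours <= 0:
            continue  # duplicate timestamp: no interval to measure
        dist = haversine_nm(la0, lo0, la1, lo1)
        knots = dist / hours
        base = {"from": t0.isoformat(), "to": t1.isoformat(),
                "hours": round(hours, 1), "nm": round(dist, 1), "knots": round(knots, 1)}
        if hours > max_silence_h:   # transponder silent: disablement, fault or coverage
            findings.append({"kind": "dark_gap", **base})
        if knots > max_speed_kn:    # position jump no tanker could make: check for spoofing
            findings.append({"kind": "impossible_speed", **base})
    return findings

# Constructed track (timestamp UTC, latitude, longitude); not a real vessel.
TRACK = [
    ("2024-03-01T00:00:00+00:00", 25.00, 57.00),
    ("2024-03-01T02:00:00+00:00", 25.10, 57.20),
    ("2024-03-01T04:00:00+00:00", 25.20, 57.40),
    ("2024-03-12T04:00:00+00:00", 25.15, 56.45),  # reappears after 11 days
    ("2024-03-12T05:00:00+00:00", 25.15, 56.43),
    ("2024-03-12T06:00:00+00:00", 22.00, 60.00),  # implausible one-hour jump
]

if __name__ == "__main__":
    for finding in review_track(TRACK):
        print(finding)
```

The start and end times of each `dark_gap` give the date window and rough area to search in satellite imagery for step 4.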

Going Deeper

Shipping data tracked consistently over time often moves ahead of political developments. Analysts who watch it closely sometimes have a clearer picture of what is about to happen than the people reading official government statements.

These are resources worth following for anyone who wants to build on the methods described here.

Rae Baker’s book Deep Dive covers open-source intelligence methodology broadly and includes strong sections on maritime research. Her work is the most accessible entry point into professional OSINT practice for this topic area.

The Bellingcat collective publishes maritime investigations using various resources, OSINT tools, and AIS analysis. Their methodology notes are as useful as the investigations themselves. They also conducted OSINT challenges, which produced fun maritime OSINT investigation write-ups on Medium.

C4ADS has produced in-depth research on sanctions evasion networks, including the maritime side of those networks, with documentation of how ownership structures are constructed. It also has a dedicated course on maritime intelligence.

The United Nations Panel of Experts reports on Iran sanctions, published annually, contain vessel-specific findings that are useful as reference points for cross-checking your own research.

A Note on What This Is For

Tracking ships through open sources is legal. All of the tools described here use publicly available data. The goal of this kind of analysis is transparency. Understanding how oil moves, who benefits, and whether sanctions are actually working is genuinely important for anyone trying to understand modern conflict and geopolitics.

This material is intended for research and educational purposes only.
