April 1, 2026

How to build a risk tree to assess shadow fleet exposure in your network

The shadow fleet is no longer a peripheral concern for compliance teams. It has grown into a structural feature of global oil markets and the exposure it creates runs deeper than most organisations have mapped. The risk extends beyond vessels themselves. It reaches through counterparties, supply chains, port networks, and financial relationships in ways that standard sanctions screening workflows were never designed to catch.

Building a risk tree changes that. This methodology forces a structured, hierarchical view of how shadow fleet exposure enters your network, where it concentrates, and what signals indicate its presence. 

Drawing on Kpler data and analysis, this article explains how to build a maritime risk tree using a compliance platform approach.

Understanding the shadow fleet

The industry uses "shadow fleet" inconsistently, and no single definition governs how it is applied in compliance frameworks. 

Kpler distinguishes between two categories:

  • Shadow fleet: The broader category of vessels operating outside Western regulatory and insurance frameworks to move sanctioned cargo.
  • Dark fleet: A subset of vessels that actively conceal movements and cargo through AIS manipulation, covert ship-to-ship (STS) operations, and systematic identity obfuscation.

A third category – the grey fleet – encompasses vessels with opaque ownership structures or trading patterns that warrant enhanced due diligence, but have not been formally designated. 

Understanding which category a vessel falls into shapes both the urgency of the response and the investigative methodology required.

Why the scale matters

The shadow fleet is no longer a fringe phenomenon operating at the margins of global trade. By December 2025, Kpler's monitoring of more than 2,800 vessels confirmed it had become a durable parallel logistics system rather than a temporary sanctions workaround. Those vessels moved approximately 3,733 million barrels of oil across the year — around 6-7% of global crude flows.

Kpler also documented the expansion of the grey fleet:

  • Activity has surged 2,800% since 2022
  • It now accounts for up to 13% of global tanker capacity
  • Sanctioned vessels rose from approximately 370 (July 2020) to roughly 1,650 (July 2025)
  • Affected companies grew from around 60 to nearly 500 over the same period, with the steepest growth after mid-2024

Meanwhile, deceptive behaviours have scaled in direct proportion to enforcement pressure, with Kpler recording the following in 2025:

  • AIS spoofing reached 212 incidents in May — 19% above the H2-2024 monthly average
  • Dark STS transfers hit a single-month record of 316
  • Dark STS transfers averaged approximately 224 per month across January to November — a 129% increase from the prior baseline

Among the 251 vessels loaded with sanctioned Iranian oil, the evasion picture is particularly acute:

  • 96% conducted dark STS transfers
  • 77% spoofed their vessel location
  • 72% turned off location beacons for prolonged stretches

Rather than contracting under sanctions, the fleet has hardened — adapting through fragmented ownership networks, accelerated flag changes, self-insurance arrangements, and deepening reliance on permissive jurisdictions. The critical compliance implication is that behavioural signals consistently precede formal designation. Kpler identified 244 active shadow fleet vessels at elevated risk of future designation. 

The results since publication:

  • 71 vessels (23.5% of the cohort) have since been sanctioned, confirming predictive accuracy
  • A further 64 vessels are already scoring within critical risk ranges
  • Vessels eventually sanctioned typically displayed false AIS positions, frequent reflagging, irregular STS activity, and opaque ownership structures weeks or months before enforcement action

Static watchlist matching will always lag this environment. This is the exposure your risk tree needs to map.

Building a risk tree: The five primary branches

A risk tree for shadow fleet exposure works by decomposing the top-level risk — "my organisation has direct or indirect exposure to shadow fleet activity" — into discrete branches. Each branch represents a different pathway by which exposure can materialise. Each branch ends in observable indicators that can be screened, monitored, or escalated.

The root node is your organisation's risk appetite statement on sanctions and illicit maritime trade. Everything below it represents a way that exposure can enter despite that stated appetite.

Branch 1: Direct vessel exposure

The most obvious branch covers vessels with which your organisation interacts directly — as charterer, operator, cargo owner, insurer, financier, or port service provider.

Standard indicators to screen:

  • OFAC SDN designation
  • EU, UK, and UN sanctions lists
  • Paris and Tokyo MoU grey and black list flag states
  • AIS gap history
  • AIS spoofing events
  • Prior port state control detentions

The risk tree branch for direct vessel exposure should include two distinct sub-branches:

  • Designated status: A binary screen against watchlists
  • Behavioural indicators: A continuous monitoring feed covering AIS anomalies, STS activity, and port call patterns

Vessels eventually sanctioned consistently displayed detectable behavioural signals — false AIS positions, frequent reflagging, irregular STS activity, and opaque ownership structures — weeks or months before formal enforcement action. Of the 302 vessels Kpler identified as high-risk, 42 (14% of the cohort) were subsequently sanctioned, confirming that the vast majority of the most active shadow tankers are not on any watchlist at the time of their voyages.

Detection methodology that relies exclusively on list-matching will always be reactive. Screening for AIS spoofing — comparing predicted vessel positions against AIS-reported positions to identify fabricated location data — and for dark STS transfers confirmed via satellite imagery moves the detection window materially earlier.

Branch 2: Counterparty exposure

The second branch covers entities, not vessels, that sit within your commercial network. This is where shadow fleet exposure is most frequently underestimated.

Shell company structures are the primary mechanism for concealing vessel ownership and beneficial interests. Many shadow fleet vessels are operated by single-purpose entities with no track record of ship management, often registered in jurisdictions with minimal oversight. 

Kpler's analysis of deceptive shipping practices identifies ownership opacity as one of five core risk dimensions — alongside behavioural indicators, geographic risk, associative risk, and cargo risk — precisely because it generates exposure even in the absence of other red flags.

Key indicators at this branch:

  • Newly established management companies with no prior shipping history
  • Managers or owners based in identified shadow fleet hubs
  • Corporate networks where multiple vessels share ownership or management structures already subject to designation
  • Frequent changes in vessel name, flag, or registered owner

The IMO number is immutable. However, vessel name, flag, and registered owner change frequently. Tracking those changes over time reveals evasion patterns that a point-in-time check will miss.

Ultimate beneficial ownership (UBO) analysis is the tool most compliance teams underinvest in at this branch. Tracing through layered corporate structures to identify whether a sanctioned individual or entity has a controlling interest requires:

  • Access to corporate registry data across multiple jurisdictions
  • Analytical capacity to link entities that do not obviously appear related

This is not a process that automated list-screening was designed to perform.

Branch 3: Supply chain and cargo origin exposure

The third branch addresses how shadow fleet activity can introduce sanctioned cargo into otherwise legitimate supply chains, without the vessels carrying it ever appearing on a watchlist.

The mechanism is cargo laundering via STS transfer. The process works as follows:

  • A vessel loads sanctioned crude
  • It transits to an offshore STS zone — the waters off Malaysia's Eastern Outer Port Limit, the Laconian Gulf off Greece, or the Kalamata STS area
  • The vessel disables AIS
  • Cargo transfers to a second vessel with a cleaner compliance profile
  • That vessel delivers it as "origin unknown" or blended with other crude

The receiving vessel may never have called at a sanctioned port. The evasion networks maintain fleets of vessels specifically for this purpose — if some are sanctioned, others continue operating, making designation a cost of business rather than an existential deterrent.

For organisations operating in the physical commodity markets — refiners, trading houses, and commodity financiers — this branch represents the most material exposure.

Indicators to model:

  • Cargo origin documentation inconsistent with declared voyage
  • Port call sequences that do not match stated routing
  • Prior STS events in the vessel's history even when absent from the current voyage
  • Known blending or transshipment hubs associated with sanctioned crude laundering

The detection challenge requires cross-referencing AIS transmission history against satellite-detected vessel positions and correlating both against cargo documentation. No single data source is sufficient.

Branch 4: Geographic corridor exposure

Not all shadow fleet risk is vessel-specific or counterparty-specific. Some of it is geographic. Operating in certain corridors materially increases the probability of indirect encounter with shadow fleet vessels, regardless of who your direct counterparties are.

High-risk corridors include:

  • Danish and Turkish Straits
  • Waters off Malaysia and Singapore
  • Greek STS zones (including the Laconian Gulf)
  • Gulf of Oman
  • Baltic Sea and Eastern Mediterranean

Kpler identified the Eastern Mediterranean, Gulf of Oman, Black Sea, and transshipment hubs tied to Russian crude and LNG flows as the regions where enforcement actions concentrated most heavily in 2025, precisely because shadow fleet activity in those corridors is structurally dense.

Collision risk deserves its own node in the risk tree. A vessel repeatedly going dark in high-risk zones is not exhibiting a technical anomaly. It is exhibiting a behavioural pattern that generates direct exposure for any legitimate vessel sharing that corridor. 

By mid-2025, more than 400 oil tankers were estimated to be operating under opaque ownership without Western insurance, compounding the collision and pollution liability risk for compliant operators in the same waters.

The risk tree branch for geographic exposure should model:

  • Historical density of shadow fleet port calls and STS events by region
  • Flag state enforcement capacity in those corridors
  • Your own vessel routing patterns relative to those hotspots

For marine insurers and P&I clubs, incorporating this spatial dimension into underwriting models is becoming a baseline expectation rather than a differentiator.

Branch 5: Indirect financial and service exposure

The fifth branch is the most difficult to map and the most frequently absent from compliance frameworks. It covers exposure that arises not through direct commercial interaction with shadow fleet vessels, but through service providers, financiers, insurers, and agents that support them.

Sources of indirect exposure:

  • Bunkering suppliers that service shadow fleet vessels
  • Port agents that regularly facilitate calls by sanctioned vessels
  • Correspondent banking arrangements with institutions that handle shadow fleet-related financial flows

Non-transparent financing and insurance arrangements are a defining structural feature of the shadow fleet. Self-insurance, non-IG P&I cover, and unregulated registries are the mechanisms that have allowed the fleet to sustain operations as traditional insurers, banks, and classification societies reduced exposure to high-risk tonnage.

Indicators at this branch:

  • Known relationships between service providers and sanctioned entities
  • Jurisdictional origin of insurance certificates
  • Agent or broker networks that appear repeatedly in shadow fleet port call records

The financial stakes are considerable. Despite mounting enforcement pressure, exports from the most sanctions-affected suppliers remained broadly stable year-on-year in 2025 — enforcement didn't freeze commodity flows, it redirected them into less visible channels. The economic incentives sustaining that redirection are structural, so as long as sanctioned commodities command substantial premiums for sellers or discounts for buyers, operators will continue absorbing regulatory risk.

A single voyage carrying sanctioned cargo can generate profits equivalent to months of legitimate operations. For compliance functions with exposure to the indirect service layer, that arithmetic makes this branch commercially significant — not a compliance footnote.

Operationalising the risk tree

A risk tree is only useful if connected to live data and actionable thresholds. The practical implementation involves three layers. We integrate these data feeds into rules-based alerts and analyst workflows to make the tree operational.

Layer 1: Continuous vessel monitoring

We anchor this layer on a combination of AIS data, satellite imagery, and watchlist feeds. The critical technical requirement is that AIS data must be cross-referenced against satellite-detected positions—not treated as ground truth in isolation.

Spoofed AIS is specifically designed to deceive systems that rely on it uncritically. Kpler's risk and compliance methodology verifies dark STS events through satellite imagery confirmation rather than relying on AIS transmission records alone — a distinction that matters considerably when vessels have disabled or manipulated their transponders. 

Given that dark STS transfers and AIS spoofing together generate hundreds of potentially deceptive signals every month, continuous monitoring has become a baseline requirement, not an occasional response.
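
The cross-check described in this layer, and the spoofing screen from Branch 1, as an added example (not Kpler's code or methodology): it pairs each satellite detection already attributed to a vessel with the nearest-in-time AIS report and flags position mismatches and reporting gaps. The 10 km tolerance, 30-minute pairing window, 24-hour gap threshold and all sample positions are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_OFFSET_KM = 10.0                  # assumed tolerance between AIS and imagery fix
MAX_PAIRING = timedelta(minutes=30)   # assumed: AIS report must be this close in time
MAX_GAP = timedelta(hours=24)         # assumed reporting-gap threshold

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def ais_gaps(ais_track):
    """Return (last_seen, next_seen) pairs where AIS was silent longer than MAX_GAP."""
    times = sorted(t for t, _, _ in ais_track)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > MAX_GAP]

def cross_check(ais_track, sat_detections):
    """Compare each satellite fix with the nearest-in-time AIS report.

    Returns (time, finding, offset_km): 'no_ais' when the vessel was imaged
    while not transmitting, 'position_mismatch' when AIS placed it elsewhere.
    """
    findings = []
    for s_time, s_lat, s_lon in sat_detections:
        a_time, a_lat, a_lon = min(ais_track, key=lambda r: abs(r[0] - s_time))
        if abs(a_time - s_time) > MAX_PAIRING:
            findings.append((s_time, "no_ais", None))
            continue
        offset = haversine_km(a_lat, a_lon, s_lat, s_lon)
        if offset > MAX_OFFSET_KM:
            findings.append((s_time, "position_mismatch", round(offset)))
    return findings

# Constructed sample data for one vessel: (timestamp, lat, lon)
T0 = datetime(2025, 5, 1)
AIS_TRACK = [
    (T0, 2.0, 104.5),
    (T0 + timedelta(hours=6), 2.0, 104.6),
    (T0 + timedelta(hours=12), 2.0, 104.7),
    (T0 + timedelta(hours=48), 2.1, 104.8),   # 36 h of silence before this report
    (T0 + timedelta(hours=54), 2.1, 104.9),
]
SAT_DETECTIONS = [
    (T0 + timedelta(hours=6, minutes=10), 2.0, 106.6),   # imaged about 2 deg east of AIS
    (T0 + timedelta(hours=30), 2.5, 105.0),              # imaged during the AIS gap
    (T0 + timedelta(hours=54, minutes=5), 2.1, 104.9),   # agrees with AIS
]

if __name__ == "__main__":
    for finding in cross_check(AIS_TRACK, SAT_DETECTIONS):
        print(finding)
    print(ais_gaps(AIS_TRACK))
```

A detection with no nearby AIS report is reported separately from a position mismatch because the two point at different behaviours: a disabled transponder versus fabricated location data.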

Layer 2: Entity resolution

The corporate ownership layer must be kept current because vessel ownership changes are a deliberate evasion tactic, not an administrative coincidence. Flag-hopping — moving a vessel between registries to reset its compliance profile — is routine across the shadow fleet. An entity that acquires a vessel post-designation is not automatically clean. The acquisition pattern itself — shell company, no prior management history, vessel age profile consistent with shadow fleet operations — is a signal worth escalating.

A change in beneficial ownership structure is one of the clearest predictors of elevated risk, particularly where that change involves a shift to opaque jurisdictions, additional shell company layers, or rapid reflagging. Shadow fleet operators routinely replace sanctioned vessels by purchasing tonnage from secondary markets and reregistering under obscure flag states.
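
An added example (not Kpler's implementation) of keeping the ownership layer current, as this layer and Branch 2 describe: registry snapshots are keyed on the IMO number so that name, flag and owner changes can be counted over time and names can be screened historically. The snapshot records, placeholder IMO values, 365-day window and three-change threshold are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

WINDOW = timedelta(days=365)   # assumed look-back period
CHURN_THRESHOLD = 3            # assumed: identity changes in window that warrant review
FIELDS = ("name", "flag", "owner")

# Constructed registry snapshots; IMO values are placeholders, not real vessels.
SNAPSHOTS = [
    {"imo": "IMO-PLACEHOLDER-A", "date": date(2024, 7, 1), "name": "EXAMPLE STAR",
     "flag": "Flag X", "owner": "Owner One Ltd"},
    {"imo": "IMO-PLACEHOLDER-A", "date": date(2024, 11, 15), "name": "EXAMPLE SUN",
     "flag": "Flag Y", "owner": "Owner One Ltd"},
    {"imo": "IMO-PLACEHOLDER-A", "date": date(2025, 3, 20), "name": "EXAMPLE NOVA",
     "flag": "Flag Y", "owner": "Owner Two Inc"},
    {"imo": "IMO-PLACEHOLDER-B", "date": date(2023, 1, 1), "name": "SAMPLE TRADER",
     "flag": "Flag Z", "owner": "Owner Three SA"},
    {"imo": "IMO-PLACEHOLDER-B", "date": date(2025, 1, 1), "name": "SAMPLE TRADER",
     "flag": "Flag Z", "owner": "Owner Four SA"},
]

def history_by_imo(snapshots):
    """Group snapshots under the IMO number, oldest first."""
    grouped = defaultdict(list)
    for snap in sorted(snapshots, key=lambda s: s["date"]):
        grouped[snap["imo"]].append(snap)
    return grouped

def identity_changes(snapshots):
    """Per IMO, list (date, field, old, new) for every change between snapshots."""
    changes = defaultdict(list)
    for imo, rows in history_by_imo(snapshots).items():
        for prev, cur in zip(rows, rows[1:]):
            for f in FIELDS:
                if prev[f] != cur[f]:
                    changes[imo].append((cur["date"], f, prev[f], cur[f]))
    return changes

def churn_alerts(snapshots, as_of):
    """IMOs whose identity changed CHURN_THRESHOLD or more times inside WINDOW."""
    alerts = {}
    for imo, ch in identity_changes(snapshots).items():
        recent = [c for c in ch if as_of - WINDOW <= c[0] <= as_of]
        if len(recent) >= CHURN_THRESHOLD:
            alerts[imo] = recent
    return alerts

def name_screen(snapshots, listed_names, historical):
    """Screen names against a list: current name only, or every name ever held."""
    hits = set()
    for imo, rows in history_by_imo(snapshots).items():
        names = {r["name"] for r in rows} if historical else {rows[-1]["name"]}
        if names & set(listed_names):
            hits.add(imo)
    return hits

if __name__ == "__main__":
    print(churn_alerts(SNAPSHOTS, date(2025, 6, 1)))
    print(name_screen(SNAPSHOTS, {"EXAMPLE STAR"}, historical=False))
    print(name_screen(SNAPSHOTS, {"EXAMPLE STAR"}, historical=True))
```

The two `name_screen` calls show the gap a point-in-time check leaves: the current-name screen returns nothing for a listed former name, while the IMO-keyed history still ties it to the vessel.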

Layer 3: Analyst-in-the-loop escalation

Automated screening generates alerts. Human analysts with maritime intelligence expertise are required to interpret them. Flag-hopping sequences, layered identity manipulation, and complex multi-vessel STS chains require contextual judgement that rule-based systems cannot fully replicate.

Vessels eventually sanctioned typically move through a recognisable behavioural arc — early indicators such as repeated high-risk port calls and onset of AIS spoofing, followed by an escalation phase involving multiple dark STS events and sustained signal manipulation, before reaching peak illicit activity. Identifying where a vessel sits within that arc requires an analyst capable of reading the pattern, not just matching it against a list.

The risk tree should define:

  • Which combinations of indicators trigger escalation to a named analyst
  • What documentation is required before a commercial decision proceeds

The compliance argument for acting now

Sanctions enforcement is accelerating on multiple fronts. What changed in 2025 was not just the volume of designations. It was the shift in regulatory focus from individual vessels to the entire architecture enabling circumvention: improper AIS usage, shell-company ownership structures, weakly verified insurance certificates, and trades brokered through lightly regulated intermediaries.

Recent regulatory developments

  • In April 2025, the EU adopted new rules requiring vessels transiting European waters to provide insurance details, with boarding authority for non-compliant vessels
  • Sixteen European states have committed to coordinated disruption of shadow fleet operations
  • The US executed three major sanctions waves in January, May, and October 2025 — each expanding beyond individual vessels to target entire facilitation networks including insurers, brokers, flag registries, and service providers
  • The January 2025 package alone designated over 180 shadow fleet tankers alongside major Russian producers

Current designation counts (mid-2025)

Jurisdiction    Vessels sanctioned
EU              342
UK              133
US              Several hundred

Enforcement mechanisms remain fragmented enough to leave significant jurisdictional gaps that sophisticated operators continue to exploit. These gaps are expected to drive risk migration rather than risk reduction in 2026 — with diversion pathways tightening and growing more sophisticated, particularly around the Eastern Mediterranean, Southeast Asia, and the Gulf of Oman.

For compliance functions, the question is not whether shadow fleet exposure exists somewhere in your network. At the scale the fleet now operates, the question is whether that exposure has been mapped, scored, and actively monitored across all five branches.

A risk tree built on vessel behaviour, counterparty ownership, cargo origin, geographic corridor, and service provider relationships provides the framework to answer that question with confidence rather than assumptions.

The cost of building it is analytical. The cost of not building it is regulatory.

Frequently asked questions

What is the difference between a dark fleet and a shadow fleet?

The shadow fleet is the broader category encompassing all vessels engaged in sanctions evasion or illicit maritime trade. The dark fleet is a subset—vessels that actively conceal movements and cargo through AIS manipulation and covert operations. The grey fleet refers to vessels with opaque ownership that warrant enhanced due diligence but have not been formally designated.

How quickly can a vessel's risk profile change?

Vessel risk profiles can change within days. Flag-hopping, ownership transfers to shell companies, and name changes are common evasion tactics. We recommend continuous monitoring rather than periodic screening to catch these changes.

What data sources are essential for shadow fleet monitoring?

No single source is sufficient. Effective monitoring requires AIS data, satellite imagery, watchlist feeds, corporate registry data, and port call records. Cross-referencing these sources is essential because spoofed AIS is designed to deceive systems that rely on it alone.

How do I prioritise which branches of the risk tree to build first?

Start with your organisation's primary exposure pathway. Charterers and cargo owners should prioritise direct vessel exposure and cargo origin branches. Insurers should focus on geographic corridor and counterparty exposure. Financial institutions should emphasise indirect financial and service exposure.

What triggers should escalate an alert to human review?

We recommend escalation for: multiple concurrent risk indicators, AIS gaps exceeding 24 hours in non-coastal waters, ownership changes to newly established entities, and any connection to previously sanctioned corporate networks.
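
The escalation triggers listed above, applied to the five-branch tree, as an added example rather than Kpler's own rules engine. The indicator keys, the subset of indicators per branch, and treating "multiple" as two or more are assumptions; designated status is left to the separate binary list screen.

```python
from dataclasses import dataclass

# The five branches with a subset of their indicators; keys are illustrative names.
RISK_TREE = {
    "direct_vessel": {"ais_gap", "ais_spoofing", "psc_detention"},
    "counterparty": {"owner_change_to_new_entity", "sanctioned_network_link",
                     "identity_churn"},
    "cargo_origin": {"origin_docs_mismatch", "port_sequence_mismatch", "prior_sts"},
    "geographic": {"high_risk_corridor"},
    "indirect_service": {"provider_linked_to_sanctioned", "agent_in_shadow_port_calls"},
}
KNOWN = set().union(*RISK_TREE.values())
AIS_GAP_HOURS = 24      # threshold stated in the FAQ answer
MIN_CONCURRENT = 2      # assumed reading of "multiple concurrent risk indicators"

@dataclass
class Assessment:
    branch_hits: dict   # branch -> sorted indicators observed under it
    reasons: list       # escalation triggers that fired

    @property
    def escalate(self):
        return bool(self.reasons)

def assess(indicators, ais_gap_hours=0.0, coastal=True):
    """Map observed indicators onto the tree and apply the escalation triggers."""
    observed = set(indicators)
    unknown = observed - KNOWN
    if unknown:
        # A misspelled indicator must fail loudly, not silently drop out of scoring.
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    branch_hits = {b: sorted(observed & inds)
                   for b, inds in RISK_TREE.items() if observed & inds}
    reasons = []
    if len(observed) >= MIN_CONCURRENT:
        reasons.append("multiple concurrent indicators")
    if ais_gap_hours > AIS_GAP_HOURS and not coastal:
        reasons.append("AIS gap over 24 hours in non-coastal waters")
    if "owner_change_to_new_entity" in observed:
        reasons.append("ownership change to newly established entity")
    if "sanctioned_network_link" in observed:
        reasons.append("connection to previously sanctioned corporate network")
    return Assessment(branch_hits, reasons)

if __name__ == "__main__":
    # Constructed observations for three vessels.
    print(assess(["high_risk_corridor"], ais_gap_hours=30, coastal=True))
    print(assess(["ais_gap"], ais_gap_hours=30, coastal=False))
    print(assess(["prior_sts", "agent_in_shadow_port_calls"]))
```

`branch_hits` records which pathway each alert entered through, so the named analyst receives the branch context along with the trigger that fired.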
