November 10, 2025

AIS spoofing: The fast track to sanctions

Every ship broadcasts its position through the Automatic Identification System (AIS), but what happens when that signal is falsified?

AIS spoofing, once rare, has now become a core tactic in global sanctions evasion. It's simple, effective, and, as Kpler's data shows, one of the most reliable early indicators of enforcement action.

Our recent analysis of nearly 1,000 sanctioned vessels found that 80.1% of ships caught spoofing were sanctioned within a year, with most designations occurring just 3–9 months after their first incident. The stark contrast with dark ship-to-ship (STS) transfers, where only 32% face sanctions within a year, reveals how differently regulators treat digital deception versus physical evasion tactics.

Understanding AIS: The maritime digital infrastructure

AIS was developed in the early 2000s and became mandatory under the International Maritime Organization's Safety of Life at Sea (SOLAS) convention in 2004. The system requires vessels over 300 gross tons on international voyages to continuously broadcast information via VHF radio frequencies.

An AIS transmission includes:

  • Static information: Ship name, IMO number, call sign, dimensions, and ship type
  • Dynamic information: Position, course, speed, navigational status, rate of turn
  • Voyage-related information: Destination, estimated time of arrival, cargo type, draught

The original purpose was safety—collision avoidance, search and rescue, traffic management. But AIS quickly became essential for commercial operations, environmental monitoring, and security including sanctions enforcement.

The system's openness—designed for safety transparency—creates its vulnerability. AIS data isn't encrypted or authenticated, making manipulation relatively straightforward for those with the technical capability and intent.

The data behind enforcement

Between January 2024 and July 2025, Kpler identified 261 vessels that spoofed their AIS before being sanctioned—the largest single behavior category among all deceptive practices.

The pattern is striking:

  • 61 vessels sanctioned between 3–6 months after spoofing
  • 59 vessels within 6–9 months
  • Sharp drop-off after one year, with only a handful sanctioned later

This acceleration shows how spoofing acts as a short-term enforcement trigger. Once a vessel falsifies its position, it enters a period of intense scrutiny—one often ending in official designation.

Why the concentration in these early months?

  • Detection speed: Unlike dark STS transfers that require satellite confirmation and contextual investigation, AIS spoofing can be detected almost immediately through algorithmic analysis. When a vessel's AIS position contradicts satellite imagery or shows physically impossible movements, automated systems flag the anomaly within hours or days.
  • Clear intent: Accidental AIS errors do occur—equipment malfunctions, incorrect data entry, software glitches. But sustained, systematic position falsification demonstrates intentional deception. Regulators don't need to determine if the behavior was accidental; the pattern proves intent.
  • Sanctions program priorities: Major sanctions authorities like OFAC, the EU, and the UK's OFSI explicitly identify AIS manipulation as a key evasion indicator in their enforcement guidance. When detection is straightforward and policy priority is high, enforcement accelerates.
  • Intelligence value: Early spoofing detection allows authorities to monitor the vessel's subsequent activities—where it actually goes, what cargoes it loads, which entities it works with. This three-to-nine-month window between detection and sanction isn't just bureaucratic delay; it's intelligence gathering that often reveals broader evasion networks.
  • Deterrent signaling: Rapid sanctions following spoofing detection send clear market signals. Vessel operators, charterers, and counterparties learn that AIS manipulation carries swift consequences.

The data shows that if a vessel hasn't been sanctioned within 12 months of spoofing, it probably won't be sanctioned solely for that incident. But the critical risk window is clearly that first year, particularly months 3-9.

Why AIS spoofing raises red flags

Unlike GNSS jamming or signal loss, which can be accidental or caused by external interference, AIS spoofing is an intentional act by the vessel to deceive.

GNSS jamming occurs when external radio frequency interference disrupts GPS signals near conflict zones or military exercises. Ships experiencing jamming may show position errors or gaps, but this isn't the vessel's choice.

Signal loss can result from equipment failure, antenna damage, or electrical problems. These create gaps in the AIS track but don't involve false data.

AIS spoofing is fundamentally different. The vessel's equipment actively broadcasts false information. This requires either manual data entry of incorrect position information or sophisticated software that manipulates the GPS input to the AIS transponder. This is always intentional.

Common tactics include:

  • Broadcasting false locations: A tanker might broadcast a position showing it in international waters while it's actually loading Iranian crude in the Persian Gulf. More sophisticated operations create plausible movement patterns—the false AIS track shows the vessel transiting at realistic speeds along shipping lanes, while the actual vessel operates elsewhere.
  • Identity masking: Broadcasting under another ship's name or IMO number. This "identity theft" allows a sanctioned or high-risk vessel to appear as a different, clean vessel.
  • Pattern resets and "jumping": The AIS trail suddenly "jumps" across regions, showing physically impossible movement. These serve tactical purposes like resetting tracking algorithms or creating confusion about which AIS track belongs to which physical vessel.
  • Hybrid approaches: Sophisticated operators broadcast real position data for most of their voyage, then spoof during the crucial period when they enter sanctioned waters or meet with sanctioned counterparties, then resume accurate broadcasting. This selective manipulation attempts to minimize obviously fraudulent data points while obscuring critical activities.

These manipulations aim to obscure cargo origin, ownership, or trading route—concealing sanctioned origin, obscuring destination, evading port state control, enabling insurance fraud, or facilitating other crimes like drug trafficking or illegal fishing.

The spoofing–sanction timeline

The AZURE VOYAGER (flagged to Aruba) spoofed its AIS signal three times in nine months across Malaysia, Brazil, and the Caribbean—all before its March 2025 designation by OFAC.

The vessel's spoofing occurred across three continents—Southeast Asia, South America, and the Caribbean. These regions represent different nodes in illicit cargo networks. Malaysia sits near key transshipment zones for Iranian and Russian oil heading to Asia. Brazil borders Venezuelan waters where sanctioned crude loads. The Caribbean includes transshipment points for Venezuelan oil.

Three spoofing events in nine months demonstrate a systematic operational pattern rather than a one-off violation. Multiple incidents across different regions over months demonstrate willful, continued evasion.

The spoofing events aligned with sanctioned cargo movements, concealing when and where the vessel loaded or discharged sanctioned commodities.

The interval from the first spoofing incident to OFAC designation was approximately nine months, exactly within the high-probability window the data identifies. If tracked in real time, these patterns would have flagged the vessel's sanction probability within 12 months. Any counterparty conducting thorough due diligence after the second spoofing incident should have classified this vessel as high-risk and avoided engagement.

This case exemplifies a broader truth: sanctions don't come from nowhere. They follow evidence trails that sophisticated compliance programs can detect before regulators act.

Technical detection

Understanding how spoofing is detected illuminates why it triggers such rapid enforcement:

  • Satellite cross-referencing: Comparing AIS broadcasts with satellite imagery immediately reveals discrepancies. If AIS says a vessel is in Location A but satellite imagery shows it in Location B, spoofing is confirmed.
  • Impossible movement patterns: Algorithms detect physically impossible behaviors—speeds exceeding what the vessel type can achieve, instantaneous position changes, movements over land, or tracks that violate physics.
  • Data consistency checks: Modern analytics platforms automatically check whether a vessel's stated speed matches position changes over time, flagging inconsistencies across thousands of vessels continuously.
  • Pattern libraries: Machine learning systems train on known spoofing cases, building pattern libraries of manipulation signatures. When new instances matching these signatures appear, they're flagged immediately.
  • Intelligence fusion: Commercial intelligence firms, national intelligence agencies, and sanctions authorities share information about spoofing vessels, multiplying scrutiny once any entity identifies manipulation.
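
The impossible-movement and data-consistency checks listed above can be sketched as follows. This is an added example, not Kpler's code: it compares the speed implied by consecutive positions with a maximum plausible speed and with the reported speed over ground. The `Report` fields, both thresholds and the sample track are constructed assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

@dataclass(frozen=True)
class Report:
    ts: int      # UNIX time of the AIS position report, seconds
    lat: float   # degrees
    lon: float   # degrees
    sog: float   # reported speed over ground, knots

def haversine_nm(a, b):
    """Great-circle distance between two reports in nautical miles."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def flag_track(reports, max_knots=25.0, sog_tolerance=5.0):
    """Return (index, reason) for each report inconsistent with its predecessor.

    max_knots and sog_tolerance are assumed thresholds; tune them per vessel type.
    """
    flags = []
    ordered = sorted(reports, key=lambda r: r.ts)
    for i in range(1, len(ordered)):
        prev, cur = ordered[i - 1], ordered[i]
        dist = haversine_nm(prev, cur)
        hours = (cur.ts - prev.ts) / 3600.0
        if hours <= 0:
            # Same identity reporting from two places at once (identity masking).
            if dist > 1.0:
                flags.append((i, "simultaneous_positions"))
            continue
        implied = dist / hours  # knots needed to cover the gap
        if implied > max_knots:
            flags.append((i, "impossible_jump"))
        elif abs(implied - (prev.sog + cur.sog) / 2) > sog_tolerance:
            flags.append((i, "sog_mismatch"))
    return flags

# Constructed sample track: hourly reports, a plausible 12-knot transit,
# then a jump across regions, then a "12-knot" report that never moves.
SAMPLE_TRACK = [
    Report(0,     1.20, 103.80, 12.0),
    Report(3600,  1.20, 104.00, 12.0),
    Report(7200,  1.20, 104.20, 12.0),
    Report(10800, 10.00, 60.00, 12.0),
    Report(14400, 10.00, 60.00, 12.0),
]
```

A flag from this check is only a lead: GNSS jamming and equipment faults can also produce jumps, so flagged segments still need the satellite cross-referencing described above.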

The technology overwhelmingly favors detection. While spoofing tactics evolve, detection capabilities evolve faster.

The compliance lesson

AIS spoofing is no longer a niche technical issue—it's a compliance signal that demands immediate attention.

Spoofing = immediate watchlist review

Any instance of confirmed AIS spoofing should trigger enhanced due diligence. Until proven otherwise through thorough investigation, treat spoofing as indicating serious sanctions risk. This isn't excessive caution; it's a proportionate response to data showing 80% of spoofing vessels face sanctions within a year.

Multiple spoofing events = predictive sanction risk

A single incident requires investigation. Multiple incidents require action—discontinuing any business relationship with the vessel or its operators until sanctions status is clarified. Repeated spoofing is among the strongest predictors of imminent sanctions.

Association with sanctioned cargo = compounded exposure

Spoofing combined with involvement in sanctioned commodity trades creates severe risk concentration. The combination proves both means (deceptive practices) and motive (evading sanctions).

Compliance teams should implement tiered alert systems:

  • Yellow flag: Single spoofing incident—requires investigation and enhanced monitoring
  • Orange flag: Multiple spoofing incidents, or a single incident combined with other risk factors—engagement requires senior compliance approval and should likely be avoided
  • Red flag: Repeated spoofing combined with sanctioned cargo involvement—immediate blacklist, termination of existing relationships

Modern sanctions enforcement increasingly targets networks. If your company engaged with a spoofing vessel, even for seemingly legitimate purposes, that relationship creates records that regulators may review and may trigger enhanced scrutiny of your broader operations.

By monitoring spoofing behaviors alongside cargo and ownership networks, stakeholders can transition from reactive compliance to predictive defense, reducing exposure to enforcement waves.

Moving from detection to prevention

Kpler's maritime intelligence software connects AIS patterns, satellite imagery, and sanction timelines to quantify vessel-level risk. Practical implementation of predictive compliance includes:

  • Real-time monitoring dashboards: Systems that continuously track vessel AIS data, automatically flagging spoofing incidents and categorizing risk levels, integrating with broader compliance workflows.
  • Risk scoring models: Quantitative models assigning risk scores based on multiple factors—spoofing incidents, operational zones, counterparty associations, ownership transparency, flag state, vessel age, and historical compliance record.
  • Automated sanctions screening: Systems that check vessels against sanctions lists, watchlists, and internally generated risk databases before each transaction, automatically updating when new sanctions are imposed.
  • Compliance training: Ensuring commercial staff understand spoofing indicators and compliance implications, enabling them to detect red flags like unusual client requests, pricing discrepancies, or routing anomalies.
  • Incident response protocols: Pre-established procedures for responding when a counterparty vessel is identified as spoofing or sanctioned, covering contract termination, regulatory reporting, evidence preservation, and communication strategies.

The bottom line

Spoofing isn't just a signal loss—it's a signal of intent. When a vessel deliberately falsifies its AIS broadcast, it demonstrates willingness to deceive authorities and counterparties. This intent predicts future sanctions with remarkable reliability: 80% probability within a year, concentrated in months 3-9.

For maritime industry participants, this data provides actionable intelligence. Spoofing is an early warning that precedes formal sanctions by months—a window for protective action. Companies that monitor for spoofing, investigate incidents promptly, and adjust their risk appetite accordingly will avoid the substantial costs that come with unknowingly doing business with soon-to-be-sanctioned entities.

The compliance landscape has fundamentally changed. What was once reactive—responding to published sanctions lists—must now be predictive. The vessels that will be sanctioned next month are likely spoofing today. The question is whether your compliance program can identify them before regulators do, or whether you'll discover the sanctions only after engaging with them.

In maritime compliance, as in maritime navigation, the most dangerous risks are those you see too late to avoid. AIS spoofing provides clear, early signals. The data shows what follows. The choice is whether to act on that intelligence or remain reactive, waiting for sanctions announcements to dictate your compliance posture.

The future belongs to organizations that treat compliance as intelligence—analyzing patterns, predicting risks, and acting on data before enforcement arrives. In a world where vessel behavior forecasts regulatory action with 80% accuracy, there's no excuse for being caught off guard.
