National Cyber Warfare Foundation (NCWF)

Cyber-Enabled Maritime Sanctions Evasion
0 user ratings		2026-06-11 13:57:10
milo
Blue Team (CND)
Discover how Iranian and Russian shadow fleets use a vast network of fake maritime websites and fraudulent documents to evade international sanctions

Executive Summary


Iranian and Russian shadow fleet vessels, along with multiple sanctions evasion networks (SENs), are using online infrastructure likely designed to facilitate sanctions evasion. The infrastructure consists of inauthentic websites impersonating ship registries, national maritime administrations, seafarer training and certification organizations, protection and indemnity (P&I) clubs, and ship classification societies, effectively replicating key layers of the maritime compliance stack. The websites are likely being used to circumvent maritime compliance mechanisms by generating and corroborating false documents and certificates.


The online infrastructure is consistent with a service-provider model in which threat actors offer reusable digital infrastructure, documentation, and identities, rather than operating as centrally coordinated, country-specific networks. Three identified clusters of online activity –– designated as Alpha, Bravo, and Charlie for the purposes of this report –– have several technical overlaps, suggesting these clusters may form a broader, loosely connected ecosystem of online infrastructure supporting multiple SENs. This activity also aligns with prior reporting by Bellingcat and Lloyd’s List and demonstrates potential links between the two reports across these three clusters.


This infrastructure blends established sanctions evasion practices, such as exploiting weak jurisdictional oversight in under-resourced jurisdictions to conduct fraudulent ship flag registrations, with increasingly cyber-enabled tactics such as automated document generation and layered infrastructure to produce fraudulent documents and credible front companies, complicating detection and enforcement.


Cyber-enabled SENs almost certainly undermine sanctions compliance mechanisms by developing credible but fraudulent maritime organizations, increasing the risk of due diligence failures and regulatory exposure. Organizations in the maritime and shipping sectors should integrate independent verification and cyber threat intelligence into compliance workflows to proactively identify fraudulent online infrastructure. Governments whose authorities are regularly impersonated by SENs and associated service providers should prioritize coordinated identification and disruption of fraudulent infrastructure, particularly where threat actors claim multi-jurisdictional legitimacy.


Key Findings



  • SENs tied to the Iranian and Russian shadow fleets are likely using over 36 inauthentic websites in three distinct clusters. Insikt Group identified explicit connections between these websites and seventeen vessels, the majority of which have already been sanctioned by the United States (US) Department of the Treasury (USDT)’s Office of Foreign Asset Control (OFAC) and by other countries.

  • Inauthentic websites identified as part of these clusters routinely impersonate national maritime administrations and ship registries from countries such as the Comoros and Benin, as well as Bhutan, Cameroon, Chad, Equatorial Guinea, Gambia, Haiti, Malawi, Nicaragua, and Zambia.

  • Other websites also aim to establish fictional ship classification societies as credible registered organizations (ROs), in addition to several websites acting as fictional seafarer training and certification organizations and P&I clubs.

  • One website impersonates the Benin Maritime Administration and provides a self-service tool to generate fraudulent seafarer documents from the governments of Benin, the Comoros, and Nicaragua.

  • Attribution for at least two of the clusters documented in this report includes Cluster Alpha, which is likely to have been at least partially developed by an Indian web development company, Oceaniek Technologies. Cluster Bravo is linked to two Syrian nationals, one of whom has previous historical involvement in illicit activity. Cluster Charlie remains unattributed, although it shares technical and design characteristics with Cluster Bravo.


Background


Three partially overlapping clusters of online infrastructure are likely being used by both the Iranian and Russian shadow fleets to evade sanctions (Figure 1). The three clusters (designated Alpha, Bravo, and Charlie) are connected through shared infrastructure, consistent domain registration patterns, and recurring operational security (OPSEC) mistakes.


The activity described in this report also overlaps with two previously unconnected activity clusters described by Bellingcat and Lloyd’s List –– the first tied to Indian web development company Oceaniek Technologies, and the second to a cluster of fraudulent ship registries centered around the domain marinegov[.]net. This activity also aligns with prior reporting from independent researcher Christian Panton, who collaborated with both Bellingcat and Lloyd’s List.


Unlike traditional intrusion sets, these websites enabling maritime fraud and sanctions evasion form a complex network involving front companies, individuals, and vessels. However, Insikt Group has established initial attribution to one of the clusters to two Syrian nationals, with one individual having a record of previous involvement in illicit activities.





diagram showing three partially overlapping clusters—labeled Alpha, Bravo, and Charlie



Figure 1: Clusters identified by Insikt Group (Source: Recorded Future)




Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/cyber-maritime-sanctions-evasion

Comments
new comment
Nobody has commented yet. Will you be the first?
  
Forum
Blue Team (CND)


Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.