maritime AIS · sanctions / dark vessel — methodology
maritime AIS forensics is not GPS tracking. the automatic identification system is self-reported by each vessel — a transponder the vessel controls. sanctions evasion exploits this: actors turn off AIS, inject false positions, or operate under obfuscated beneficial ownership chains with flag-of-convenience rotations timed around sanctioned port calls. the methodology here correlates three independent AIS feeds — marinetraffic, vesselfinder, and spire satellite — to surface spoofing, dark periods, and STS transfers before the report is assembled. vessel tracks stay local.
what evidence exists and how fast it dies
| artifact | volatility | time to loss |
|---|---|---|
| marinetraffic position-history CSV | persistent if exported | historical data may be paywalled or purged after 12–24 months |
| spire satellite AIS feed | persistent | commercial API; export before subscription lapses |
| IMO ownership + flag-state records | persistent | beneficial owner records may be updated or obscured; snapshot at triage time |
| port authority arrival / departure records | persistent | access varies by jurisdiction; may require formal request |
| satellite imagery (SAR / optical) | persistent if purchased | commercial archives; cost scales with resolution and recency |
| LRIT data (flag-state transmissions) | controlled | only accessible via flag-state or IMO; not available to private parties |
the first 10 minutes
- export the marinetraffic position-history CSV for the target MMSI — full history, not just recent.
- export the VesselFinder vessel track CSV for the same MMSI and overlapping date range.
- pull the spire maritime satellite AIS feed if available — satellite coverage is the tie-breaker.
- note the vessel's current flag state, name, and callsign — these change; snapshot now.
- pull IMO ownership records and the flag-state history log.
- identify the date range of the alleged incident — narrow your CSV exports to ±14 days.
- do not rely on a single AIS provider — feed disagreement is itself evidence.
- document your data sources with timestamps and export metadata before analysis begins.
- begin the path below.
the path
1. marinetraffic AIS export forensic analyzer
drop the marinetraffic position-history CSV for the target MMSI. produces a track timeline, gap map, and port-call cluster.
why first: the marinetraffic export is usually the first artifact you have. it establishes baseline track continuity before you layer in other feeds.
2. vesselfinder vessel track export forensic analyzer
drop the VesselFinder CSV. cross-correlates position, speed, and heading against the marinetraffic baseline to surface receiver disagreements.
why second: receiver disagreements between two independent AIS feeds are the first signal of spoofing or feed manipulation.
3. spire maritime AIS CSV forensic analyzer
spire maritime CSV — satellite AIS feed. satellites capture transmissions that terrestrial receivers miss, exposing dark periods at sea.
why third: satellite coverage closes the gap where terrestrial towers don't reach. dark periods that appear in terrestrial-only data often resolve here — or become more suspicious.
4. AIS spoofing detection from receiver
multi-receiver AIS log. scores each MMSI position report for GNSS-jump, impossible-speed, and heading-vs-COG anomalies.
why fourth: spoofing detection requires comparing simultaneous receiver observations. you need all three feeds loaded before this makes sense.
5. ship-to-ship transfer detection from AIS
merged track CSV from all three feeds. flags vessel rendezvous, drift convergence, and simultaneous position anomalies consistent with STS operations.
why fifth: STS transfers are the primary sanctions-evasion mechanism. the merged track from the first four tools is what this engine needs to correlate proximity events.
6. vessel ownership obfuscation chain detector
IMO ownership records + flag-state change log. maps beneficial-owner hop chain, flag-of-convenience switches, and name-change cadence.
why sixth: even a clean AIS track can belong to a sanctioned beneficial owner. ownership obfuscation is the second layer of sanctions evasion.
7. case report generator
all outputs from the six engines above. assembles them into a timeline-sorted report with chain-of-custody attestation and honest-limits language.
why last: the report is only as good as the evidence underneath it. generate it after all six engines have run.
dark vessel indicators
- AIS transponder off for more than 24 hours in open ocean — in coastal or port approaches, brief outages are normal; in open ocean they are not.
- position reports from terrestrial-only receivers in coverage-dark zones — if marinetraffic shows a fix but spire satellite does not, the fix may be injected or relayed.
- heading / COG / SOG inconsistencies across simultaneous receiver observations — a vessel cannot be on two headings at once; disagreements across feeds at the same timestamp are a spoofing signal.
- MMSI or name mismatch across AIS feeds — vessels sometimes operate under cloned or recycled MMSIs; a mismatch at the same position is a hard red flag.
- flag-state change within 30 days of a port call in a sanctioned country — flag-hopping timed to a port visit is a documented evasion technique; check the ownership chain for each flag.
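an added example, not code from the analyzers this page describes: one way to score a single MMSI's merged position reports for the impossible-speed jump and heading-vs-COG indicators. the thresholds, the tuple layout and the sample track are assumptions constructed for illustration.

```python
import math

MAX_KNOTS = 25.0       # assumption: speed ceiling for the vessel class under review
NOISE_NM = 0.5         # assumption: ignore position jitter below this distance
MAX_HDG_COG = 45.0     # assumption: tolerated heading/COG split while under way
MIN_SOG = 3.0          # assumption: below this SOG, COG is too noisy to compare
HDG_UNAVAILABLE = 511  # AIS value meaning "true heading not available"

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))

def angle_diff(a, b):
    """Smallest absolute difference between two bearings, 0..180 degrees."""
    return abs((a - b + 180) % 360 - 180)

def score_track(reports):
    """reports: (epoch_s, lat, lon, sog_kn, cog_deg, hdg_deg) tuples for one MMSI.
    Returns (epoch_s, anomaly, value) flags in time order."""
    flags, prev = [], None
    for rep in sorted(reports):
        t, lat, lon, sog, cog, hdg = rep
        if prev is not None:
            dist = haversine_nm(prev[1], prev[2], lat, lon)
            hours = max(t - prev[0], 1) / 3600  # same-second reports: avoid /0
            if dist > NOISE_NM and dist / hours > MAX_KNOTS:
                flags.append((t, "impossible-speed", round(dist / hours, 1)))
        if hdg != HDG_UNAVAILABLE and sog >= MIN_SOG:
            split = angle_diff(hdg, cog)
            if split > MAX_HDG_COG:
                flags.append((t, "heading-vs-cog", round(split, 1)))
        prev = rep
    return flags

# Constructed sample track (not real vessel data): steady eastbound leg,
# one fix displaced 2 degrees north, then a report with a reversed heading.
TRACK = [
    (0,     10.0, 60.0, 12.0,  90.0,  91),
    (3600,  10.0, 60.2, 12.0,  90.0, 511),
    (7200,  12.0, 60.4, 12.0,  90.0,  90),
    (10800, 10.0, 60.6, 12.0,  90.0,  90),
    (14400, 10.0, 60.8, 12.0,  90.0, 270),
    (18000, 10.0, 60.8,  0.1, 200.0,  20),
]
```

a displaced fix raises two impossible-speed flags, one for the jump out and one for the jump back, which is how an injected position typically shows up in a merged track.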
what maritime AIS forensics can and cannot tell you
we can tell you:
- documented AIS track gaps — timestamps where position reports ceased across corroborated feeds
- impossible maneuvers — speed, heading, or positional jumps that exceed the vessel's physical capability
- multi-feed disagreements — correlated receiver observations that conflict, consistent with spoofing or feed manipulation
- ownership obfuscation chains — beneficial-owner hops, flag-of-convenience rotations, and name-change cadence relative to sanctioned port calls
we cannot tell you:
- actual cargo — AIS is positional data; cargo manifests require port authority or customs records, not available here
- legally-admissible GNSS fix independent of the vessel's own transponder — the AIS position is self-reported; independent corroboration requires satellite imagery or port authority logs
- official LRIT data — long-range identification and tracking is flag-state controlled and not accessible to private parties through this toolset
- substitute for port-state control inspection records — PSC records are the authoritative physical inspection record; browser analysis of AIS exports does not replace them
important: AIS data is self-reported by vessels. always cross-reference findings with LRIT, port authority records, and satellite imagery where available before drawing evidentiary conclusions.
common false leads
- a gap in marinetraffic = the vessel went dark — terrestrial receiver coverage is uneven; a gap in one feed that spire satellite fills is routine, not evasion.
- a clean AIS track = a clean vessel — spoofing can produce a plausible-looking terrestrial track while the vessel is physically elsewhere; satellite feed disagreement is the tell.
- a flag-state change = sanctions evasion — vessels reflag for commercial and regulatory reasons; context (timing relative to sanctioned port calls, ownership chain changes) is required before drawing an evasion inference.
- STS proximity = confirmed transfer — two vessels at close range is consistent with STS but also with convoy operations, rescue, and routine anchorage; corroboration from cargo and port records is required.
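an added example (not the toolset's own code) of the distinction drawn above between a routine coverage gap and a dark period: every gap over the 24-hour open-ocean threshold in one feed is re-checked against the other feeds. the feed names used as keys, the satellite/terrestrial split and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DARK = timedelta(hours=24)  # the page's open-ocean outage threshold
SATELLITE = {"spire"}       # assumption: every other feed is terrestrial

def gaps(times, threshold=DARK):
    """(start, end) pairs where consecutive reports are > threshold apart."""
    times = sorted(times)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > threshold]

def classify_gaps(feeds, threshold=DARK):
    """feeds: {feed name: [datetime, ...]} for one MMSI, same time zone."""
    findings = []
    for name, times in feeds.items():
        for start, end in gaps(times, threshold):
            filled_by = sorted(o for o, ots in feeds.items()
                               if o != name and any(start < t < end for t in ots))
            merged = [t for f in feeds.values() for t in f if start <= t <= end]
            dark = gaps(merged, threshold)  # silence left after merging all feeds
            if dark:
                verdict = "corroborated gap"        # no feed covers the window
            elif name in SATELLITE and not SATELLITE & set(filled_by):
                verdict = "terrestrial-only fixes"  # shore fixes, satellite silent
            else:
                verdict = "coverage gap"            # routine: another feed fills it
            findings.append({"feed": name, "start": start, "end": end,
                             "filled_by": filled_by, "verdict": verdict, "dark": dark})
    return findings

def day(*stamps):
    """Helper for the constructed sample: 'DDTHH:MM' stamps in March 2024."""
    return [datetime.fromisoformat(f"2024-03-{s}") for s in stamps]

# Constructed sample timestamps for one MMSI (not real vessel data).
FEEDS = {
    "marinetraffic": day("01T00:00", "01T06:00", "03T12:00", "03T18:00",
                         "06T00:00", "06T06:00", "07T00:00", "07T18:00", "08T12:00"),
    "spire": day("01T00:00", "01T12:00", "02T06:00", "03T00:00", "03T18:00",
                 "06T00:00", "06T06:00", "08T12:00"),
}

if __name__ == "__main__":
    for f in classify_gaps(FEEDS):
        print(f["feed"], f["start"], "->", f["end"], f["verdict"], f["filled_by"])
```

a "terrestrial-only fixes" verdict is a prompt to check receiver coverage for that area, not a finding on its own.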
handing it off
- sanctions compliance / OFAC counsel: AIS gap map, spoofing score output, STS event log, ownership chain export, and flag-state change timeline with dates relative to sanctioned port calls.
- insurance (marine P&I): track continuity report, gap periods with feed-by-feed attribution, and case report generator output with honest-limits attestation.
- law enforcement (OFAC / DOJ / coast guard): raw CSV exports with SHA-256 hashes, analysis outputs, data-source metadata, and chain-of-custody log.
- outside counsel: preservation log — what you exported, from which provider, at which timestamp, with hash verification. do not clean or filter the raw CSVs before handoff.
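an added example, not part of the toolset described here: a minimal preservation log that records provider, export timestamp and SHA-256 for each raw CSV, then re-hashes the files before handoff. the JSON-lines layout, the field names and the function names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_export(log_path, csv_path, provider, mmsi, exported_at):
    """Append one entry to a JSON-lines preservation log and return it."""
    entry = {
        "file": Path(csv_path).name,
        "provider": provider,
        "mmsi": mmsi,
        "exported_at": exported_at,  # when the provider export was made
        "logged_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size": Path(csv_path).stat().st_size,
        "sha256": sha256_file(csv_path),
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_exports(log_path, directory):
    """Re-hash every logged file; return {file: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for line in Path(log_path).read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        path = Path(directory) / entry["file"]
        if not path.exists():
            results[entry["file"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            results[entry["file"]] = "modified"  # cleaned, filtered or re-saved
        else:
            results[entry["file"]] = "ok"
    return results
```

run `verify_exports` against the handoff directory immediately before transfer; any result other than "ok" means the raw export no longer matches what was logged at collection time.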