Fake Signals and American Insurance: How a Dark Fleet Moves Russian Oil


HomeHome / News / Fake Signals and American Insurance: How a Dark Fleet Moves Russian Oil

Mar 21, 2023

Fake Signals and American Insurance: How a Dark Fleet Moves Russian Oil

Visual Investigations By Christiaan Triebert, Blacki Migliozzi, Alexander

Visual Investigations

By Christiaan Triebert, Blacki Migliozzi, Alexander Cardia, Muyi Xiao and David BottiMay 30, 2023

In February, an oil tanker transmitted a signal showing it was sailing west of Japan.

But the tanker's path was highly unusual. Over the course of a day, its signals showed erratic behavior as the ship rapidly changed position.

A satellite image, taken during this time, deepened the mystery: There was no ship there at all.

The Cathay Phoenix was sending a fake location signal. This is known as "spoofing."

In reality, the ship was 250 miles north loading oil at the Russian port of Kozmino, part of a journey to China that likely caused a breach of U.S. sanctions.

The Cathay Phoenix is not a lone rogue ship, but one of at least three tankers identified by The New York Times taking extraordinary steps to hide their true activity, a practice that helps them to elude U.S. government oversight and puts their American insurer at risk of violating recent sanctions on Russian crude oil.

For years, ships wanting to hide their whereabouts have resorted to turning off the transponders all large vessels use to signal their location. But the tankers tracked by The Times go beyond this, using cutting-edge spoofing technology to make it appear they’re in one location when they’re really somewhere else.

During at least 13 voyages, the three tankers pretended to be sailing west of Japan. In reality, they were at terminals in Russia and shipping oil to China.

The vessels are part of a so-called dark fleet, a loose term used to describe a hodgepodge array of ships that obscure their locations or identities to avoid oversight from governments and business partners. They have typically been involved in moving oil from Venezuela or Iran — two countries that have also been hit by international sanctions. The latest surge of dark fleet ships began after Russia invaded Ukraine and the West tried to limit Moscow's oil revenue with sanctions.

"The type of spoofing we are seeing is uncommon and sophisticated," said David Tannenbaum, a former sanctions compliance officer at the U.S. Treasury, referring to the tankers identified by The Times. "It definitely looks like evasion on all parts."

To date, it's been rare to prove the true location of a ship pretending to be somewhere else. But a Times analysis of publicly available shipping data, satellite imagery and social media footage helped clearly establish that the tankers were not where they claimed to be.

The ships most likely sell their Russian oil to China above a price limit set by the sanctions. Since neither country recognizes the sanctions, the tankers themselves are not in violation by spoofing or carrying the oil.

But the tankers still have motive to spoof: to maintain their insurance coverage, without which they cannot operate in most major ports. The only insurers financially able to cover tankers are mostly based in the West and bound by the sanctions. If a client ship were to carry Russian oil that's sold above the price limit, the Western insurer would be in violation of the sanctions and must drop its coverage.

"It's significant when you look at dollar terms," said Samir Madani, co-founder of TankerTrackers.com, which monitors global shipping, who first alerted The Times to several of the suspicious ships. "It's around $1 billion worth of oil that is going under the radar while using Western insurance, and they’re using spoofing in order to preserve their Western insurance."

In addition to the three tankers transporting oil, Times reporters tracked another three vessels spoofing while off the coast of Russia, though it's unclear what cargo they carried.

All six tankers are insured by a U.S.-based company, the American Club. The Times provided the company with the names of the tankers, as well as details about the voyages on which they spoofed.

In an emailed response, Daniel Tadros, the American Club's chief operating officer, said he could not comment on any potential investigations because of legal and privacy requirements. "Insurance cover is automatically excluded in the event of sanctions’ violations," he said.

The U.S. has also created so-called safe harbor provisions to protect insurers from liability if they inadvertently cover ships violating sanctions. As of May 30, a regularly updated list of American Club's clients posted on its website showed the company is most likely still insuring the six tankers.

There has been at least one change since The Times approached the company with evidence of spoofing. The website had said the Cathay Phoenix's current policy would expire in February 2024. But recently, the expiration date suddenly shifted much earlier to June 2023. The company would not comment on the reason for the change.

(After this story was published, the coverage expiration for another tanker The Times found spoofing, Eternal Peace, was also changed to June from February 2024.)

The three tankers known to carry crude oil began their 13 journeys at the Russian port of Kozmino, even as they pretended to be off the coast of Japan. Satellite and social media imagery, along with customs data, shows that the tankers loaded cargo from a terminal used solely for crude oil from the Eastern Siberia–Pacific Ocean pipeline known as ESPO. They offloaded the oil in China.

The sanctions began in December with crude oil, and eventually included other products like fuel oil. For crude specifically, there is a price cap of $60-per-barrel to limit Russia's revenue from sales.

The price of specific shipments is not public, but ESPO's average price has stayed well above the limit — about $73-per-barrel — according to a Times analysis of customs and export data. This suggests the tankers carried oil that sold above the price cap. That act alone may have put the American Club in breach of the sanctions, although the safe harbor rules make any penalty unlikely.

While the total number of tankers violating the cap is unknown, U.S. officials insist that it remains effective. "The price cap is achieving its dual goals: restricting Russia's oil revenues while keeping Russian oil flowing, and markets stable and well-supplied," a U.S. Treasury spokesperson told The Times. Some analysts argue that the price data cited by the U.S. is flawed, and that the cap is not as effective as it may seem.

To carry out their deception, the tankers can use military-grade equipment, or software, that is now commercially available. This technology makes it possible to manipulate a vessel's reported location, which is broadcast by an automatic identification system, or AIS. The signals communicate a ship's identification, location and route over a radio frequency picked up by other vessels, ground stations and satellites.

For all the sophistication of the spoofing technology, there can be telltale signs for when it is being used, among them, odd geometric patterns in a ship's AIS data — like the course seemingly carved by the Cathay Phoenix off Japan. Experts believe this may at times be the software's attempt to mimic a vessel at anchor.

The U.S. Treasury's Office of Foreign Assets Control has repeatedly warned American companies to watch AIS signals for evidence of deceptive behavior. In 2020, O.F.A.C. specifically advised insurers to research a vessel's AIS history before providing coverage to avoid violating sanctions on various countries.

An even starker warning came in April, with an alert that spoofing around Kozmino, in particular, was most likely related to Russian sanctions evasion. It advised American companies, including insurers, to use "maritime intelligence services" to detect suspicious activity.

Maritime compliance experts say it can be difficult to detect spoofing among a large number of ships, but the specificity of O.F.A.C.'s alert narrows down where insurers should focus. "Now they have a reason to know this conduct occurs, and if they don't act on it they run the risk of being out of compliance," said Mr. Tannenbaum.

Mr. Tadros, the American Club executive, would not specify the tools used by the company to try to identify spoofing, but said it relies on "a robust framework of systems and controls, including monitoring services."

The warning signs also exist on publicly available ship tracking websites, The Times found. A single journey by the Cathay Phoenix exemplifies several clear anomalies that reveal a tanker is spoofing.

On March 8, the Cathay Phoenix leaves China signaling it's headed to South Korea.

During the trip, the tanker changes its AIS to signal a new destination: the port of Niigata, Japan. This is the moment it begins spoofing.

On March 24, the ship's fake signal comes to a stop just beyond the limit of Japanese jurisdiction, 70 miles from the port.

Inexplicably, the ship broadcasts over AIS that it's taking on more cargo despite never entering Niigata. This signal is received at a ground station nearly 400 miles away, near the port of Kozmino.

This type of ground station only has a 40-mile radius. It's further evidence that the Cathay Phoenix is nowhere near its supposed location off the coast of Japan.

A closer look at the Russian port hints at the truth. Several tug boats show they’re bringing a ship into port — but no AIS signal is being broadcast from where the ship should be.

A photo posted to Instagram by one of the tugboat's crew shows what's really there: the Cathay Phoenix.

Beyond monitoring for AIS abnormalities, O.F.A.C. also advises insurers to investigate the corporate histories of vessels in high-risk areas for sanctions evasion. The agency warns that ship owners may try to avoid scrutiny by using "complex business structures, including those involving shell companies."

Mr. Tannenbaum said a good time for insurers to look for warning signs was during the creation or renewal of a tanker's policy.

"These are all common, standard ‘know your customer’ practices that should be applied," he said. "This is your opportunity to see if this is a bad apple ahead of time or not."

According to the listings on the American Club's website, policies for the six tankers were renewed in February, after three of them had already started spoofing while carrying Russian oil.

Experts say the vessels exhibit characteristics that should raise questions. Most are owned by a shell company established less than three years ago — some only after Russia invaded Ukraine in February 2022. These companies are Chinese-run, registered in Hong Kong and own just a single aging ship which was recently purchased.

"While none of these factors are inherently problematic on their own — and are quite commonplace — taken altogether, they paint a picture of a group of vessels and companies that warrants further investigation," said Min Chao Choy, an analyst with C4ADS, a Washington-based nonprofit analyzing global security threats. She added that when factoring in that the tankers are also spoofing, they "fit a pattern commonly seen in maritime sanctions evasion activity."

A Times reporter visited addresses listed for the tankers’ owners in Hong Kong, and found only secretarial services occupying the offices — a common hallmark of shell companies. Four of the owners did not respond to letters from The Times requesting an interview.

A spokesperson for the owner of another tanker which visited Russia, the Ginza, told The Times by email that the ship was carrying a plant-based oil, and that the company was unaware the tanker's AIS signal was spoofing. The spokesperson also said the company lacked the technical knowledge to identify spoofing behavior.

The spoofing tankers using American insurance show that the practice is not limited to Russian oil alone. The Times found that five of the tankers pretended to be elsewhere while visiting ports in Iran or Venezuela — or receiving oil from those countries through a ship-to-ship transfer at sea. At least two ships, the Cathay Phoenix and Eternal Peace, carried crude oil, a potential breach of sanctions.

And the Ginza, too, faked its whereabouts last fall, pretending to be off the coast of Oman. The Times found its real location after discovering a crew member's Instagram video: The tanker was near an Iranian port. Satellite imagery also showed it docked at a berth for loading petrochemical products. The owner's spokesperson said the company was unaware of this behavior, too.

The U.S. Treasury official told The Times that in the case of Russian crude, if a U.S. entity learns that it is providing cover to price-cap evaders, coverage must be dropped.

Earlier this year, the American Club removed at least 15 vessels owned by an India-based company from its website, according to a report by Lloyd's List. The company, Gatik Ship Management, owns a fleet of 50 newly acquired tankers dedicated to the Russian oil trade, the report said. The American Club declined to explain its reasoning for the decision to The Times.


The Times obtained publicly available AIS data through MarineTraffic and Spire Global. The two platforms show live locations of ships around the world, and keep records of their past voyages.

Four of the six spoofing ships were first identified by Samir Madani. The ships were not broadcasting an AIS signal but Mr. Madani found them using medium-resolution satellite imagery.

Times reporters used high-resolution satellite imagery to confirm the identities of each ship by measuring their dimensions, and noting other visible features such as the hull and deck colors. They further confirmed the tankers’ presence in Russia after finding social media footage of the ships docked in the country.

Another ship, the Ginza, was first identified by Bjorn Bergman, a data analyst working for Global Fishing Watch and SkyTruth, two nonprofit organizations focused on the environment and fisheries. The Times corroborated Mr. Bergman's findings with satellite imagery and additional social media footage. The location of the Instagram video posted from the Ginza was verified by matching the mountain ridge seen in the background with topographical data of Iran's coast.

The Times reviewed both Chinese customs data and Russian trade data which listed oil exports. Both sources confirmed that, since the sanctions came into effect, the average price of crude oil shipped from Russia to China is about $73-per-barrel. This per-barrel price was also independently confirmed in a study conducted by the Kyiv School of Economics.

The Times further confirmed the origin points of the spoofing tankers using trade flow data from Refinitiv, a provider of global financial market data. The Times then looked for inconsistencies between the reported origins and destinations of thousands of oil shipments traversing Russia, and the AIS locations the ships purportedly transmitted.

Information on the tankers’ owners, managers and insurers was obtained through the databases of Equasis and the International Maritime Organization, as well as company registries from jurisdictions in which the companies were founded. Times reporters also referenced the American Club's own website, which maintains a freely accessible database of the ships it insures.

Tiffany May, Hiroko Tabuchi, Karan Deep Singh, Anatoly Kurmanaev, Malachy Browne and Aaron Krolik contributed reporting. Additional production by Jon Huang.