Discover how Iranian and Russian shadow fleets use a vast network of fake maritime websites and fraudulent documents to evade international sanctions
# Threat Actor: Iranian and Russian Sanctions Evasion Networks (SENs)
## Attribution & Identity
* **Identified Actor:** A loosely connected ecosystem of Sanctions Evasion Networks (SENs) and digital service providers supporting the Iranian and Russian "shadow fleets."
* **Associated Groups/Entities:**
  * **Cluster Alpha:** Likely developed by **Oceaniek Technologies**, an Indian web development company.
  * **Cluster Bravo:** Linked to two **Syrian nationals** (unnamed in the summary, but noted for historical illicit activity).
  * **Cluster Charlie:** Unattributed, but technically mirrors Cluster Bravo.
* **Previously Reported Entities:** Links to activity documented by Bellingcat and Lloyd’s List regarding fraudulent flag operations.
## Activity Summary
Recent operations involve the deployment of over 36 inauthentic websites designed to impersonate the global maritime compliance stack. These sites facilitate the movement of sanctioned oil and goods by providing "legal" cover for shadow fleet vessels. The infrastructure has been explicitly linked to at least 17 vessels, most of which are sanctioned by the US (OFAC) or UK for ties to Iranian and Russian state interests.
## Tactics, Techniques & Procedures
* **Impersonation of Authorities:** Creating fake domains for national maritime administrations and ship registries.
* **Fraudulent Document Generation:** Using automated "self-service" tools on websites to generate fake seafarer certificates and ship documentation.
* **Shadow Registry Creation:** Establishing fictional ship classification societies (Recognized Organizations, ROs) and Protection and Indemnity (P&I) clubs to simulate insurance and safety compliance.
* **Exploitation of Under-resourced Jurisdictions:** Targeting countries with weak maritime oversight to claim fraudulent flag registrations.
* **Service-Provider Model:** Operating as a "reusable" digital infrastructure where technical actors build the tools used by various independent smuggling networks.
## Targeting
* **Sectors:** Maritime shipping, global oil trade, marine insurance, and regulatory bodies.
* **Geography:**
  * **Impersonated Jurisdictions:** Comoros, Benin, Bhutan, Cameroon, Chad, Equatorial Guinea, Gambia, Haiti, Malawi, Nicaragua, and Zambia.
  * **Operational Origins:** India (Cluster Alpha) and Syria (Cluster Bravo).
* **Victims (Sanctioned Vessels identified using this infrastructure):**
  * **Iranian Shadow Fleet:** HANSON, KATSUYA.
  * **Russian Shadow Fleet:** DIANCHI, BAISHA, SERENA, PRS OCEAN.
  * **Entities of Interest:** MAKMUR, TIS 520, SERANO II, BURAAQ.
## Tools & Infrastructure
* **Website Clusters:** Alpha, Bravo, and Charlie.
* **Primary Infrastructure:**
  * marinegov[.]net (core domain for the fake registry cluster)
  * Inauthentic maritime training portals and P&I club websites.
  * Automated document generation scripts.
## Implications
These cyber-enabled SENs present a systemic risk to global maritime security. By creating a digital "parallel reality" of fraudulent but credible-looking organizations, they undermine the due diligence processes of banks, insurers, and port authorities. This complicates the enforcement of international sanctions and allows for the continued funding of sanctioned states through illicit trade.
## Mitigations
* **Enhanced Due Diligence:** Maritime organizations should not rely solely on digital certificates provided by ship operators; independent verification via official government contact channels is required.
* **Cyber Threat Intelligence (CTI):** Integrate monitoring for newly registered maritime-themed domains that impersonate sovereign registries.
* **Inter-Governmental Cooperation:** Authorities in the impersonated nations (e.g., Benin, Comoros) should coordinate with international bodies like the IMO to issue formal alerts and seize fraudulent domains.
* **Cross-Sector Data Sharing:** Linking vessel tracking data (AIS) with infrastructure analysis to identify "ghost" vessels using fraudulent credentials.
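The domain-monitoring mitigation above, as an added example that is not from the report: a small Python triage heuristic run over a constructed new-registration feed, keyed on the report's list of impersonated jurisdictions and the one domain it names. The vocabulary lists, weights and threshold are assumptions, and the output is a ranked queue for analyst review, not a verdict.

```python
import re

# Jurisdictions the report names as impersonated by the fake-registry clusters.
IMPERSONATED_JURISDICTIONS = (
    "comoros", "benin", "bhutan", "cameroon", "chad", "equatorialguinea",
    "gambia", "haiti", "malawi", "nicaragua", "zambia",
)
# Vocabulary of the maritime compliance stack the spoofed sites imitate (assumed list).
REGISTRY_TERMS = ("maritime", "marine", "shipregistry", "registry", "flag",
                  "seafarer", "pandi", "classification")
# Wording that implies a sovereign authority; suspicious on an ordinary TLD (assumed list).
AUTHORITY_TERMS = ("gov", "govt", "official", "admin", "ministry")

def refang(domain: str) -> str:
    """Turn defanged CTI notation such as marinegov[.]net back into a plain domain."""
    return domain.strip().lower().replace("[.]", ".")

def score_domain(domain: str) -> tuple[int, list[str]]:
    """Heuristic score for one domain; higher means more registry-like. Substring
    matching is deliberate (catches 'benin-ship-registry'), so expect false positives."""
    host, _, tld = refang(domain).rpartition(".")
    label = re.sub(r"[^a-z0-9]", "", host)  # collapse hyphens and dots for matching
    score, reasons = 0, []
    for j in IMPERSONATED_JURISDICTIONS:
        if j in label:
            score += 2
            reasons.append(f"impersonated jurisdiction: {j}")
    hits = [t for t in REGISTRY_TERMS if t in label]
    if hits:
        score += len(hits)
        reasons.append("registry vocabulary: " + ", ".join(hits))
    if any(a in label for a in AUTHORITY_TERMS) and tld != "gov":
        score += 2
        reasons.append(f"authority wording on non-.gov TLD .{tld}")
    return score, reasons

def triage(new_domains, threshold: int = 3):
    """Return (domain, score, reasons) at or above threshold, highest score first."""
    scored = [(d, *score_domain(d)) for d in new_domains]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])

# Constructed sample of a daily new-registration feed; the .example TLD is reserved
# for documentation, and only marinegov[.]net comes from the report.
SAMPLE_FEED = [
    "marinegov[.]net",
    "benin-shipregistry.example",
    "comoros-flag-admin.example",
    "maritime-training-portal.example",
    "bluewater-yachts.example",
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(f"{score:2d}  {domain:34s} {'; '.join(reasons)}")
```

In practice the feed would come from a certificate-transparency or zone-file monitor, and hits should be cross-checked against the official registry contact channels before any action.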