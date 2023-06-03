In February, an oil tanker transmitted a signal showing it was sailing west of Japan.

But the tanker’s path was highly unusual. Over the course of a day, its signals showed erratic behavior as the ship rapidly changed position.

A satellite image, taken during this time, deepened the mystery: It showed there was no ship in the area at all.

The Cathay Phoenix was sending a fake location signal. This is known as “spoofing.”

In reality, the ship was 250 miles north, loading oil at the Russian port of Kozmino, part of a journey to China that likely caused a breach of U.S. sanctions.

For years, ships wanting to hide their whereabouts have resorted to turning off the transponders all large vessels use to signal their location. But the tankers tracked by The New York Times go beyond this, using cutting-edge spoofing technology to make it appear they’re in one location when they’re really somewhere else.

Advertising

During at least 13 voyages, the three tankers pretended to be sailing west of Japan. In reality, they were loading oil in Russia and shipping it to China.

The vessels are part of a so-called dark fleet, a loose term used to describe a hodgepodge array of ships that obscure their locations or identities to avoid oversight from governments and business partners. They have typically been involved in moving oil from Venezuela or Iran — two countries that have also been hit by international sanctions. The latest surge of dark fleet ships began after Russia invaded Ukraine and the West tried to limit Moscow’s oil revenue with sanctions.

“The type of spoofing we are seeing is uncommon and sophisticated,” said David Tannenbaum, a former sanctions compliance officer at the U.S. Treasury, referring to the tankers identified by the Times. “It definitely looks like evasion on all parts.”

To date, it’s been rare to prove the true location of a ship pretending to be somewhere else. But a Times analysis of publicly available shipping data, satellite imagery and social media footage helped clearly establish that the tankers were not where they claimed to be.

The ships most likely sell their Russian oil to China above a price limit set by the sanctions. Since neither country recognizes the sanctions, the tankers themselves are not in violation by spoofing or carrying the oil.

But the tankers still have motive to spoof: to maintain their insurance coverage, without which they cannot operate in most major ports. The only insurers financially able to cover tankers are mostly based in the West and bound by the sanctions. If a client ship were to carry Russian oil that’s sold above the price limit, the Western insurer would be in violation of the sanctions and must drop its coverage.

Advertising

“It’s significant when you look at dollar terms,” said Samir Madani, co-founder of TankerTrackers.com, which monitors global shipping, who first alerted the Times to several of the suspicious ships. “It’s around $1 billion worth of oil that is going under the radar while using Western insurance, and they’re using spoofing in order to preserve their Western insurance.”

In addition to the three tankers transporting oil, Times reporters tracked another three vessels spoofing while off the coast of Russia, though it’s unclear what cargo they carried.

All six tankers are insured by a U.S.-based company, the American Club. The Times provided the company with the names of the tankers, as well as details about the voyages on which they spoofed.

In an emailed response, Daniel Tadros, the American Club’s chief operating officer, said he could not comment on any potential investigations because of legal and privacy requirements. “Insurance cover is automatically excluded in the event of sanctions’ violations,” he said.

The U.S. has also created so-called safe harbor provisions to protect insurers from liability if they inadvertently cover ships violating sanctions. As of May 30, a regularly updated list of American Club’s clients posted on its website showed the company is most likely still insuring the six tankers.

There has been at least one change since the Times approached the company with evidence of spoofing. The website had said the Cathay Phoenix’s current policy would expire in February 2024. But recently, the expiration date suddenly shifted much earlier, to June 2023. The company would not comment on the reason for the change.

Advertising

The three tankers known to carry crude oil began their 13 journeys at the Russian port of Kozmino, even as they pretended to be off the coast of Japan. Satellite and social media imagery, along with customs data, shows that the tankers loaded cargo from a terminal used solely for crude oil from the Eastern Siberia-Pacific Ocean pipeline known as ESPO. They offloaded the oil in China.

While the total number of tankers violating the cap is unknown, U.S. officials insist that it remains effective. “The price cap is achieving its dual goals: restricting Russia’s oil revenues while keeping Russian oil flowing, and markets stable and well-supplied,” a U.S. Treasury spokesperson told the Times. Some analysts argue that the price data cited by the United States is flawed, and that the cap is not as effective as it may seem.

To carry out their deception, the tankers can use military-grade equipment, or software, that is now commercially available. This technology makes it possible to manipulate a vessel’s reported location, which is broadcast by an automatic identification system, or AIS. The signals communicate a ship’s identification, location and route over a radio frequency picked up by other vessels, ground stations and satellites.

For all the sophistication of the spoofing technology, there can be telltale signs for when it is being used, among them, odd geometric patterns in a ship’s AIS data — like the course seemingly carved by the Cathay Phoenix off Japan. Experts believe this may at times be the software’s attempt to mimic a vessel at anchor.

The U.S. Treasury’s Office of Foreign Assets Control has repeatedly warned American companies to watch AIS signals for evidence of deceptive behavior. In 2020, OFAC specifically advised insurers to research a vessel’s AIS history before providing coverage to avoid violating sanctions on various countries.

An even starker warning came in April, with an alert that spoofing around Kozmino, in particular, was most likely related to Russian sanctions evasion. It advised American companies, including insurers, to use “maritime intelligence services” to detect suspicious activity.

Sponsored

Maritime compliance experts say it can be difficult to detect spoofing among a large number of ships, but the specificity of OFAC’s alert narrows down where insurers should focus. “Now they have a reason to know this conduct occurs, and if they don’t act on it they run the risk of being out of compliance,” said Tannenbaum.

Tadros, the American Club executive, would not specify the tools used by the company to try to identify spoofing, but said it relies on “a robust framework of systems and controls, including monitoring services.”

According to the listings on the American Club’s website, policies for the six tankers were renewed in February, after three of them had already started spoofing while carrying Russian oil.

Experts say the vessels exhibit characteristics that should raise questions. Most are owned by a shell company established less than three years ago — some only after Russia invaded Ukraine in February 2022. These companies are Chinese-run, registered in Hong Kong and own just a single aging ship which was recently purchased.

“While none of these factors are inherently problematic on their own — and are quite commonplace — taken altogether, they paint a picture of a group of vessels and companies that warrants further investigation,” said Min Chao Choy, an analyst with C4ADS, a Washington-based nonprofit analyzing global security threats. She added that when factoring in that the tankers are also spoofing, they “fit a pattern commonly seen in maritime sanctions evasion activity.”

A Times reporter visited addresses listed for the tankers’ owners in Hong Kong, and found only secretarial services occupying the offices — a common hallmark of shell companies. Four of the owners did not respond to letters from the Times requesting an interview.

Advertising

A spokesperson for the owner of another tanker which visited Russia, the Ginza, told the Times in an email that the ship was carrying a plant-based oil, and that the company was unaware the tanker’s AIS signal was spoofing. The spokesperson also said the company lacked the technical knowledge to identify spoofing behavior.

The U.S. Treasury official told the Times that in the case of Russian crude, if a U.S. entity learns that it is providing cover to price-cap evaders, coverage must be dropped.

Earlier this year, the American Club removed at least 15 vessels owned by an India-based company from its website, according to a report by Lloyd’s List. The company, Gatik Ship Management, owns a fleet of 50 newly acquired tankers dedicated to the Russian oil trade, the report said. The American Club declined to explain its reasoning for the decision to the Times.