Fake Signals and American Insurance: How a Dark Fleet Moves Russian Oil

Fake Signals and American Insurance: How a Dark Fleet Moves Russian Oil



The Cathay Phoenix is not a lone rogue ship, but one of at least three tankers identified by The New York Times taking extraordinary steps to hide their true activity, a practice that helps them to elude U.S. government oversight and puts their American insurer at risk of violating recent sanctions on Russian crude oil.

For years, ships wanting to hide their whereabouts have resorted to turning off the transponders all large vessels use to signal their location. But the tankers tracked by The Times go beyond this, using cutting-edge spoofing technology to make it appear they’re in one location when they’re really somewhere else.

During at least 13 voyages, the three tankers pretended to be sailing west of Japan. In reality, they were at terminals in Russia and shipping oil to China.

The vessels are part of a so-called dark fleet, a loose term used to describe a hodgepodge array of ships that obscure their locations or identities to avoid oversight from governments and business partners. They have typically been involved in moving oil from Venezuela or Iran — two countries that have also been hit by international sanctions. The latest surge of dark fleet ships began after Russia invaded Ukraine and the West tried to limit Moscow’s oil revenue with sanctions.

“The type of spoofing we are seeing is uncommon and sophisticated,” said David Tannenbaum, a former sanctions compliance officer at the U.S. Treasury, referring to the tankers identified by The Times. “It definitely looks like evasion on all parts.”

To date, it’s been rare to prove the true location of a ship pretending to be somewhere else. But a Times analysis of publicly available shipping data, satellite imagery and social media footage helped clearly establish that the tankers were not where they claimed to be.

The ships most likely sell their Russian oil to China above a price limit set by the sanctions. Since neither country recognizes the sanctions, the tankers themselves are not in violation by spoofing or carrying the oil.

But the tankers still have motive to spoof: to maintain their insurance coverage, without which they cannot operate in most major ports. The only insurers financially able to cover tankers are mostly based in the West and bound by the sanctions. If a client ship were to carry Russian oil that’s sold above the price limit, the Western insurer would be in violation of the sanctions and must drop its coverage.

“It’s significant when you look at dollar terms,” said Samir Madani, co-founder of TankerTrackers.com, which monitors global shipping, who first alerted The Times to several of the suspicious ships. “It’s around $1 billion worth of oil that is going under the radar while using Western insurance, and they’re using spoofing in order to preserve their Western insurance.”

In addition to the three tankers transporting oil, Times reporters tracked another three vessels spoofing while off the coast of Russia, though it’s unclear what cargo they carried.

All six tankers are insured by a U.S.-based company, the American Club. The Times provided the company with the names of the tankers, as well as details about the voyages on which they spoofed.

In an emailed response, Daniel Tadros, the American Club’s chief operating officer, said he could not comment on any potential investigations because of legal and privacy requirements. “Insurance cover is automatically excluded in the event of sanctions’ violations,” he said.

The U.S. has also created so-called safe harbor provisions to protect insurers from liability if they inadvertently cover ships violating sanctions. As of May 30, a regularly updated list of American Club’s clients posted on its website showed the company is most likely still insuring the six tankers.

There has been at least one change since The Times approached the company with evidence of spoofing. The website had said the Cathay Phoenix’s current policy would expire in February 2024. But recently, the expiration date suddenly shifted much earlier to June 2023. The company would not comment on the reason for the change.

Tankers that The Times found spoofing since December

Satellite images revealed the true locations of spoofing ships, which shared similar traits like age, ownership and insurer.

Alma – IMO: 9235892*

Age: 20 years old

Owned: Irish company

Insured: American Club

Cargo: Crude oil

Spoofed location: Sea of Japan

Found location: Kozmino oil terminal, Russia

Cathay Phoenix – IMO: 9249324

Age: 22 years old

Owned: Hong Kong company

Insured: American Club

Cargo: Crude oil

Spoofed location: Near Niigata, Japan

Found location: Kozmino oil terminal, Russia

Eternal Peace – IMO: 9259745

Age: 19 years old

Owned: Hong Kong company

Insured: American Club

Cargo: Crude oil

Spoofed location: Near Niigata, Japan

Found location: Kozmino oil terminal, Russia

Ginza – IMO: 9220926

Age: 22 years old

Owned: Hong Kong company

Insured: American Club

Cargo: Unknown

Spoofed location: Near Varna, Bulgaria

Found location: Taman, Russia

Lady Ella – IMO: 9252436

Age: 20 years old

Owned: Hong Kong company

Insured: American Club

Cargo: Unknown

Spoofed location: Niigata Port, Japan

Found location: Near Kozmino, Russia

Snow Lotus – IMO: 9259733

Age: 19 years old

Owned: Hong Kong company

Insured: American Club

Cargo: Unknown

Spoofed location: Near Niigata, Japan

Found location: Near Kozmino, Russia

Sources: Planet Labs, Copernicus Sentinel-2, Maxar Technologies, MarineTraffic, Spire Global, Equasis, American Club

Note: The International Maritime Organization issues an IMO number, a permanent identification number, that remains associated with vessels throughout their lifetime, unlike a ship’s name, which can change frequently.

The three tankers known to carry crude oil began their 13 journeys at the Russian port of Kozmino, even as they pretended to be off the coast of Japan. Satellite and social media imagery, along with customs data, shows that the tankers loaded cargo from a terminal used solely for crude oil from the Eastern Siberia–Pacific Ocean pipeline known as ESPO. They offloaded the oil in China.

The sanctions began in December with crude oil, and eventually included other products like fuel oil. For crude specifically, there is a price cap of $60-per-barrel to limit Russia’s revenue from sales.

The price of specific shipments is not public, but ESPO’s average price has stayed well above the limit — about $73-per-barrel — according to a Times analysis of customs and export data. This suggests the tankers carried oil that sold above the price cap. That act alone may have put the American Club in breach of the sanctions, although the safe harbor rules make any penalty unlikely.

Price of Russian ESPO blend oil since the start of the Ukraine war

Source: Refinitiv

While the total number of tankers violating the cap is unknown, U.S. officials insist that it remains effective. “The price cap is achieving its dual goals: restricting Russia’s oil revenues while keeping Russian oil flowing, and markets stable and well-supplied,” a U.S. Treasury spokesperson told The Times. Some analysts argue that the price data cited by the U.S. is flawed, and that the cap is not as effective as it may seem.

To carry out their deception, the tankers can use military-grade equipment, or software, that is now commercially available. This technology makes it possible to manipulate a vessel’s reported location, which is broadcast by an automatic identification system, or AIS. The signals communicate a ship’s identification, location and route over a radio frequency picked up by other vessels, ground stations and satellites.

For all the sophistication of the spoofing technology, there can be telltale signs for when it is being used, among them, odd geometric patterns in a ship’s AIS data — like the course seemingly carved by the Cathay Phoenix off Japan. Experts believe this may at times be the software’s attempt to mimic a vessel at anchor.

The U.S. Treasury’s Office of Foreign Assets Control has repeatedly warned American companies to watch AIS signals for evidence of deceptive behavior. In 2020, O.F.A.C. specifically advised insurers to research a vessel’s AIS history before providing coverage to avoid violating sanctions on various countries.

An even starker warning came in April, with an alert that spoofing around Kozmino, in particular, was most likely related to Russian sanctions evasion. It advised American companies, including insurers, to use “maritime intelligence services” to detect suspicious activity.



The U.S. government has identified the Russian oil-loading port of Kozmino as a possible location of sanctions violations.

Konstantin Zavrazhin/Getty Images

Maritime compliance experts say it can be difficult to detect spoofing among a large number of ships, but the specificity of O.F.A.C.’s alert narrows down where insurers should focus. “Now they have a reason to know this conduct occurs, and if they don’t act on it they run the risk of being out of compliance,” said Mr. Tannenbaum.

Mr. Tadros, the American Club executive, would not specify the tools used by the company to try to identify spoofing, but said it relies on “a robust framework of systems and controls, including monitoring services.”

The warning signs also exist on publicly available ship tracking websites, The Times found. A single journey by the Cathay Phoenix exemplifies several clear anomalies that reveal a tanker is spoofing.


Beyond monitoring for AIS abnormalities, O.F.A.C. also advises insurers to investigate the corporate histories of vessels in high-risk areas for sanctions evasion. The agency warns that ship owners may try to avoid scrutiny by using “complex business structures, including those involving shell companies.”

Mr. Tannenbaum said a good time for insurers to look for warning signs was during the creation or renewal of a tanker’s policy.

“These are all common, standard ‘know your customer’ practices that should be applied,” he said. “This is your opportunity to see if this is a bad apple ahead of time or not.”

According to the listings on the American Club’s website, policies for the six tankers were renewed in February, after three of them had already started spoofing while carrying Russian oil.

Experts say the vessels exhibit characteristics that should raise questions. Most are owned by a shell company established less than three years ago — some only after Russia invaded Ukraine in February 2022. These companies are Chinese-run, registered in Hong Kong and own just a single aging ship which was recently purchased.

“While none of these factors are inherently problematic on their own — and are quite commonplace — taken altogether, they paint a picture of a group of vessels and companies that warrants further investigation,” said Min Chao Choy, an analyst with C4ADS, a Washington-based nonprofit analyzing global security threats. She added that when factoring in that the tankers are also spoofing, they “fit a pattern commonly seen in maritime sanctions evasion activity.”

A Times reporter visited addresses listed for the tankers’ owners in Hong Kong, and found only secretarial services occupying the offices — a common hallmark of shell companies. Four of the owners did not respond to letters from The Times requesting an interview.

A spokesperson for the owner of another tanker which visited Russia, the Ginza, told The Times by email that the ship was carrying a plant-based oil, and that the company was unaware the tanker’s AIS signal was spoofing. The spokesperson also said the company lacked the technical knowledge to identify spoofing behavior.

The spoofing tankers using American insurance show that the practice is not limited to Russian oil alone. The Times found that five of the tankers pretended to be elsewhere while visiting ports in Iran or Venezuela — or receiving oil from those countries through a ship-to-ship transfer at sea. At least two ships, the Cathay Phoenix and Eternal Peace, carried crude oil, a potential breach of sanctions.

And the Ginza, too, faked its whereabouts last fall, pretending to be off the coast of Oman. The Times found its real location after discovering a crew member’s Instagram video: The tanker was near an Iranian port. Satellite imagery also showed it docked at a berth for loading petrochemical products. The owner’s spokesperson said the company was unaware of this behavior, too.

The Times verified the location and timeframe of a video and photo collage posted by a Ginza crew member to Instagram, with a location sticker that read “Iran.”

Source: Instagram

Note: Faces have been blurred to protect the poster’s anonymity.

The U.S. Treasury official told The Times that in the case of Russian crude, if a U.S. entity learns that it is providing cover to price-cap evaders, coverage must be dropped.

Earlier this year, the American Club removed at least 15 vessels owned by an India-based company from its website, according to a report by Lloyd’s List. The company, Gatik Ship Management, owns a fleet of 50 newly acquired tankers dedicated to the Russian oil trade, the report said. The American Club declined to explain its reasoning for the decision to The Times.

Check Also

America is Losing the Race to Protect a Key Resource: Time

America is Losing the Race to Protect a Key Resource: Time

The United States and China are locked in a new race, in space and on …

Leave a Reply