[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-usuG9B03_MYi7PMwQxV45ePUOqRQbuwrQpDBB1P85o":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":31},"1a4dac16-f281-462f-b0d5-f23d544a7bc7","Cyber-Enabled Maritime Sanctions Evasion","cyber-enabled-maritime-sanctions-evasion-031fd9","Discover how Iranian and Russian shadow fleets use a vast network of fake maritime websites and fraudulent documents to evade international sanctions","Iranian and Russian shadow fleets are employing a network of over 36 inauthentic websites to evade international sanctions. These sites impersonate legitimate maritime organizations to generate fraudulent documents and certificates, complicating compliance and enforcement efforts. The activity is organized into three clusters, suggesting a service-provider model for reusable digital infrastructure.","Iranian and Russian shadow fleets use fake websites to evade sanctions.","Cyber-Enabled Maritime Sanctions Evasion Executive Summary Iranian and Russian shadow fleet vessels, along with multiple sanctions evasion networks (SENs), are using online infrastructure likely designed to facilitate sanctions evasion. The infrastructure consists of inauthentic websites impersonating ship registries, national maritime administrations, seafarer training and certification organizations, protection and indemnity (P&I) clubs, and ship classification societies, effectively replicating key layers of the maritime compliance stack. The websites are likely being used to circumvent maritime compliance mechanisms by generating and corroborating false documents and certificates. 
The online infrastructure is consistent with a service-provider model in which threat actors offer reusable digital infrastructure, documentation, and identities, rather than operating as centrally coordinated, country-specific networks. Three identified clusters of online activity (designated as Alpha, Bravo, and Charlie for the purposes of this report) have several technical overlaps, suggesting these clusters may form a broader, loosely connected ecosystem of online infrastructure supporting multiple SENs. This activity also aligns with prior reporting by Bellingcat and Lloyd’s List and demonstrates potential links between the two reports across these three clusters. This infrastructure blends established sanctions evasion practices, such as exploiting weak jurisdictional oversight in under-resourced jurisdictions to conduct fraudulent ship flag registrations, with increasingly cyber-enabled tactics such as automated document generation and layered infrastructure to produce fraudulent documents and credible front companies, complicating detection and enforcement. Cyber-enabled SENs almost certainly undermine sanctions compliance mechanisms by developing credible but fraudulent maritime organizations, increasing the risk of due diligence failures and regulatory exposure. Organizations in the maritime and shipping sectors should integrate independent verification and cyber threat intelligence into compliance workflows to proactively identify fraudulent online infrastructure. Governments whose authorities are regularly impersonated by SENs and associated service providers should prioritize coordinated identification and disruption of fraudulent infrastructure, particularly where threat actors claim multi-jurisdictional legitimacy. Key Findings SENs tied to the Iranian and Russian shadow fleets are likely using over 36 inauthentic websites in three distinct clusters. 
Insikt Group identified explicit connections between these websites and seventeen vessels, the majority of which have already been sanctioned by the United States (US) Department of the Treasury (USDT)’s Office of Foreign Assets Control (OFAC) and by other countries. Inauthentic websites identified as part of these clusters routinely impersonate national maritime administrations and ship registries from countries such as the Comoros and Benin, as well as Bhutan, Cameroon, Chad, Equatorial Guinea, Gambia, Haiti, Malawi, Nicaragua, and Zambia. Other websites also aim to establish fictional ship classification societies as credible registered organizations (ROs), in addition to several websites acting as fictional seafarer training and certification organizations and P&I clubs. One website impersonates the Benin Maritime Administration and provides a self-service tool to generate fraudulent seafarer documents from the governments of Benin, the Comoros, and Nicaragua. Attribution is available for at least two of the clusters documented in this report. Cluster Alpha is likely to have been at least partially developed by an Indian web development company, Oceaniek Technologies. Cluster Bravo is linked to two Syrian nationals, one of whom has previous involvement in illicit activity. Cluster Charlie remains unattributed, although it shares technical and design characteristics with Cluster Bravo. Background Three partially overlapping clusters of online infrastructure are likely being used by both the Iranian and Russian shadow fleets to evade sanctions (Figure 1). The three clusters (designated Alpha, Bravo, and Charlie) are connected through shared infrastructure, consistent domain registration patterns, and recurring operational security (OPSEC) mistakes. 
The activity described in this report also overlaps with two previously unconnected activity clusters described by Bellingcat and Lloyd’s List: the first tied to Indian web development company Oceaniek Technologies, and the second to a cluster of fraudulent ship registries centered around the domain marinegov[.]net. This activity also aligns with prior reporting from independent researcher Christian Panton, who collaborated with both Bellingcat and Lloyd’s List. Unlike traditional intrusion sets, these websites enabling maritime fraud and sanctions evasion form a complex network involving front companies, individuals, and vessels. However, Insikt Group has established initial attribution of one of the clusters to two Syrian nationals, with one individual having a record of previous involvement in illicit activities. Figure 1: Clusters identified by Insikt Group (Source: Recorded Future) Summary of Tactics, Techniques, and Procedures (TTPs) The online activity investigated in this report uses TTPs that likely reflect efforts by highly adaptive service providers and SENs to improve their flexibility and resilience following international sanctions and other enforcement actions. Overlapping and notable TTPs observed across these clusters include the following: Exploiting weak jurisdictional oversight: Networks consistently target countries with weaker maritime oversight to conduct flag fraud. Inauthentic websites flagged by Insikt Group in this report have repeatedly impersonated the governments of the Comoros and Benin, as well as those of Bhutan, Cameroon, Chad, Equatorial Guinea, Gambia, Haiti, Malawi, Nicaragua, and Zambia. Fraudulent ROs often claimed to be associated with multiple jurisdictions at once to build credibility and complicate enforcement. Typosquatting and identity spoofing: Inauthentic websites from all three clusters typosquat or impersonate legitimate national maritime administrations and ship registries to appear credible. 
Impersonation attempts also included reusing document templates from legitimate ship registries and impersonating specific staff email addresses (Cluster Alpha), or stealing visuals from maritime technology companies (Cluster Bravo). Automated document forgery: Cluster Alpha contained a self-service seafarer certificate generation tool to produce PDF documents and QR codes, impersonating documents from three jurisdictions. QR codes very likely facilitate the presentation and verification of documents during inspections to circumvent enforcement. Building social media brands: Cluster Bravo websites posing as ship classification societies set up social media accounts on mainstream platforms with consistent brand identities, likely to establish themselves as credible and legitimate organizations. Mutual endorsements: Cluster Charlie uses websites posing as national maritime administrations and ship registries to certify other websites within the same cluster, which in turn pose as classification societies and official ROs. The supposed ROs also link to each other as “partners” and link back to the purported ship registries for validation. This creates a mutual endorsement and validation loop designed to build credibility and manipulate search engines. Initial Investigation Based on reporting by Lloyd’s List on the Iranian shadow fleet, Insikt Group identified several inauthentic websites claiming to be administrators of Beninese flags and impersonating the Benin Maritime Administration (beninmaritime[.]org, beninmaritime[.]co, beninmaritime[.]net), not included in Lloyd’s original investigation. 
Research on ","https:\u002F\u002Fbit.ly\u002F4e4qKMf","https:\u002F\u002Fwww.recordedfuture.com\u002Fresearch\u002Fmedia_12cb79eec13b6af7520af3c1ae6768c0f4b25e945.gif?width=1200&#x26;format=pjpg&#x26;optimize=medium","2026-06-12T18:24:12+00:00","2026-06-12T19:00:14.901+00:00",7,[18,21,23],{"name":19,"type":20},"Iranian shadow fleet","threat_actor",{"name":22,"type":20},"Russian shadow fleet",{"name":24,"type":25},"Oceaniek Technologies","vendor","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":26,"icon":28,"name":29,"slug":30},null,"Nation-state","nation-state",[32,34,39],{"category":33},{"id":26,"icon":28,"name":29,"slug":30},{"category":35},{"id":36,"icon":28,"name":37,"slug":38},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":40},{"id":41,"icon":28,"name":42,"slug":43},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]