6 Tips For Investigating Maritime Vessels

7 min readApr 12, 2021

Monitoring ships and OSINT sources for anomalous patterns may lead you to vessels that are violating sanctions, smuggling drugs, trafficking humans, performing navy maneuvers, and engaging in illegal fishing. Understanding the pattern of life within maritime activity will enrich your data collection and overall investigation.

It can be tricky to determine what vessels deserve a deeper look without having experienced consistent monitoring of vessel traffic. I have compiled a few key activities that may help you narrow down your search.

Monitor reflagging of vessels


Reflagging is when a vessel changes its flag from its home country to the flag of another country. There are good reasons for reflagging a ship like resale to another region or shifting to a “flag of convenience.”

Cruise ships sail under a flag of convenience for cheaper labor, fewer taxes, and fewer restrictions

A flag of convenience is when a ship uses a flag to exploit a country’s legal loopholes to escape sanctions and make it difficult to trace a vessels’ ownership. Reasons to hide ownership include smuggling, espionage or covert government work, illegal fishing, or shipbreaking. Shipbreaking is the act of scrapping and stripping ships of parts and raw materials. After being stripped, the concern becomes the environmental issues created through toxic materials leaking from the vessel. If the owner is known, they are held liable for any issues so they often reflag to avoid traceback and reduce costs.

If you note that a ship is reflagging often and switching to countries like Panama or Malta it may be an indication of an attempt to hide ownership.

Watch for A divergence from normal tracks

For the most part, vessels sail to make money. Moving cargo, fishing, transporting oil… when a vessel suddenly makes a change in its destination that disregards economical gain then it is worth investigating. These route changes could be the result of a legitimate event, but if a ship has a known pattern of traveling from China to Argentina and then heads off course to Iran, that is an indication to look deeper.

If investigating this ship reveals other suspicious criteria it is worthwhile to continue to track it while adding OSINT tools to cast a wider net. Unfortunately, historical tracks are pretty hard to come by for free. If you need to track a ship historically, it would be worthwhile to purchase access through a site like Marine Traffic. Alternatively, it is possible to track ships in their current position and then manually monitor them daily for changes, meetings, or port calls.

Keep an eye on strange or dark AIS activity


Most vessels are equipped with AIS (Automatic Identification Systems), these systems track speed, position, and course and are used for things like tracking, rescue, and prevent collisions.

AIS didn’t seem to help the Ivy Alliance and the Rich Rainbow when they collided 4/9/2020

For ships over 300 GT in weight, AIS is required by the International Maritime Organization. Even though AIS is implemented for safety, there are ways to log into the system and turn it off. Navy vessels may turn it off to hide a mission or a meeting, fishing vessels may turn it off to hide illegal fishing, Smugglers may want to hide when they go off course to transfer a shipment. Additionally, AIS can be manipulated to falsify speed and position. Luckily, AIS activity is easy to track in real-time on sites like Marine Traffic where you have the ability to see inclusive vessel movements. The downside is that if you want historical AIS data you will most likely have to pay for access.

Take note of meetings


Vessels often participate in “transshipment” activity where refrigerated cargo vessels meet up with smaller fishing boats at sea to refuel, unload product and transfer crew. Sometimes vessels meet up for more nefarious purposes that they attempt to obscure as a transshipment like smuggling thousands of pounds of drugs. Taking note of meetings may help to determine whether illegal activity may be taking place. A meeting alone does not equal criminal activity but perhaps a vessel that has shut off off their AIS and then met with another ship out in international waters could be. These meetings can be tracked through historical AIS data which is usually held behind a paywall on sites like Marine Traffic or Vessel Finder. If you don’t want to pay for a service, a good place to find ship meetings is following people on twitter who do track ships on their own pay services and post updates. This method is great if you are tracking more high profile ships from heavily sanctioned countries.

Check on weight changes


Weight is indicated by draft (draught) on a ship which is the vertical measurement from waterline to hull. Draft can indicate the weight of the cargo by how low the hull sinks when it is filled. If we know the normal draft for the vessel and shipment and then suddenly see a change in draft after meeting with a fishing vessel we would want to know why. A sudden change in draft could signify that cargo has been removed from the vessel. Matching this up with other indicators such as dark AIS activity, meetings, reflagging, and/or divergence of normal patterns can help to verify clandestine activity. I have had decent luck finding these numbers for free on Fleetmon. You can see below the min draught is 5.0 and the max is 9.8 and the current reported is 8.1. This tells me that this cargo ship is near max capacity and if it suddenly dropped to 5.0 in the middle of the ocean I would be concerned.

Min/Max/ and Avg Draught

Another potential way to monitor cargo is through ship spotting photographs. Ships are often photographed entering and exiting ports and we are sometimes able to determine whether the cargo matches what is being reported. A good site to use for this is Shipspotting.com but you can also find these types of photos through Marine Traffic and other vessel tracking sites.


Look for frequent name or MMSI changes

The Maritime Mobile Security Identity (MMSI) is a 9-digit number assigned to the vessel’s AIS unit. It is kind of like a cell phone number for the AIS and once assigned it is sent to the Coast Guard distress database for emergencies. If a ship reflags its MMSI must change to match the 3 Maritime Identification Digits assigned regionally.

Because AIS is a self-reporting system, it is prone to the reporting of incorrect information or “spoofing”. Chinese vessels have been known to report the first three digits of the country code followed by 6 zeros (412000000). This practice leaves several ships in the ocean sailing with the same MMSI number making them very hard to track. You can see in this picture below how two separate ships (in red) look like they jump impossibly back and forth all over the sea as a single ship (in green).


When this spoofing activity is paired with additional intelligence and other anomalous behaviors we can narrow down what is really going on. Criminals are not the only ones who spoof MMSI numbers as we can see in this thread by

about the HMCS Toronto (unsuccessfully) spoofing an MMSI of 999999999.


This same thread gives a great example of how a ship may adjust the ship-type on AIS to pretend it is a cargo ship versus advertising itself as a warship.


The key takeaway here is that while tracking ship activity it is a best practice to ask a few questions:

  1. What is the normal pattern of life is for the vessel?
  2. Does anything appear out of character for the voyages?
  3. Does the true identity of the ship match what they are advertising?
  4. Have they had any meetups and is the cargo lighter or heavier afterward?

The answers to these questions paired with additional intelligence such as corporate reconnaissance can help you create a great profile on your target vessels.




@wondersmith_rae | OSINT Analyst | @OSINTCurious Advisory Board | @QuizTime | http://Tracelabs.org | http://safeescape.org | Speaker and @Wiley Author