Oil laundering at sea: defeating Russia’s shadow fleet in the Mediterranean

Analysis: We must strengthen our collective OSINT capacity to track illicit Russian oil shipments and prevent them


Banner: People on a pier look at the stern of the Russian tanker Volgoneft 139 at Russia’s southern port of Kavkaz, November 16, 2007. (Source: Reuters/Alexander Natruskin)

When Russia dramatically escalated its war against Ukraine in 2022, the West responded with new sanctions meant to minimize the war’s global economic impact and discourage Moscow from continuing the conflict. But these regulations did not stop the illicit Russian oil trade, which continues to this day through a fleet of shadow ships.

Russian oil movements at sea proved to be convoluted, sophisticated, and well organized enough to partially outcompete the current Western sanctions regime. Authorities in the United Kingdom and European Union have been essentially unable to stop it, or even slow it down appreciably.

The overarching idea behind the Russian maneuvers is not difficult to understand: the oil is laundered through multiple transshipments between different vessels at sea. One notable example was exposed by the BBC in early 2024, when Russian crude oil was reportedly sold to third-party refineries and then re-sold to the UK market. This clever scheme is not the only ruse in the Russian inventory, and it is a common economic operational tactic employed by other sanctioned state actors including Iran, Venezuela, and North Korea. The objective is to move the oil in such a way as to disguise its origin, its price, and the way in which it was acquired, moved, and sold.

How is this Russian ‘shadow fleet’ moving oil and how can it be stopped? Part of the answer involves strengthening the ability of open-source intelligence (OSINT) to track these ships as a complement to secret intelligence, maritime authorities, due-diligence firms, and related entities.

The constitution of the shadow fleet and its tradecraft

A few months after the full-scale invasion of Ukraine in February 2022, Russia assembled a fleet of aging tankers for the purpose of maintaining its oil trade in the face of international sanctions. The media dubbed it a ‘shadow fleet,’ a loose term identifying a vague set of ships, operators, and management companies related to Russia whose operations are purposefully hard to scrutinize. These old tankers were already active in the first weeks after the full-scale assault on Ukraine, reportedly carrying “around 1.4 million crude oil barrels per day (M-BPD) each month post-invasion (March 2022-April 2024).” The number of ships in the so-called shadow fleet can vary, but estimates range from 400 to 1200 or more. This is a significant number, considering that the UN Panel of Experts on North Korea reported that only a dozen foreign tankers were involved in the illicit movement of oil in the East China Sea in 2023, including the now famous UNICA (IMO: 8514306). The fleet’s staggering size makes it very hard for insurance companies, due-diligence professionals, national intelligence agencies, and open-source intelligence analysts to disentangle what is a very intricate web of criminal operations in the middle of the sea.

Tracking illicit movements of goods at sea is an analytic specialty that requires a significant capacity in terms of data acquisition, collection, and analysis. It also requires highly specific methodologies, such as the Methodology for Analyzing Russian Oil Naval Exchanges (MARINE) scheme, which we recently described in a conference paper. Tracking these illegal activities requires an all-source intelligence approach. The good news is that under appropriate circumstances and with teamwork, sanctions evasion can be detected and stopped.  

However, this game is still ongoing and shows no sign of stopping soon. For instance, it has been pursued near Malta and Ceuta among many others. The strategic selection of these areas suggests a clear understanding of how to maximize ship-to-ship (STS) operations. Indeed, the authors recently discovered that Russia is using the Mediterranean Sea and the Black Sea as quiet lakes on which to move its oil, much of it under strict sanctions from the Western countries. The movement of oil at sea is based on multiple transshipments between tankers, reshuffling the oil and making it challenging to track its provenance and price. Current sanctions put a cap on the price of Russian oil at $60 a barrel; to say whether or not this policy is working requires government and other specialists to know where and for how much Russian oil is sold.

Supply and demand: The circular economics of illicit oil

Although the movement of oil is across multiple regions of the world—starting in Russia, passing through India or other intermediary countries, and even reaching back into some Western countries—it is mainly concentrated in parts of the Mediterranean Sea. There are at least five different areas in the Mediterranean where Russia moves petroleum products, including the Laconian Gulf (near Greece, though now perhaps deterred by the Hellenic Navy), off the Egyptian coast not far from the Suez Canal, Ceuta (an autonomous Spanish city near the Strait of Gibraltar), Hurd’s Bank (near Malta), and Constanța, outside Romanian territorial waters. Analysts claim that these areas are not the only ones in the Mediterranean where these activities take place, although they remain among the most important, and there are many more areas in the Black Sea. To track the illicit traffic of oil at sea is a complex operation across multiple analytic layers: the ships, the oil, the companies, the money, and awareness of the sanctions regime and the overall geopolitical environment. Only by understanding the interaction between these layers can analysts identify sanctions evasion and differentiate it from legal maritime traffic.

Russia needs to move oil; other nations are interested in acquiring it. These are the most important conditions for a massive black market for Russian oil. Regulators have long tried to prevent this market from operating, with little success. Western governments are long overdue in realizing that rules and regulations do not imply compliance and that without law enforcement, rules are merely aspirational. Lack of strict sanctions enforcement is quite possibly what allowed Russia to assemble a new shadow fleet of vessels for transporting liquefied natural gas, complementing its shadow fleet of oil tankers. Fortunately, Western policymakers have multiple ways in which to respond—but they require sufficient will to act consistently and in a united fashion.

Russia’s game is extremely clever, having proven to work for more than two years, and it will keep going and expanding until they are stopped. The workflow must be organized at the very top of the Russian governmental hierarchy and by the best brains left in Russia, which is historically strong in science, technology, engineering, mathematics, and intelligence. Acquiring a fleet of several hundred tankers takes an incredible amount of work, economic resources, and political will. According to an estimate made by the United Nations Conference on Trade and Development (UNCTAD), the cost of a 40000 DWT tanker was estimated at $42 million in 2006. Even before accounting for inflation, this provides a crude assessment of the shadow fleet’s acquisition and maintenance costs, which must run far into the hundreds of billions of dollars. This sum is only justifiable because of the political importance of the overall operation.

Ships, management, and maritime domain intricacies – the jungle at sea

Shipping is complicated. Ships need a crew, a captain, insurance, registration under a nation’s flag, logistical support, ownership, administrative management, technical managers, and multiple other technical arrangements. It is easier to operate a fleet under a single ownership and management company, but if the entities involved are caught in any illegal activities, the entire criminal organization falls apart. North Korea learned this hard lesson after the fall of Ocean Maritime Management.

Today’s ruses are much more complex: a segmentation of the tankers’ ownership and management through a myriad of companies, flag states, and shell companies, with a multitude of different stakeholders to the point of having no more than one or two tankers per company, in a shadow fleet of hundreds. This scheme decreases the losses and overall impact in case any single ship gets exposed (e.g., if the ownership is divided amongst three shareholders with 49%, 49% and 2% ownership, then if one vessel gets sanctioned, more than 50% of the ship’s ownership is still unsanctioned, thus saving the vessel from being fully stopped). Another way is to acquire foreign-flagged tankers to be used as shadow ships; a ship is always registered within the jurisdiction of a recognized state (the flag state). The ship must abide by international law and by the regulations of the flag state, which enforces its regulations. “Weak flags” (that is, flags belonging to states without resources for law enforcement or with high levels of corruption) offer a high likelihood of impunity and the ability to circumvent checks from maritime authorities. However, managing a jungle of companies, actors, and shadow ships is not bureaucratically or logistically ideal, offering myriad opportunities for mistakes that can be effectively tracked and exploited. Compounding the difficulty of running a shadow fleet, conscientious flag states such as Panama and the United Kingdom are starting to crack down on vessels using their flag to cover illegal or sanction-evasion activities.

Taking care of a single ship is already difficult enough, let alone the estimated 400 to 1200 vessels in the shadow fleet. This enterprise requires hundreds of experts and maritime workers. In fact, even under the assumption that the owners and managers are not careful about following international regulations for navigation security at sea, such as the International Convention for the Prevention of Pollution (MARPOL) and the International Convention for Safety of Life at Sea (SOLAS), they still need to ensure some minimal level of safety for their businesses. This has not been enough to prevent some ships from being lost because of their age, lack of maintenance, or insufficient security measures. Even so, evidence suggests that the shadow fleet is still capable of moving millions of dollars of oil products each day. We do not yet know the size of the ‘jungle’ beneath the shadow fleet, but it must be significant to support hundreds of STS transfers across the Mediterranean Sea.

This is not a simple criminal endeavor; enormous time and expertise were required to set it up, along with the cooperation of owners, managers, and captains. The establishment and operation of the shadow fleet began too quickly after the full-scale invasion of Ukraine for it to be a coincidence. It is highly likely that Moscow laid the groundwork for this fleet in anticipation of Western sanctions.

How the scheme works: understanding the dynamics of oil laundering at sea

The “static” dimension of the shadow fleet—i.e., the human, logistical, and administrative assets required to maintain it—is significant on its own merit. The “dynamic” dimension—i.e., all the actions that need to be undertaken for the success of the operation—is at least as massive, if not even more significant.

First, two companies, one buyer and one seller, must agree on the trade of oil. They have to organize the trade and agree on a price for a given quantity of oil (which, according to the sanctions, cannot go beyond the threshold of $60 per barrel for crude oil). A transaction has to be arranged but only after the exchange is done at sea, because for technical reasons the real amount of oil is known only after the exchange is actually done. The exchange must happen at sea to obscure the origin of the oil. Once the two parties agree, they must organize one or more STS transfers in the middle of the sea. To do that, they need to know many details in advance such as the place and time of the meeting(s), the speed to maintain in order to arrive at the STS transfer window(s), and how long the transfer(s) will take. Hence, they have to agree on a common plan and schedule for the whole workflow, and this has to be recorded by both companies. It is a complicated business, which requires care and specific seamanship to be done in a sufficiently safe manner. Finally, once the exchange of oil is completed, the ship that is transporting the oil has to know what to do next: where should it go for another transshipment or to discharge its cargo? The system is multilayered with some ships involved in multiple STS transfers at sea without ever going into port; these vessels are used only to redistribute the cargo to other ships and so launder the oil.

Countering this entire operation requires resources, expertise, regulations, enforcers, and significant political will. A series of measures could support the authorities (e.g. due-diligence checks by law enforcement and international organizations) as they perform their complicated work. Monitoring and analysis should therefore start with the ships, since they move the oil and are clearly identifiable. Once the ships are known, they need to be tracked for an extended period of time. Their management must be scrutinized along with a check on the transactions intended to ascertain the price of the crude oil. This work requires multiple, distinctive kinds of analyses, which include the ships’ activities, their network and management, and price checks.

An all-source intelligence approach is optimal, because it can merge data from ship trackers, port authorities’ documents, corporate data on management companies, and the like. However, even nailing down a single ship is intensive work because it must be proven beyond doubt that the ship and its management are systematically breaking the law. This can be very challenging considering the opacity of the trade: it involves multiple deceptive tactics, from physical disguises to a convoluted ecosystem of companies. No matter how thorough and compelling the analytical process might be, this alone will not stop the traffic. Instead, a series of measures is required to facilitate the work of banks, due-diligence firms, investigators, maritime authorities, and law enforcement operators.

Recommendations for decisionmakers, authorities, and law enforcers

We offer several recommendations on ways to combat illicit trade in Russian oil, which can also apply to other similar criminal maritime activities around the globe. First, we need better cooperation at the intersection of open-source and secret intelligence and between investigators and the private sector.  The shadow fleet is probably the single most expansive operation of its kind in history; only an ecosystem composed of many actors can nail down all the aspects of this complicated business.

Secret intelligence and OSINT work in different ways but they are weaker when employed alone. Secret intelligence can use the leverage of state security agencies while OSINT can shape common awareness, public debate, and, ultimately, the political agenda. Moreover, OSINT is an informational-enabler that gives power to due-diligence firms and private institutions—even individuals unaffiliated with any official or unofficial organization—so that they can also cooperate in their checks and investigations. Creating an intelligence ecosystem that more fully integrates secret and open-source intelligence should be a priority of Western nations; this includes establishing appropriate means of information sharing between actors practicing the two disciplines.

This is exemplified by UK intelligence, which releases regular briefings on the war in Ukraine, proving that there are channels through which the information can flow. Specific arrangements can be put in place to facilitate stronger processes for accountability and transparency. Our remaining recommendations expand upon this renewed appreciation for a more integrated relationship between open and secret intelligence.

Second, an internationally disclosed list of ships should be shared through appropriate means, such as an open-source, dedicated international website for investigators to identify grey and black vessels with a unified categorization scheme, nomenclature, and reference to international law. Ontologies for investigators such as Follow The Money and websites such as OpenSanctions and RUSI-DPRK Reports Database demonstrate precedent for such a site; Ukrainian institutions also recently published a website to facilitate the monitoring of sanctioned goods into Russia’s war machine. Moreover, maritime authorities can update such a list with the names of owners, managers, technical operators, and captains proven to be involved in the shadow fleet operation. Disclosing information or helping international institutions should be rewarded.

Third, a far better monitoring system can be devised by Western navies. An early-warning system could monitor the listed ships through different means and send an alert when they move to and from ports, perhaps using an automatic message to a mailing list. This alert should be fully open source so that investigators do not lose time waiting for official paperwork and can immediately follow the vessels with appropriate means, such as satellite imagery or Automatic Identification System (AIS) monitoring. AIS is a SOLAS-mandated maritime situational awareness system whereby ships continuously broadcast their position, speed, bearing, course, and other voyage-related information, allowing maritime authorities, ports, and other ships in the area to be aware of their presence. These transmissions are generally recorded by terrestrial and satellite receivers, and stored in databases that allow authorities and analysts to follow a ship’s entire voyage in near-real time. However, given illicit deception tactics such as identification laundering, AIS spoofing, or just going dark by turning off a ship’s AIS transceiver, AIS data alone is not always sufficient for tracking illicit vessels. For that reason, satellite imagery and records of maritime radio traffic can be used to ascertain if the AIS is reliable or where the ship is located during periods of spoofing or darkness. Such ventures can be supported by the development of algorithms and artificial intelligence tools which can help in identifying ships from remote sensing networks, and sending alerts on suspicious alterations of AIS ship movements and the like.
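The kind of checks such an early-warning system could run over stored AIS position reports, as an added example that is not part of the original article: it flags dark periods, implausible position jumps, and two slow vessels lying alongside each other (a possible STS transfer). The thresholds, MMSIs, positions and times are constructed assumptions, and the STS check assumes both tracks were resampled to common timestamps.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Thresholds are illustrative assumptions, not values from the article.
MAX_GAP = timedelta(hours=6)           # longer silence counts as "dark"
MAX_TANKER_KN = 20.0                   # implied speed above this is implausible
STS_RANGE_NM = 0.3                     # two hulls this close,
STS_MAX_SOG_KN = 1.0                   # both nearly stationary,
STS_MIN_DURATION = timedelta(hours=3)  # for at least this long

@dataclass(frozen=True)
class Report:
    mmsi: str
    ts: datetime
    lat: float
    lon: float
    sog: float  # speed over ground, knots

def distance_nm(a, b):
    """Great-circle (haversine) distance in nautical miles."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 3440.065 * asin(sqrt(h))

def track_anomalies(track):
    """Flag dark periods and implausible position jumps in one time-ordered track."""
    alerts = []
    for prev, cur in zip(track, track[1:]):
        elapsed = cur.ts - prev.ts
        hours = elapsed.total_seconds() / 3600
        if elapsed > MAX_GAP:
            alerts.append(("dark", cur.mmsi, prev.ts, cur.ts))
        if hours > 0 and distance_nm(prev, cur) / hours > MAX_TANKER_KN:
            alerts.append(("jump", cur.mmsi, prev.ts, cur.ts))
    return alerts

def sts_candidates(track_a, track_b):
    """Windows where two vessels lie alongside each other, nearly stopped.
    Assumes both tracks were resampled to the same timestamps."""
    by_ts = {r.ts: r for r in track_b}
    windows, start, last = [], None, None
    for a in track_a + [None]:  # trailing None closes a window still open at the end
        b = by_ts.get(a.ts) if a else None
        close = (b is not None and max(a.sog, b.sog) <= STS_MAX_SOG_KN
                 and distance_nm(a, b) <= STS_RANGE_NM)
        if close:
            start, last = start or a.ts, a.ts
        elif start:
            if last - start >= STS_MIN_DURATION:
                windows.append((start, last))
            start = None
    return windows

# Constructed sample data: MMSIs, positions and times are invented for the example.
T0 = datetime(2024, 1, 1)
def rep(mmsi, hour, lat, lon, sog):
    return Report(mmsi, T0 + timedelta(hours=hour), lat, lon, sog)

TRACK_A = [rep("999000001", 0, 35.50, 14.00, 10.0),
           rep("999000001", 1, 35.60, 14.20, 10.0),   # then silent for 9 hours
           *[rep("999000001", h, 35.90, 14.80, 0.2) for h in range(10, 15)],
           rep("999000001", 15, 37.50, 17.00, 12.0)]  # roughly 143 nm in one hour
TRACK_B = [rep("999000002", 9, 35.95, 14.85, 5.0),
           *[rep("999000002", h, 35.901, 14.801, 0.3) for h in range(10, 15)]]

if __name__ == "__main__":
    for alert in track_anomalies(TRACK_A) + track_anomalies(TRACK_B):
        print(alert)
    print("STS candidates:", sts_candidates(TRACK_A, TRACK_B))
```

A flag from any of these checks is only a cue to look at satellite imagery or radio records for the same window, since AIS data alone cannot confirm what happened.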

There are several ways to leverage less high-tech tools and community practices, too. A newsletter alert could be another means of spreading knowledge within the community. At the same time, a coalition of state-actors and institutions should be formed for systematic monitoring of activities in the Mediterranean and Black Seas. It is also possible to exploit the technicalities of STS operations. Since STS transfers require careful logistical planning, careful scrutiny of the books and signed agreements between companies governing the conduct of the operation can expose important details. A proactive study could be conducted to identify possible locations for illicit operations at sea as there are geographic areas that are more appealing than others depending on the position of territorial waters and international waters, currents, and average wavelength. Not all geographic areas are equally suitable for this business so using data from past and present operations can help predict additional spots where future activities might take place. Mapping these areas and proactively sharing the cartographic findings through open-source platforms and systems could save time and allow for early warning.

Once the specific areas where the shadow fleet operates in the Mediterranean Sea and Black Sea are known, national and international authorities could coordinate a system of patrols with airplanes, unmanned aerial vehicles (UAV, aka drones), and coast guard or military vessels. Similar patrols are already in place in the East China Sea for monitoring DPRK sanctions evasion activities; they can be easily replicated in the Mediterranean. The cheapest and most effective solution would be the systematic employment of sea drones, such as those used by Ukraine in the Black Sea, for intelligence and reconnaissance operations. Recently, the US Navy has been experimenting with new undersea unmanned vessels (UUV), and these kinds of operations could be the ideal test case. The US Navy has already proven the concept by employing a drone to follow the Russian cargo ship SPARTA IV. In addition, even the known presence of drones would put pressure on the crews and captains of the ships, forcing them to operate under the constant threat of being followed, tracked, and identified. In fact, the shadow fleet still needs to operate in a relatively quiet and undisclosed way to be protected against the intrusion of investigators and international authorities. More direct interventions by military vessels sent to the areas have already proved effective, as the ‘closure’ of the Laconian Gulf hub has already demonstrated. Finally, the ships officially listed as part of the shadow fleet or black fleet should be simply banned from entering the territorial waters and exclusive economic zones of all the countries that are sanctions-compliant.

Fourth, bureaucratic, administrative, and ‘paper’ hurdles could be judiciously employed to slow criminal behavior. The first step could be to change the legal status of oil products to equate them with ‘dual-use’ technologies. This would mean that anybody involved in the movement of that oil would have the duty to be informed about the end-user and its reliability, reputation, and overall compliance with the sanctions regime. A similar approach was partially responsible for the discovery of the major illicit actors in the black oil market in East Asia.

Once owners and managers are required to know all of their customers up to the end of the chain, their liability and accountability are increased. Because all STS operations have to be pre-planned and the operation has to be coordinated between the two captains, authorities should be able to request and check the documents of such operations, and scrutinize them with care once the ships come to port or are boarded for inspection. Indeed, captains who knowingly engage in such illegal operations should have their Master’s credentials revoked or suspended. The international coalition could also put in place further oversight requirements for any ships on the blacklist, so that they receive special scrutiny when they enter any port including, when appropriate, a complete analysis of the captains’ books. As the captains are responsible for the ships, authorities could interview them formally or informally as a complement to what is registered in the STS planner and captains’ logs. When necessary, the crew could also be interviewed.

These steps could materially impact the operation of the shadow fleet including illicit operations in the Mediterranean Sea generally and sanctions evasion globally. Creating a full listing system; establishing a structured taxonomy; open information-sharing through newsletter alerts and websites; developing an early warning system; deploying patrols, UUVs, UAVs, or other similar systems; increasing bureaucratic scrutiny on multiple levels; and fostering a far more integrated, better intelligence ecosystem all seem to be reasonable and feasible steps. In fact, any one of these steps would significantly hamper the shadow fleet’s overall scheme. For once, the question is not about how to do the job, how much it costs, or how feasible it is, but about the political will of the West to meaningfully enforce its laws and back up its stated intentions.

Dr. Giangiuseppe Pili is an Assistant Professor at the Intelligence Analysis Program, James Madison University. He is a Senior Associate Fellow with NATO Defence College and an Associate Fellow with the Proliferation and Nuclear Policy research group at RUSI. He can be contacted at piligx@jmu.edu.

Dr. Gary C. Kessler is a Non-Resident Senior Fellow at the Atlantic Council and independent consultant/researcher in the maritime cybersecurity space. He is co-author of Maritime Cybersecurity: A Guide for Leaders and Managers, 2/e and a co-founder/director of the Maritime Hacking Village. He can be contacted at gkessler@atlanticcouncil.org or gck@garykessler.net.

Alessio Armenzoni is Associate Fellow at the London-based Open Source Centre. He studied at the Centre for Higher Defense Studies (CASD) of the Italian MoD. He can be contacted at alessio@opensourcecentre.org.

Cite this case study:

Dr. Giangiuseppe Pili, Dr. Gary C. Kessler, and Alessio Armenzoni, “Oil laundering at sea: defeating Russia’s shadow fleet in the Mediterranean,” Digital Forensic Research Lab (DFRLab), December 20, 2024, https://dfrlab.org/2024/12/20/oil-laundering-russia-osint/.