AIS Exploitation: When the System Designed for Safety Becomes a Weapon

Maritime Cyber Threat Briefing #2

AIS was designed for safety. It was never designed for security. In today’s threat environment, that gap is being exploited for surveillance, sanctions evasion, and potentially targeting. In this second “Maritime Cyber Threat Briefing”, I examine how AIS exploitation is evolving in the context of the Iran conflict and what operators need to change now.

The Automatic Identification System was built to improve safety at sea. Under SOLAS, it gives ships, ports, and coastal authorities real-time visibility of vessel identity, position, speed, and course. For collision avoidance and search and rescue, it remains essential.

But AIS was never designed to be secure. It was built for visibility, not trust. And in today’s threat environment, that design choice is being exploited for surveillance, deception, compliance evasion, and potentially targeting.

AIS exploitation now operates on two distinct but related axes:

  1. the use of AIS data as adversarial intelligence to support targeting
  2. the manipulation of AIS signals to deceive vessels, authorities, and commercial counterparties

Both are accelerating. The Iran conflict that escalated on February 28, 2026 has pushed both dynamics to a scale and intensity rarely seen in commercial shipping.


How AIS Works — and Why It Is Vulnerable

AIS became mandatory for vessels over 300 gross tons on international voyages under the SOLAS convention in 2004, requiring continuous broadcast of vessel identity, position, speed, and destination over VHF radio frequencies. The original purpose was safety, collision avoidance, search and rescue, and traffic management.

The system’s vulnerability is structural. AIS data is not encrypted or authenticated, making manipulation relatively straightforward for those with the technical capability and intent. The openness that makes AIS effective for safety is precisely what makes it exploitable. Any actor with appropriate equipment can receive, read, and in certain scenarios manipulate AIS transmissions. The system was built for transparency. It has no mechanism to verify that what it broadcasts is true.
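The structural point above, shown on a single position report. This is an added example, not code from the original briefing; the sentence is a sample widely used in public AIS decoding documentation, and the function names are illustrative. The only integrity field a receiver can check is the NMEA XOR checksum, and every decoded field is self-declared by the sender.

```python
from functools import reduce

# Sample AIVDM sentence from public AIS decoding documentation (not from this article).
SAMPLE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"

def checksum_ok(sentence: str) -> bool:
    """NMEA checksum: XOR of every character between '!' and '*'.
    It catches transmission noise only; it is not keyed and proves nothing about origin."""
    body, _, given = sentence[1:].partition("*")
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0) == int(given[:2], 16)

def payload_bits(payload: str) -> str:
    """Undo the 6-bit ASCII armoring: each payload character carries six bits."""
    out = []
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        out.append(format(v, "06b"))
    return "".join(out)

def field(bits: str, start: int, length: int, signed: bool = False) -> int:
    """Read one fixed-offset field; positions are two's-complement signed."""
    v = int(bits[start:start + length], 2)
    if signed and bits[start] == "1":
        v -= 1 << length
    return v

def decode_position_report(sentence: str) -> dict:
    """Decode a single-fragment type 1/2/3 position report (168 bits)."""
    if not checksum_ok(sentence):
        raise ValueError("bad NMEA checksum")
    bits = payload_bits(sentence.split(",")[5])
    msg_type = field(bits, 0, 6)
    if msg_type not in (1, 2, 3):
        raise ValueError("not a class A position report")
    # Identity and position sit at fixed offsets in cleartext. The message
    # carries no signature, key identifier, or other authentication field.
    return {
        "type": msg_type,
        "mmsi": field(bits, 8, 30),
        "nav_status": field(bits, 38, 4),
        "sog_knots": field(bits, 50, 10) / 10,
        "lon": field(bits, 61, 28, signed=True) / 600000,
        "lat": field(bits, 89, 27, signed=True) / 600000,
    }
```

A sentence that passes `checksum_ok` tells the receiver only that it arrived intact, which is why the cross-verification against radar and other sources discussed later carries the trust decision.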

These distinctions matter operationally.

  • AIS exploitation can mean simply collecting broadcast vessel data for intelligence purposes.
  • AIS spoofing involves falsifying or simulating AIS messages to create a misleading track, identity, or position.
  • GNSS/GPS jamming or spoofing can also corrupt the position information later transmitted through AIS, creating false locations even when the AIS transponder itself has not been directly manipulated.

AIS as a Targeting Tool

The most serious dimension of AIS exploitation is its documented use as an intelligence feed to support physical attacks on vessels.

Prior to the current conflict, Iran-linked cyber actors were already using AIS positional data for targeting reconnaissance. Research by Amazon’s threat intelligence team documented a case in which Iran-linked hackers accessed and mapped AIS tracking data for a specific commercial vessel in the Red Sea. Within days, that vessel was targeted in a missile strike attempt by Houthi forces. The cyber collection preceded the kinetic action and strongly suggests that AIS-derived reconnaissance can support real-world targeting decisions.

The pattern has been observed at the fleet level too. As of March 1, 2026, AIS data showed commercial operators actively broadcasting defensive messaging in their destination-field transmissions, including phrases such as “ALL MUSLIMS ON BOARD” and “NO IL LINK”, in an attempt to signal neutrality and reduce perceived targeting exposure. In effect, some operators were repurposing a safety broadcast into a deterrence message aimed at unknown hostile observers. This behavior illustrates how AIS has become an active signaling mechanism in a live threat environment where perceived affiliation may influence targeting decisions.

This is a significant operational development. Crews are modifying how they use AIS not for navigational purposes, but as a self-protection measure against adversarial actors they believe are monitoring their transmissions. The assumption that AIS is a neutral safety broadcast no longer holds in contested waters.


The Iran Conflict: AIS Exploitation in a Broader Electronic Warfare Environment

Not every false AIS position originates in AIS spoofing alone; in many cases, GNSS disruption contaminates the position data vessels transmit through AIS, while in other cases the AIS layer itself may be manipulated, suppressed, or exploited. The scale of electronic interference affecting maritime navigation since the outbreak of the conflict is among the most severe ever documented in commercial shipping.

Within 24 hours of the first US-Israeli strikes on Iran, more than 1,100 vessels experienced GPS and AIS disruption across the Middle East, with false vessel positions showing ships located inland at a nuclear power plant, at airports, and deep within Iranian territory.

Windward’s analysis identified injection zones, where manipulated signals cause vessels to broadcast incorrect positions, and denial zones, where AIS transmissions disappear entirely. Synthetic aperture radar satellite imagery confirmed that in injection zones, vessels were physically present at locations entirely different from their AIS-reported coordinates.

By March 7, more than 1,650 vessels were experiencing GPS and AIS interference (a 55% increase from the previous week), with at least 30 jamming clusters identified across Saudi Arabia, Kuwait, the UAE, Qatar, Oman, and Iran. Signal displacement patterns had evolved from circular distortions into zig-zag disruptions, throwing vessels’ AIS positions across multiple locations within a single 24-hour period.

Senior maritime intelligence analysts described the situation as “extremely dangerous for maritime navigation,” noting that when vessels are thrown onto land or thousands of nautical miles across the sea on digital charts, the foundational purpose of AIS, collision avoidance, is completely undermined.

U.S. MARAD’s Maritime Alert 2026-001A remained in force, advising vessels to avoid the wider Hormuz/Gulf of Oman/North Arabian Sea area where possible, while the Joint Maritime Information Center assessed the regional threat level as Critical after confirmed attacks on commercial vessels.

The operational consequences have been severe. Commercial transits through the Strait of Hormuz fell to near-standstill levels, with many operators suspending or deferring passage as attacks and electronic interference intensified. By March 4, only five vessels had crossed Hormuz in seven days, against a normal baseline of far higher volumes. Commercial shipping through the Strait reached its lowest level of the conflict on March 8, with only two outbound transits recorded and no inbound crossings observed.


AIS Spoofing: Sanctions Evasion and the Compliance Dimension

AIS exploitation is not only a wartime navigation problem; it is also a compliance and sanctions intelligence problem.

Beyond the conflict environment, AIS has been systematically exploited for sanctions evasion across Iranian, Russian, North Korean, and Venezuelan-linked fleets.

AIS spoofing involves the deliberate falsification of AIS messages, misleading vessels and maritime authorities about a ship’s true location and identity. Malicious actors can create ghost ships, obscure true vessel movements, or simulate fleet movements, creating significant security and compliance vulnerabilities.

For charterers, insurers, financiers, and compliance teams, AIS behavior is no longer just operational telemetry; it is now a due-diligence signal.

Between January 2024 and July 2025, Kpler identified 261 vessels that spoofed their AIS before being formally sanctioned, the largest single behavior category among all deceptive shipping practices tracked. Data shows that 80% of vessels confirmed to have spoofed their AIS face formal sanctions within a year of detection.

For commercial counterparties, financiers, insurers, and charterers, AIS spoofing behavior detected in a vessel’s history is now treated as a leading indicator of sanctions risk. Any instance of confirmed AIS spoofing should trigger enhanced due diligence. Treat spoofing as indicating serious sanctions risk until proven otherwise through thorough investigation.

The current conflict has added another layer. Evidence indicates that at least one commercial tanker may have completed a transit through the Strait of Hormuz with AIS disabled, remaining dark for approximately five days before its signal reappeared, suggesting some operators are still attempting passage under highly atypical operating conditions. The commercial pressure to move cargo is creating AIS management decisions that will have post-conflict compliance implications.


What Operators Need to Change Now

  1. Cross-verify position using multiple sources. GPS and AIS alone are insufficient in contested waters. Radar, visual bearings, depth soundings, and NAVTEX must be actively used as cross-reference sources. When electronic inputs conflict, the bridge team must be trained to recognise spoofing indicators rather than defaulting to the digital display.
  2. Brief crews before entering high-risk areas. Bridge teams transiting the Persian Gulf, Strait of Hormuz, Gulf of Oman, and Red Sea require specific pre-voyage briefings on the current jamming and spoofing environment. This is not generic cyber awareness training. It is operationally specific navigation safety preparation.
  3. Establish a clear AIS management policy. Masters need company-level guidance on AIS transmission decisions in threat environments, covering both the safety case for maintaining transmission and the security case for managing broadcast content and timing. The decision should be deliberate and documented, not improvised on the bridge.
  4. Integrate AIS behavior into commercial risk processes. Compliance, chartering, and operations teams should be monitoring AIS anomalies, dark periods, position jumps, and inconsistent voyage histories as part of vessel vetting and counterparty due diligence. The conflict environment is generating AIS behaviour that will require explanation long after the immediate crisis has passed.
  5. Treat AIS anomalies as both a safety issue and a security signal. A sudden position jump, unexplained dark period, inconsistent destination history, or improbable route pattern should not be treated as a data-quality nuisance alone. In the current environment, it may indicate spoofing, jamming, sanctions evasion, or a vessel operating under elevated threat conditions.
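One way a vetting or operations team could screen a vessel's AIS history for the position jumps and dark periods named in items 4 and 5. This is an added example, not part of the original briefing; the track is constructed, and the two thresholds are assumptions to be tuned per vessel type and reporting interval.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KN = 40.0  # assumption: a higher implied speed is implausible for a merchant ship
DARK_GAP_H = 6.0     # assumption: silence longer than this needs an explanation

# Constructed track (UTC timestamp, lat, lon); illustrative values only.
TRACK = [
    ("2026-03-01T00:00:00", 25.000, 56.500),
    ("2026-03-01T01:00:00", 25.100, 56.650),  # about 10 kn, plausible
    ("2026-03-01T02:00:00", 27.500, 53.000),  # thrown far inland
    ("2026-03-01T03:00:00", 25.300, 56.950),  # back on the original route
    ("2026-03-06T03:00:00", 26.500, 56.400),  # reappears after five days
]

def nm_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 3440.065 * asin(sqrt(a))

def find_anomalies(track):
    """Return (timestamp, kind, value) for each suspicious pair of consecutive reports."""
    findings = []
    for (t0, la0, lo0), (t1, la1, lo1) in zip(track, track[1:]):
        delta = datetime.fromisoformat(t1) - datetime.fromisoformat(t0)
        hours = delta.total_seconds() / 3600
        if hours <= 0:
            # Duplicate or reordered reports: flag them and avoid dividing by zero.
            findings.append((t1, "out_of_order", 0.0))
            continue
        if hours > DARK_GAP_H:
            findings.append((t1, "dark_period", round(hours, 1)))
        speed = nm_between(la0, lo0, la1, lo1) / hours
        if speed > MAX_SPEED_KN:
            findings.append((t1, "position_jump", round(speed, 1)))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(TRACK):
        print(finding)
```

A finding is a prompt for investigation, not a verdict: the same jump can come from GNSS interference affecting an innocent vessel or from deliberate spoofing, so it should be correlated with known interference zones and independent position sources.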

The Iran conflict has turned the Persian Gulf and Strait of Hormuz into one of the most intense electronic warfare environments ever encountered by commercial shipping. Over 1,650 vessels experiencing simultaneous AIS and GPS disruption is not a theoretical cyber risk scenario. It is the operational reality of maritime navigation in a live conflict zone today.

AIS was built on an assumption of good faith: that vessels broadcasting their position were doing so accurately and for legitimate safety purposes. That assumption has been overtaken by events. State actors, sanctioned operators, and military forces have all demonstrated the capability and intent to exploit AIS for intelligence collection, sanctions evasion, and navigation disruption at scale.

The maritime industry cannot redesign AIS overnight. But operators can train crews to detect anomalies, implement multi-source navigation verification as standard practice, manage AIS transmission intelligently in threat environments, and integrate AIS behaviour into commercial and compliance risk processes.

A system designed to make vessels visible to those who need to find them must not become a tool that puts them at risk from those who intend to harm them.

In contested waters, visibility is no longer automatically a safety advantage. If unmanaged, it can become part of the threat surface.


Maritime Cyber Threat Briefing is an independent series covering cyber threats, vulnerabilities, and risk management across the global maritime industry. It is published by Alexandros Engelen, a Cybersecurity Strategist specializing in maritime cyber risk.