A cyber solutions company has warned that being off the grid is a safety illusion. This comes as tracking data appears to show that there’s been a system in place for passing through the Strait of Hormuz.
Latest reports show that at least six ships – a fraction of the usual traffic – crossed the Strait of Hormuz in 24 hours spanning 28/29 April, while the USA and Iran remain head-to-head over coming to terms that could unlock the waterway.
“Despite the 8 Apr 2026 US-Iran ceasefire, commercial traffic remains limited, with constrained transits and continued routing uncertainty,” the US navy-led Joint Maritime Information Center said in its latest assessment report this week. Iranian officials have mooted charging ships a toll for sailing through the strait – over 20 vessels have been attacked since the war began (Iran effectively shut the Strait of Hormuz to most international shipping following the US-Israeli attacks on 28 February).
Now ship managers with assets sailing through high-risk waters are being warned that disabling a vessel’s Automatic Identification System (AIS) creates a false sense of security, as the vessel’s location and position can remain electronically visible. But some ships have devised a code which analysts say has led to access through Hormuz.
The false sense of security: disabling AIS at sea
In a recent Cydome research paper, the maritime cyber solutions company advises turning off AIS can actually increase the risk of attack.
“The crew believes they are hidden, while threat actors can still track and target the ship via its VSAT signature,” says Nir Ayalon, Cydome CEO and co-founder. “Deactivation does not cloak a vessel’s position.”
Ayalon says the technical challenge is that a vessel is never truly off the grid.
“While deactivating tracking is a recognised safety measure in high-risk zones, it does not silence the ship’s broader digital footprint, which could also disclose its location. Risk reduction must be approached through the lens of digital hygiene, minimising the discoverability of these background systems to ensure the vessel’s digital shadow does not provide a roadmap for adversaries.
“Many ship operators are not aware that the location remains publicly visible through the VSAT satellite communications devices which, unlike AIS, maintain continuous, internet-connected links between ship and shore.”
VSAT’s digital footprint
Cydome says that maritime VSAT infrastructure operating around the Hormuz Strait is extensively exposed, with management interfaces openly accessible from the internet, using default configurations, placing ships’ locations at risk of discovery.
“When a crew disables AIS to avoid detection, the VSAT terminal keeps on transmitting. The ship is invisible to coastal AIS stations, but the location remains visible to anyone with the right tools and knowledge of what to look for. This is not a vulnerability, but an actual design feature. Unfortunately, many operators are not aware of such risks and leave the ships exposed,” continues Ayalon.
The research highlights that an exposed VSAT interface is more than a tracking risk. As maritime communication hardware is often networked with onboard operational technology, a threat at the satellite gateway could open a path for unauthorised access to the vessel’s navigation, propulsion and power management controls, if the architecture is not segregated and secured, he notes.
The advisory follows a surge in reported AIS blackouts across the Persian Gulf, including the Strait of Hormuz, amid growing concern around so-called zombie ships that appear to vanish from tracking systems.
Only a limited number of vessels have used the waterway in recent months, and private yachts have largely stayed away. Since the conflict began on 28 February 2026, Iran has imposed strict limits on shipping through the strait, cutting daily traffic to a handful of vessels, mainly merchant ships. Before that, between 125 and 140 vessels would typically pass through each day. Earlier this week, MIN reported that a superyacht linked to Russian steel magnate Alexey Mordashov passed through the strait. The 142-metre Lürssen superyacht, Nord, left Dubai on 24 April 2026, crossed the strait on Saturday and reached Muscat, Oman, early on Sunday, according to AIS data. Valued at more than $500m (£370m), it is one of the largest yachts in operation worldwide. Public tracking data shows it travelled along a route close to Iran’s coastline.
Hormuz under observation: real-time vessel tracking
At the same time that some ships have been turning off systems, others have been using AIS to secure passage through the strait. Saleem Khan, chief data & analytics officer for Pole Star Global and Arsenio Longo, HUAX, have analysed vessel tracking data during April, examining how ships actually secured passage through the strait in real time.
The pair believe that an access regime was quietly operating in plain sight for nearly a week – prior to the system’s collapse on 18 April 2026. And the evidence of that collapse? The master of a crude oil tanker Front Gander (while transiting the Strait of Hormuz) broadcast a transmission: “You gave us clearance. You gave us clearance. We are second on the list.” His ship was under fire at the time.
Collecting data to reveal the system
When the US naval blockade entered its enforcement phase on 13 April, HUAX says it initiated a systematic observation of AIS destination-field activity across both the Strait of Hormuz and Bab al-Mandab. By combining open-source AIS behavioural methodology with Pole Star Global’s vessel-tracking infrastructure, Khan and Longo documented destination-field strings across hundreds of transits, partial transits and holding patterns over seven consecutive days.
They say that the combined data revealed a legible access architecture operating across two simultaneous enforcement frameworks. With Iranian corridor control on one side and US naval enforcement on the other, commercial operators found themselves caught in the middle, forced to adapt their AIS broadcasts in real time to signal compliance with whichever framework they believed controlled their next twenty miles.
AIS destination field: from port name to political signal
What makes that architecture more than anecdotal is its scale. In Pole Star Global transit data covering just over 900 Hormuz movements since the start of the conflict, 120 vessels, 12.9 per cent of all observed traffic, used the AIS ‘reported destination’ field not to identify a port, but to declare the nationality of the vessel’s owner or crew. Instead of broadcasting ‘Dubai’ or ‘Mumbai’, ships transmitted strings such as CHINA OWNER AND CREW, CHINESE OWNER&CREW, ALL CREW CHINESE, INDIA SHIP/INDIACREW, ALL CREW INDIAN, or OWNER FRANCE.
The pattern was not evenly distributed.
Chinese-linked declarations accounted for 79 cases, Indian-linked declarations for 23, French-linked declarations for 10, with smaller clusters tied to Oman, Russia and Syria.
Across 184 Iranian-flagged transits in the same dataset, not a single vessel used nationality declarations in the destination field. Iranian vessels did not need to explain who they were.
Others did.
That contrast strongly suggests the signalling was functional rather than decorative, says Khan (pictured) and Longo: an improvised identity layer for ships whose flags did not, on their own, communicate political alignment or operational acceptability.
A second cluster followed the same logic, but through declared cargo purpose rather than identity. Pole Star’s data shows another 32 transits using the field for messages such as FOOD FOR IRAN, SANTOS FOOD FOR IRAN or DISCHARGED FOOD BIK.
These were largely third-country bulk carriers effectively pre-declaring humanitarian or food cargo. Taken together, Iran-linked destination references and nationality-based signalling account for 315 transits, 33.9 per cent of all observed traffic, suggesting that for roughly a third of corridor movements, the AIS destination field had been repurposed into a live-access signalling channel.
Nationality, cargo and clearance: how ships communicate in the corridor
These signals evolved with almost linguistic logic say Khan and Longo. Early in the observation window, vessels broadcast simple nationality declarations like CHINA OWNER&CREW, INDIAN SHIP INDIANCREW, or RUSSIAN FLAG CREW. These morphed into composite signals attempting to address multiple variables simultaneously, including crew nationality, ownership identity, guard status and cargo category. Strings like CHINA CREW+ARM GUARD or KAZIQ began to appear, with the latter looking increasingly like a compressed composite consistent with both Iraqi-origin and KAZ-type exemption signalling. On 19 April, a vessel under EU and UK sanctions broadcast RUSSIAN CRUDE OIL. This was not a port or an owner, but a specific cargo-category assertion that appeared on the exact expiry date of the US sanctions waiver on Iranian oil, just two days after the surprise extension of General License 134B for Russian crude loaded before 17 April.
Each evolution points to active operator learning. Khan and Longo say they were watching a population of masters, charterers and operators updating their understanding of what the gatekeeper required, broadcasting their applications into a public field in real time.
Behavioural patterns: coherent signals vs contradictory ones
Pole Star Global’s tracking data supports a strong behavioural pattern during this period: vessels that broadcast coherent, single-addressee credentials tended to move more easily. Galaxy Gas, for instance, broadcast KAZIQ and was tracked safely deep inside the Persian Gulf within hours. Similarly, Agios Fanourios I, which had spent twelve days idling at anchor off Fujayrah, suddenly moved at fourteen knots under the string BASRAH IRAQTOVIETNAM. By offering a transparent routing chain with no identity signal, it spoke a language directly legible to the US enforcement framework and cleared the strait without incident.
Conversely, vessels broadcasting contradictory or multi-addressee signals tended to stall. Alraya, a fully loaded Norwegian-flagged supertanker, broadcast IRQ OWNR RUSSIA CREW, jamming three distinct national spheres into a single field without a clear addressee and remained at anchor off Umm Qasr for over thirty-five days.
The transmission: “We are second on the list” describes a hard operational reality that the AIS data had been reflecting for weeks before it ever became audible, believe Khan and Longo. Iran’s Ports and Maritime Organisation had quietly established a coordinated transit route, they say. Operators were effectively filing digital applications into a corridor access regime that issued clearances, maintained queues and communicated positions to waiting masters.
The AIS destination field, a twenty-character broadcast originally designed to carry a simple port name, had been repurposed into the intake form for this regime. What HUAX’s Longo (pictured) documented across seven days, and what Pole Star’s infrastructure corroborated through physical movement data, is that this underlying system functioned with enough consistency to be trusted and acted upon by commercial operators across multiple flag states, cargo types and ownership structures.
Lessons learned: managed access, digital hygiene and operational safety
On the morning of 18 April at 09:20 UTC, IRGC gunboats approached Front Gander without issuing a standard VHF challenge and opened fire. The master had obtained his clearance. He knew his precise position in the queue and he broadcast it frantically over the radio – illustrating a breakdown in communication within Iran.
Since then, vessels like CMA CGM Everglade (broadcasting OWNER FRANCE), Sanmar Herald (INDIA CARGO), and Desh Garima‘s (INIASHIP.INDIACREW) behaviour serve as evidence that operators have assessed the underlying access logic as materially unchanged, regardless of the political rhetoric.
The credential system appears to be real, and for a time it functioned with enough consistency that operators adapted to it. Broadcasting a coherent, legible AIS destination-field signal seems to have become a practical prerequisite for a meaningful share of transits through this contested corridor. However, the events surrounding Front Gander suggest that it was not, under all conditions, a sufficient guarantee of safety. The system remained vulnerable to override by actors operating inside the same framework that made it legible.
Khan and Longo note that seven days of behavioural observation, reinforced by Pole Star Global’s transit data, point to a clear conclusion: between 13 and 19 April, the Strait of Hormuz operated neither as an open sea lane nor as a fully sealed chokepoint. It functioned instead as a managed-access corridor, with the AIS destination field repurposed into an improvised signalling layer through which vessels disclosed identity, cargo purpose or political legibility in order to move.
The post The secret digital language of the Strait of Hormuz appeared first on Marine Industry News.