Exposing Russia’s Undersea Shadow War
Tracking Russia’s Hybrid Naval Threat in European Waters (Part 1)
From AIS-dark warships to disguised research vessels, Russia’s maritime operations in the North and Baltic Seas are pushing the boundaries of hybrid warfare. This type of analysis shows how OSINT and SIGINT-inspired tools can expose hidden movements, uncover intent, and help journalists, investigators, and analysts stay one step ahead at sea.
It’s March, 2025. Just before dawn off Ireland’s misty northeast coast, an Irish Air Corps patrol aircraft, Air Corps CASA 295 appears on ADS Exchange flight radar. It spotted the Russian-linked cargo vessel silently drifting in international waters.
The ship — sailing under a Caribbean flag — was not broadcasting AIS and appeared on no maritime chart. Hours later, surveillance footage confirmed it had dropped anchor directly above a vital submarine communications cable, prompting Irish Defence Forces to contact the vessel and order it away. While officials stated there was no distress call or explanation, the deliberate anchoring over the cable speaks to a broader Russian tactic of undersea probing.
This was far from an isolated incident. A similar pattern has emerged across the North and Baltic Seas, with unmarked or “AIS-dark” ships — often disguised as research or cargo vessels — loitering near naval bases, wind farms, pipeline networks, and data arteries. Just last November, the Russian auxiliary research vessel Yantar was trailed out of Irish waters after hovering near key internet cables south-west of the Isle of Man.
Elsewhere, Baltic nations have reported anchor-drag events and quick cable faults traced to vessels like the Eagle S and Yi Peng 3, stirring suspicions of sabotage. Their AIS signals often vanish during these sweeps, concealing intent and raising the specter of a shadow maritime war, where the seabed itself becomes a strategic front. For many of us western journalists and investigators, that was a starting point to dig deeper.
Russia’s Hybrid Naval Playbook in the North and Baltic Seas
Russia is increasingly treating the North and Baltic Seas not merely as transit zones, but as active frontiers in a hybrid contest against NATO’s western flank. What may appear on the surface as civilian maritime activity often serves more strategic, and at times covert, military ends.
Journalists and investigators are now paying closer attention to Moscow’s use of commercial vessels, shadow fleet tankers — flagged as such by institutions like the Kyiv School of Economics — and auxiliary research ships. These vessels, while sailing under scientific or commercial pretences, are increasingly integrated into the Russian military apparatus. Their missions often include surveying critical infrastructure, mapping data cable routes, identifying weak points in offshore energy production — such as Germany’s North Sea wind farms — and feeding intelligence into what defence analysts refer to as Russia’s “kill chain”: a matrix of pre-identified targets intended to cripple Europe in the event of open conflict.
While much of this activity operates in the grey zone of plausible deniability, open-source intelligence (OSINT) offers a powerful set of tools to investigate it. In this post, we explore how satellite imagery, ship-spotter reports from places like Kaliningrad, livestream cameras in European ports, AIS tracking data from sources like Global Fishing Watch, and other open tools can illuminate Russia’s maritime footprint — and help clarify what’s unfolding beneath the waves.
The thing with AIS tracking signals
Let’s start simple. Most observers have heard of AIS — the Automatic Identification System transponder signal that vessels over 300 gross tonnage are required to broadcast when navigating international waters. In high-traffic zones like the rough, often fog-bound North Sea, this isn’t just protocol — it’s a matter of maritime safety. But AIS has its blind spots. There is the source itself. Experts sources in my work revealed that MarineTraffic data can show gaps where there should be none, due to business related merging — rendering it not a “gold standard”. But appart from that, some of the more pressing gaps in AIS tracking is by military vessels who are exempt from any of these IMO rules, and Russia makes full use of that loophole.
Take the case of the Russian spy ship or more fomally called Russian signals-intelligence ship Yuri Ivanov. The case that took place in May is one example of many russian military vessel appears suddenly and without AIS broadcasts near sensitive European sites, raising alarm across NATO states.
A striking example occurred in May 2025, when the Russian signals-intelligence ship Yuri Ivanov was tracked loitering off the coast of the Outer Hebrides shortly after NATO’s Formidable Shield exercise. With no AIS signal and no prior warning, the vessel’s presence prompted the British Royal Navy to deploy the destroyer HMS Dragon and a Merlin Mk2 helicopter to monitor its activities, both potentially revealing the position of the Yuri Ivanov, even if its AIS is off.
Designed for intercepting radar and communications traffic, Yuri Ivanov exemplifies how Russia leverages unannounced naval movements to surveil Western military exercises, test response times, and map vulnerabilities in allied defense systems. Russian warships routinely travel dark, escort disguised merchant vessels, and appear near critical sea lanes or cable routes, allowing to pull intel with strong receivers.
As mentioned, digital tools can be great for investigators. Platforms like MarineTraffic (despite its datagaps), VesselFinder, and Global Fishing Watch provide free — often near real-time — AIS tracking data that can reveal escort or shadowing vessels, indirectly exposing the movements of AIS-silent military ships. While NATO and national coast guards have far more sophisticated capabilities, their tracking efforts often leave a trail that open-source researchers can follow — especially when Russian military vessels stir concern in European waters.
Near or even in German EEZ (exclusive zone) waters, the coast guard vessel Bamberg is frequently involved in monitoring activity and chasing after vessels. OSINT ship spotters often cite Bamberg as an early warning sign of Russian auxiliary fleet movements.
A notable example occurred in 2023, when the Russian research vessel Professor Logachev was shadowed — its AIS was still active at the time, allowing observers to track its movements. Since then, however, Russian vessels have increasingly gone dark, switching off AIS. In parallel, patrol checks on civilian ships have intensified, partly in response to drone sightings — an issue we will revisit later.
Shadowing vessels often become the key to detecting dark military activity — revealing the presence of AIS-silent warships through their own visible movements. German patrol ships such as the Potsdam (BP81), Bamberg (BP82), and Bad Düben (BP83), all built by the Fassmer Shipyard, are especially worth watching. As EU state-operated control vessels with active AIS, they can act as canaries in the coal mine — indirectly signaling the presence of Russian military assets in European waters.
Other such vessels to track are Bad Bramstedt-class (e.g., BP 24 Bad Bramstedt) that joined Danish and Swedish vessels in Kattegat to monitor Yi Peng 3, amid speculation of Russian involvement via hybrid operations, that followed suspected sabotage to the C‑Lion 1 cable between Finland and Germany, the German coast guard.
The Bramstedt was also involved after anchor-drag marks were found near the Estlink 2 cable and when Finnish authorities seized Eagle S. The Bad Bramstedt was among EU vessels monitoring follow-up operations. There are two more Bad Bramstedt-class vessels: the Bayreuth (BP 25), and Eschwege (BP 26) both are said to be regularly deployed near suspected undersea cable incidents, serving as the canary in the coal mine thanks to their visible AIS tracking and patrol capabilities.
While military vessels often travel dark, their escorts, supply ships, or past AIS logs can reveal indirect clues. Analysts also rely on ShipInfo, and open-access Copernicus Browser imagery to monitor movements and verify a ship’s last-known position.
Historical AIS data — even when partial — can expose patterns: loitering near infrastructure, shadowing other ships, or sudden, unexplained signal gaps.
As we spoke of shadowing vessels, the same applies to conspicious flight patterns of western military and patrol planes over baltic sea.
One examples occurred on 14 November 2024, when the French Navy’s maritime patrol aircraft Atlantique 2 (Br.1150 Atlantic) flew over the Baltic Sea, circling above a Neustrashimy-class Russian frigate returning from the Mediterranean.
The aircraft maintained sustained observation, relaying real-time intelligence to NATO forces and signaling that allied surveillance was fully aware of the vessel’s course and purpose. Were the platfroms such as adsbexchange to feature the signal of the Atlantique 2 (which I am rather sure it did), investigators can trail it, and find out roughtly the position of the freaking russian frigate.
In another incident recently, flight tracking platforms like ADS-B Exchange captured Western air assets responding as Russian Su-35S jets scrambled from Petrozavodsk to shield the shadow fleet tanker Jaguar, forcing Estonian forces to stand down just as they moved to seize the AIS-dark vessel in the Gulf of Finland.
Webcams and images taken of vessels
Port and Activity Monitoring
To verify the movements of vessels even when their AIS is turned off, port webcams — such as those in Kiel or Rostock (examples here or here )— can be surprisingly valuable.
For instance, the departure of the Russian Navy’s Admiral Gorshkov (Project 22350, hull number 454) from Cape Town, or the Admiral Golovko (456) and Steregushchiy-class corvette passing beneath Denmark’s Storebaelt Bridge, were all documented through screenshots from publicly accessible live webcams. These sources are not only useful for retrospective verification, but also offer investigators the chance to monitor key chokepoints in real time — if you’re quick and know what to watch for.
For everthing there is a facebook group. The Facebook channel Under Broen, translated as “under the bridge” shares webcam footage often on russian military vessels but also on russian submarines, what became a valuable tool for open source investigators.
Link to Facebook Group: https://www.facebook.com/groups/1525590020990772
Since we are frequently citing OSINT Twitter accounts, who often anonymiously push valuable evidence online, here are some of the most often cited accounts on this matter. Of something is up in north or baltic sea, these source will likely have picked up on it. Not always thought.
Vessel Spotters
In several investigations, I’ve found vessel spotters to be a valuable resource. With some luck, you can confirm the positions of suspicious Russian vessels — and more importantly, many of the images or videos they share are of such high quality that they offer real investigative value — for spotting what’s on the ship or what isnt, and later is or isnt.
Take the example of the HAV Dolphin: while no concrete evidence has linked it to espionage or other nefarious activity so far, the vessel illustrates how spotter footage can provide a deeper layer of insight into maritime behavior.
Before the vessel headed to the German coast — where it remained for more than eight days — it was docked in Kaliningrad. A ship spotter captured an image of it there on April 11, 2025. According to its owner, the vessel was undergoing repairs at the time, which aligns with the visible scaffolding on its bow. Afterward, it sailed to Latvia and then proceeded directly into Germany’s Exclusive Economic Zone.
Following its conspicuous stay near German waters, the HAV Dolphin transited through a German channel, where it was photographed again on May 10 by a ship spotter using a high-resolution DSLR camera. A direct comparison of the images revealed minor changes — nothing conclusive in this case, but potentially valuable if further investigation were warranted. While no drone equipment or suspicious modifications were observed, this kind of photographic evidence is worth collecting. Such images were shared across platforms like MarineTraffic, ShipSpotting.com, ship-spotting.de, and MyShipTracking.com, among others.
Spotting Suspicious Patterns in AIS Data
Did a vessel spoof its location — falsifying its position — or did its AIS signal appear in a place it physically couldn’t be?
To answer that, it helps to think outside the box. For instance, if AIS positions show up on land (unlikely for a 300-meter tanker) or indicate impossible speeds, something suspicious may be happening. One increasingly useful tool is an AI chatbot like ChatGPT, which can scan AIS data and flag unusual vessel behavior far faster than manual analysis — though any findings must still be cross-verified.
Take the already mentioned Jaguar (IMO: 9293002), a crude oil tanker flagged under Gabon and sanctioned by the UK’s Office of Financial Sanctions Implementation (OFSI).
When examined through platforms like MarineTraffic — or in this case, Windward — the ship displayed an abnormal AIS pattern: a near-perfect circle in open water that didn’t match known movement imagery, strongly suggesting spoofing or GPS manipulation.
To run an independent analysis, we can use data from Global Fishing Watch, which — despite its name — now includes AIS data for all vessel types, not just fishing ships.
Simply download AIS data for a specific period and vessel, then upload it to an LLM-powered chatbot ChatGPT4 with a targeted prompt like:
“Please fact-check the AIS locations of the shadow fleet tanker Jaguar and identify any inconsistencies or suspicious behavior.”
The chatbot will scan the CSV file line by line, calculating speed, time gaps, and positional anomalies to flag implausible patterns. In the case of the Jaguar, here’s what it found.
“Very short time intervals” of AIS pings and “geographic jumps” raise questions that later can be further investigated.
If you go a step further and feed the LLM not only AIS data but also the positions of European subsea cables — available, for example here, in CSV format from the Submarine Cable Map by TeleGeography — the model can compare defined loitering events (e.g., stationary positions longer than a few hours) with the proximity of known undersea infrastructure. This allows for automated analysis to flag potential espionage or sabotage behavior near critical cables.
With ChatGPT-4 and its Code Interpreter, you can upload AIS and subsea cable data, define loitering behavior, and automatically calculate and visualize overlaps — flagging suspicious activity near critical infrastructure — though precision is limited by simplified cable data, static input files, and dataset size constraints.
If you do that with the recent positions (2025) of the Jaguar and subsea cable maps from 2018, it suggests the vessel did not sail closer than 500m near the noted cable paths.
Here again another example. The infamous GUGI research vessel Yantar, its AIS signal overlayed and analysed over international submarine cable infrastructure.
Data for 2021 to 2025 shows multiple stopovers within 2 km of key submarine cable routes, notably near the Channel Islands (49.8°N, -2.9°E) and off the coast of Estonia near Tallinn (59.7°N, 24.3°E). These areas host critical Western communication infrastructure, suggesting Yantar may have been conducting cable surveillance or mapping activities under the guise of marine research (also mentioned here, here and here).
Russia understood decades ago that knowing, and in the event of need, disrupting or exploiting internet infrastructure could yield major strategic advantage.
Tracking russias electronic warfair signal interferences
Russia has installed powerful jamming systems along its Baltic Sea ports to defend against drone warfare and other aerial threats. However, these electronic countermeasures have an unintended side effect: they can interfere with AIS signals, disrupting the tracking of vessels.
A notable example offers again the HAV Dolphin, which sailed from Kaliningrad to Latvia in late April. During this transit, its AIS signal experienced a noticeable gap. An analysis of signal interference on that day (available via GPSJAM) confirmed elevated jamming activity along part of the route, likely contributing to the AIS disruption.
This kind of analysis helps determine whether a vessel intentionally disabled its transponder — an action far more significant for investigators — or whether it went dark due to external interference. In the case of the HAV Dolphin, the ship’s owner attributed the AIS gap to Russian jamming, which aligned with some of the recorded signal anomalies along the route.
A new russian playbook to turn off AIS transponders
But that this may not the case for other russian vessels or shadowfleet tankers, show talks with sources. One senior Finnish Coast Guard officer confirmed to me that Russian-linked vessels — particularly shadow fleet tankers — have increasingly exploited AIS signal gaps as a deliberate tactic since spring 2024, coinciding with the introduction of direct EU sanctions against these ships (something that was stressed before).
The officer reported up to ten such AIS blackouts per week, primarily occurring as vessels cross from the Russian Exclusive Economic Zone into Finland’s, creating significant navigational hazards in the shallow, congested sea lanes of the Baltic. Captains often respond to radio contact claiming they no longer know their exact location — despite continuing to navigate — and systematic Coast Guard measurements indicate these gaps typically last several hours, with AIS reactivated only once the vessels exit the Russian EEZ.
For him the jamming and spoofing isnt seperate, it’s compounding the risk, as GNSS spoofing and jamming — believed to be part of Russia’s electronic countermeasures against drone threats — caused ships to follow falsified navigation data while their AIS remains frozen.
While Finland and Estonia lack the authority to act against such vessels in international waters, this evolving playbook has already forced several near-accident interventions and highlights a broader strategy of obfuscation, evasion, and information denial at sea, he said.
Morse
Journalists and investigators can track Russian naval activity in the North and Baltic Seas also by monitoring high-frequency (HF) radio communications, particularly Morse code (CW) and STANAG signals still used by Russian vessels for long-range operations. If this doesnt tell you much, consider this. These are transmissions that often originate from military ships operating in remote or AIS-dark mode. They can provide indirect confirmation of presence, timing, and occasionally even intent.
Communities like the Utility DX Forum (UDXF) and Priyom.org document these patterns in real time, cataloging callsigns, frequencies, and signal types tied to specific naval units.
With a basic setup — such as a long-wire or magnetic loop antenna and software-defined radio (SDR) tools like SDR# or GQRX — even civilian investigators can intercept and decode these transmissions. These open networks act as passive surveillance layers, especially valuable in regions like the Baltic, where Russian communication habits remain rooted in traditional HF protocols.
How UDXF works
In December 2009, a UDXF contributor reported logging a Morse-mode naval command exchange between RMP (the Baltic Fleet HQ in Kaliningrad) and RFE76 — a Russian naval vessel — on the HF frequency 14,556 kHz. According to the logs, RMP signaled RFE76:
“RFE76 de RMP QTC 411 66 11 1607 411”
— likely relaying mission-specific instructions or scheduling signals. The detailed exchange was logged with timestamps and call-sign metadata, which helped operators at distant European listening stations — and later, OSINT analysts — pinpoint Baltic Fleet units operating in real time.
This was not an isolated case. Priyom.org documents that the Baltic Fleet’s station RMP (Kaliningrad) regularly transmits CW and digital signals to this day— including Monolith traffic — that have been consistently monitored across the Baltic region.
Through HF monitoring, skilled listeners can thus identify and track Russian naval operations long after a vessel’s AIS goes dark.
In fact, journalists from Süddeutsche Zeitung, NDR, WDR, and other international outlets used Morse signals in a 2024 analysis to track the movements of Russian auxiliary research vessels as part of a major cross-border investigation.
How does the decoding of the morse sigal work?
Russian tugboats can serve as valuable proxies for submarine activity — often revealing what stealthier vessels aim to conceal. Take the example of the Evgeniy Churov, a 70-meter-long Russian Navy tug with no active AIS signal.
While it may appear unremarkable on the surface, the Churov plays a key operational role: acting as the muscular escort and support unit for Russian submarines operating far from home waters. In at least one documented cases, it accompanied the submarine Krasnodar, a Kilo-class B-261 Novorossiysk, which had been stationed for several months in the Mediterranean Sea. With the submarine’s presence largely invisible to open-source tools, it was Churov’s radio trail that exposed the broader deployment and more specifically, its removal.
In particular, Morse code transmissions from the Evgeniy Churov — intercepted on 8345 kHz CW — have become a crucial data point for OSINT practitioners — though it disappeared briefly in February. A structured position and weather reports encoded in standard naval formats. One signal received at 0605 UTC and collected by X account te3ej reads:
RIW DE RMEV 01061 99555 10109 41497 71709 10153 40111 57018 70312 87?00 22252 20301 01013 BT AR RMEV K
Lets break down the most important parts, one by one.
RIW DE RMEV
- Translation: “RIW from RMEV”
- DE means “this is” in Morse.
- RMEV is the transmitting station’s callsign — in this case, the tug Evgeniy Churov.
- RIW is likely the receiving command station (Baltic Fleet HQ or regional naval command).
01061
- Date and time in military format
- 01 = day of the month (1st)
- 061 = time group, often read as 0601Z (UTC)
99555
- Standard filler or start of coded weather block (can sometimes indicate “no significant weather phenomena”)
10109: Latitude/Longitude
- 10 = code for 55°N
- 109 = 10.9°E
- (Together: 55.5°N, 10.9°E, location in the western Baltic Sea)
BT AR
- BT = Break Text (separator)
- AR = End of Message (common in Morse traffic)
RMEV K
- Repeats the sender call (RMEV), K = “Over” (waiting for response)
Most importantly is probably the part 10109. With 55.5°N, 10.9°E, we can place the vessel in the Baltic — despite its AIS silence — 18 km north of the Storebælt bridge.
With basic radio equipment, a long-wire antenna, and decoding tools like SDR# or Fldigi, journalists and investigators can monitor these transmissions from thousands of kilometers away.
Logged by open communities as the already mentioned Priyom.org and UDXF, they offer rare insight into the movement of Russian naval assets, especially when submarines themselves remain out of view.
Other means to identify dark vessels
Other means to find traces of vessels where there are no records are with slick tracking. One Slick Tracking website uses AI to record traces of slick on the water surface. This is great to spot polution but also to expose areas affected by age old russian tankers that sail though europe and have their AIS off.
In one instance, the tracing of oil slicks detected via satellite, fellow journalist investigators were able to link AIS-dark Russian shadow fleet tankers — like the Innova — to illegal crude shipments and environmental damage, revealing how physical pollution trails can unmask vessels deliberately hiding their location to evade sanctions.
Drones from vessels
OSINT techniques can reveal much about potential hybrid threats at sea, where as easily a drone can be flown as it was for the Ukrainian special units to get drones in conatiners close to russian air bases, attacking them with the opeation spiderweb.
One vessel, we dont say the name here, serverd here as a test case, which could, whose movements in spring 2025 warrant closer scrutiny. According to AIS tracking, the vessel departed the Latvian port of Liepāja on April 29 and sailed directly to the Bay of Kiel. Over 49 hours and 27 minutes, it covered 377.6 nautical miles at an average speed of only 7.6 knots.
This behavior suggests loitering. Officially it was “waiting”. What made for the authorities the the cargo vessel voyage suspicious was where it stopped. For over eight days, between May 1 and May 10, the vessel loitered in a maritime traffic zone just outside Germany’s 12-nautical-mile boundary, near 54.5288°N, 10.2569°E. This location lies close to Eckernförde, home to the German Navy’s submarine base and special operations forces. The vessel’s track showed tight circles and erratic maneuvers — a virtual holding pattern in an area not designated for anchoring.
By combining AIS data with maritime density maps from MarineTraffic, investigators confirmed that this loitering location is atypical: neither cargo ships nor transit traffic regularly stop there.
Using Overpass Turbo, we queried the closest German military installations within 40–50 kilometers of the loitering spot — the maximum range for standard commercial drones. The Marinefunkempfangsstelle Schwedeneck-Stohl (14km), Marinestützpunkt Eckernförde, and Kaserne Belvedere were all within drone flight range.
Had the vessel launched a drone toward critical infrastructure during its anchorage. We visualized these findings via interactive maps and verified the sensitive locations with Google Maps.
While nothing confirms an inspection or drone activity, OSINT methods — including AIS data analysis, Overpass Turbo queries, satellite verification, and vessel behavior tracking — allow to raise meaningful questions about hybrid naval threats. In combination, these tools illustrate how loitering vessels near military sites can become proxies for intelligence-gathering operations.
I got interested in further drone sighting cases across europe. ACLED did an exptensive study of Drone related cases. So we searched for those encoded in their database. Here are the results.
Since late 2022, European security services have documented a sharp increase in suspected Russian reconnaissance and sabotage activity via unidentified drones — often targeting critical infrastructure and military facilities across the continent.
The pattern intensified in 2024–2025, with drone sightings over strategic German sites like naval bases in Wilhelmshaven and Nordholz, gas facilities in Jemgum, and the port of Bremerhaven all in a single night (27 February 2025). Similar incursions were reported over Finland’s gunpowder factories, Sweden’s power plants, and Romanian military installations.
Notably, the NATO air base in Geilenkirchen entered high alert in January 2025 following foreign intelligence about a potential Russian drone-based sabotage plot. Overflight incidents over offshore oil platforms and gas fields — from Norway’s Sleipner and Melkøya to Denmark’s Roar field — suggest a coordinated campaign. While direct attribution remains difficult, Western intelligence agencies increasingly link these drone incursions to Russia’s evolving hybrid warfare strategy targeting European resilience.
And now it’s your turn!
