Policy Explainers
4/22/2026

Crypto “safe passage” scams in the Strait of Hormuz: what changed and how to respond

A new crypto extortion scheme is steering commercial ships toward danger in the Strait of Hormuz. Here’s what changed, who’s affected, and the operational and policy steps to take now.

Commercial ships transiting the Strait of Hormuz are being targeted by a new social‑engineering scam that demands cryptocurrency for “safe passage” and issues fake routing instructions. If acted upon, these messages can steer vessels into higher‑risk waters and potential interdiction. The short answer: do not pay, do not deviate, and immediately verify through official maritime security channels before taking any action.

What changed is the blending of classic maritime deception with crypto payment rails and convincing impersonation of trusted senders (e.g., security centers, naval liaisons, or even flag‑state notices). Who is affected: shipowners, operators, masters, charterers, P&I clubs, war‑risk underwriters, and platforms (exchanges, messaging apps, registrars) whose systems are being used to execute the fraud. The consequence: a single spoofed message can trigger operational, legal, safety, and insurance exposure.

What changed this week—and why it matters

  • A credible-looking “safe passage” extortion message circulated to Gulf-bound ships, demanding a crypto payment and instructing a specific route purportedly outside interdiction zones. At least one vessel appears to have deviated toward risk after receiving such guidance and was subsequently boarded by a state actor.
  • The novelty isn't the extortion itself; it's the pairing of a cryptocurrency payment rail, which is fast, pseudonymous and outside the banking controls that would normally stop a payment to a sanctioned counterparty, with operational routing detail that can change a ship's risk profile in minutes.
  • Consequences compound fast:
    • Safety: Deviating from established traffic separation schemes (TSS) or recommended waypoints can put a ship into the path of military patrols or place it within territorial seas where a coastal state claims jurisdiction.
    • Legal: Paying a “toll” to a sanctioned actor can violate sanctions laws (e.g., OFAC/EU/UK), even if the payment was coerced.
    • Insurance: Unauthorized deviations or unlawful payments can prejudice P&I and war‑risk cover.

Who this is for

  • Shipowners, technical managers, and Designated Persons Ashore (DPA)
  • Masters, officers of the watch (OOW), CSOs/SSOs
  • Charterers, cargo interests, brokers
  • P&I clubs, war‑risk underwriters, brokers, and claims handlers
  • Port agents, flag states, and classification societies
  • Messaging platforms, domain registrars, and crypto exchanges/VASPs

How the scam works (anatomy of the play)

  1. Targeting and timing

    • Vessels due to enter the Gulf or Hormuz corridor are identified via public AIS, fixtures reports, port agent chatter, and open-source schedules.
    • Attackers time messages for pre‑transit windows or watch changes, when decision fatigue is highest.
  2. Impersonation vectors

    • Spoofed emails and lookalike domains (e.g., swapping a Latin letter for a Cyrillic look‑alike such as Cyrillic "о" for Latin "o", or a digit 0 for the letter o) purporting to be from recognized maritime security entities.
    • Messaging apps (WhatsApp/Telegram/Signal) using profile photos and group names that mirror naval coordination cells or regional authorities.
    • Fake PDFs mirroring Notice to Mariners templates with doctored seals and routing charts.
  3. Operational lure

    • “Urgent” routing instructions: new waypoints, corridors, or “temporary security lanes,” sometimes including lat/long and ECDIS screenshots to appear authoritative.
    • Claimed coordination with coast guards or “regional security committees,” plus threat of inspection or detention if ignored.
  4. Payment rail

    • Crypto wallet addresses (often on high‑liquidity chains), QR codes, and one‑time “reference tokens.” The pitch: pay a modest sum for guaranteed deconfliction.
    • Short deadlines (“pay within 120 minutes”); claimed penalties for delay.
  5. Reinforcement

    • Follow‑up calls or voice notes using synthetic speech to mimic English‑speaking liaison officers.
    • AIS or chart overlays shared as images that depict a false “clear corridor.”
  6. The harm

    • Operational deviation brings the ship closer to territorial seas or areas of active patrolling.
    • Paying can constitute a sanctions breach and incentivize more targeting.
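The lookalike-domain trick in step 2 can be caught mechanically before a watchkeeper has to judge it by eye. The following Go program is an added example, not code from the original article or from any of the organisations it names: it checks a sender domain against an allowlist of the kind recommended under "Communications hygiene", flags non-ASCII characters, folds common Cyrillic and Greek homoglyphs back to Latin to expose impersonation, catches typo-squats within two edits, and catches the genuine domain being reused as a leading label of an attacker's domain. The allowlisted domains and the confusables table are placeholders; a production version would load the real rosters from the SMS and use the full Unicode confusables data.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Allowlisted sender domains. Placeholders for illustration, not real contact
// details: take the real list from the company SMS and the published rosters
// of UKMTO, IMSC/CMF and the flag state.
var officialDomains = []string{"ukmto.example", "imsc.example", "flagstate.example"}

// A small table of non-Latin letters that render like Latin ones.
// Illustrative subset (assumption); Unicode's confusables.txt is far larger.
var confusables = map[rune]rune{
	'\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c', // Cyrillic а е о р с
	'\u0445': 'x', '\u0443': 'y', '\u0456': 'i', '\u0458': 'j', '\u0455': 's', // Cyrillic х у і ј ѕ
	'\u03b1': 'a', '\u03bf': 'o', '\u03bd': 'v', // Greek α ο ν
}

// foldConfusables rewrites lookalike letters to their Latin twins so that a
// homoglyph domain collapses onto the domain it imitates.
func foldConfusables(s string) string {
	var b strings.Builder
	for _, r := range s {
		if latin, ok := confusables[r]; ok {
			r = latin
		}
		b.WriteRune(r)
	}
	return b.String()
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the rune-wise edit distance; it catches typo-squats such as
// a digit 0 standing in for the letter o.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// CheckSenderDomain returns the red flags a sender domain raises against the
// allowlist. A nil result means an exact, allowlisted match; anything else is
// unverified and the message must be confirmed out of band.
func CheckSenderDomain(domain string, allowlist []string) []string {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	for _, ok := range allowlist {
		if d == ok {
			return nil
		}
	}
	var flags []string
	for _, r := range d {
		if r > unicode.MaxASCII {
			flags = append(flags, fmt.Sprintf("non-ASCII character %q (U+%04X)", r, r))
			break
		}
	}
	folded := foldConfusables(d)
	for _, ok := range allowlist {
		switch {
		case folded == ok: // identical once lookalike letters are folded
			flags = append(flags, "homoglyph of "+ok)
		case strings.HasPrefix(d, ok+"."): // ukmto.example.attacker.net
			flags = append(flags, ok+" used as a label of a different domain")
		default:
			if dist := levenshtein(folded, ok); dist <= 2 {
				flags = append(flags, fmt.Sprintf("%d edit(s) from %s", dist, ok))
			}
		}
	}
	if len(flags) == 0 {
		flags = append(flags, "not on the allowlist")
	}
	return flags
}

func main() {
	for _, d := range []string{"ukmto.example", "ukmt\u043e.example", "ukmt0.example", "ukmto.example.attacker.net", "agent-mail.example"} {
		fmt.Printf("%-28s %v\n", d, CheckSenderDomain(d, officialDomains))
	}
}
```

An exact match is the only outcome that should clear a message; every other result, including "not on the allowlist", is a reason to verify by phone or radio rather than reply.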

Immediate actions for ships and operators

If you receive any “safe passage” demand or routing change from a non‑routine source:

  • Do not pay and do not alter course on the basis of that message.
  • Elevate the threat condition under your Ship Security Plan (SSP) and company security procedures. Log the incident in the ship's security log and notify your Company Security Officer (CSO).
  • Verify through official channels:
    • United Kingdom Maritime Trade Operations (UKMTO) via your standing contact details
    • International Maritime Security Construct (IMSC) or Combined Maritime Forces (CMF) watch centers
    • Flag State ops center and your P&I hotline
  • Cross‑check routing with the established TSS, Admiralty charts, NAVAREA warnings, and your pre‑pilotage plan.
  • Preserve evidence: headers, attachments, wallet addresses, call recordings, and screenshots. Do not interact with links.
  • Report the wallet addresses to your flag state, insurer, and relevant financial intelligence unit (FIU). If your company uses a blockchain analytics vendor, request immediate screening and tagging.

The policy backdrop you should know

  • IMO cyber obligations: Resolution MSC.428(98) affirms that an approved Safety Management System (SMS) should address cyber risk under the ISM Code, with compliance expected no later than the first annual verification of the company's Document of Compliance after 1 January 2021. The IMO Guidelines on Maritime Cyber Risk Management (MSC‑FAL.1/Circ.3, as revised) list social engineering among the threats to assess and call for procedures to verify instructions, so this event is squarely in scope.
  • Sanctions compliance: Paying an entity reasonably believed to be linked to a sanctioned organization can trigger strict‑liability exposure under OFAC (US), as well as EU/UK regimes. Maritime‑specific advisories on deceptive practices (US interagency, 2023) warn against payments that facilitate illicit routing.
  • FATF and VASPs: Crypto exchanges are obligated under FATF standards (Recommendation 15) to manage sanctions and AML risk. Tagged addresses linked to maritime extortion can and should be blocked or frozen by compliant exchanges.
  • Platform accountability: Messaging platforms and registrars operate abuse processes. Rapid takedown of spoofed groups and lookalike domains reduces downstream harm, but these require precise, well‑documented reports from victims.

Operational guidance for the Strait of Hormuz (context and best practice)

  • Geography and choke point dynamics

    • The Strait is narrow, with well‑known TSS and inshore traffic zones adjacent to territorial seas. Small deviations can cross jurisdiction lines.
    • State patrols, fast‑attack craft, and helicopter‑borne boarding teams are common. Compliant transit behavior and predictable routing reduce boarding risk.
  • Standard reporting and escorts

    • Register voluntary reporting with UKMTO prior to Gulf entry and maintain two‑way comms, including position updates.
    • Engage with IMSC or CMF as applicable for situational awareness. If your flag state offers liaison, ensure up‑to‑date contact rosters are on the bridge.
    • Avoid ad‑hoc “escort” offers from unverified craft or messages; only accept recognized naval escorts arranged through official channels.
  • Navigation discipline

    • Follow pre‑agreed voyage plans reviewed by the Master and company. Ensure ECDIS safety contours and alarms are active and not silenced for convenience.
    • Maintain AIS as per regulatory requirements; do not manipulate AIS to create false tracks.
    • Keep a robust bridge team: extra lookouts during choke point transits; GMDSS operator monitoring.
  • Communications hygiene

    • Use the company’s allowlisted email addresses for maritime security communications. Publish those allowlists in your SMS so the bridge knows which senders are valid.
    • Treat any message requesting payment or demanding confidential voyage details as a security incident.

Insurance and charter party implications

  • Coverage pitfalls

    • P&I: Extortion payments to sanctioned actors can fall outside cover; even attempted payments may impair recovery if they constitute unlawful facilitation.
    • War‑risk: Deviation without owner/insurer approval, or breach of a sanctions clause or policy warranty (e.g., not to trade with sanctioned parties), can trigger reservations of rights.
  • Evidence and notification

    • Notify your P&I club and war‑risk underwriter immediately upon receipt of a suspect message. Early notification preserves options and guidance.
    • Provide full artifacts (headers, wallet addresses). Clubs can coordinate with analytics firms and law enforcement.
  • Chartering and instructions

    • Ensure charter parties reflect the owner’s right to refuse unlawful or unsafe orders, including directions arising from unverified “security” messages.
    • Pre‑fixture clauses should document reporting, routing autonomy, and sanctions compliance expectations.

Red flags: seven signs a maritime advisory is fake

  1. Payment request of any kind—no legitimate naval or maritime security center charges for passage or routing.
  2. Email domain that is one or two characters off the known domain or uses non‑Latin lookalike characters; SPF/DKIM results that do not align with the visible From: domain; an unusual Reply‑To address.
  3. Demands for rapid compliance (e.g., within hours) and threats of “detention” without citing a legal instrument or official notice number.
  4. Graphics-heavy PDFs with low‑quality seals or mixed typography; metadata showing odd author names or creation tools.
  5. Messaging app groups with recently created accounts, limited mutual contacts, or stock photos and generic titles.
  6. Conflicting waypoints relative to published TSS, NAVAREA warnings, or your approved voyage plan.
  7. Wallet addresses that change between messages, or “reference tokens” that look like random strings not tied to any official process.
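Red flag 2 can be checked from the headers preserved under "Immediate actions" without any outside lookup, provided you trust only the Authentication-Results header your own gateway stamped. The Go program below is an added example and not the article's own code: it parses two constructed messages (placeholder domains, not captured mail), ignores an Authentication-Results header whose authserv-id is not our gateway, then tests whether the SPF and DKIM domains align with the visible From: domain the way DMARC relaxed alignment does, and whether Reply-To diverts replies elsewhere. The two-label organisational-domain rule is a simplification of the Public Suffix List.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Two constructed messages for illustration (not captured mail). In the first,
// the sender passes SPF and DKIM for a domain they control, so the gateway
// records "pass" twice, but neither domain is the one shown in From:, and
// Reply-To: points somewhere else again. The second is what an aligned,
// genuine message from the same placeholder domain looks like.
const spoofedMessage = `Authentication-Results: mx.company.example;
  spf=pass smtp.mailfrom=bounce.bulk-sender.example;
  dkim=pass header.d=bulk-sender.example
From: "UKMTO Watch" <watch@ukmto.example>
Reply-To: liaison-desk@webmail-provider.example
To: master@vessel.example
Subject: URGENT: temporary security lane, reference token required

Pay within 120 minutes to receive the deconfliction waypoints.
`

const alignedMessage = `Authentication-Results: mx.company.example;
  spf=pass smtp.mailfrom=ukmto.example;
  dkim=pass header.d=ukmto.example
From: "UKMTO Watch" <watch@ukmto.example>
To: master@vessel.example
Subject: Voluntary reporting acknowledgement

Report received, continue with your agreed voyage plan.
`

var (
	spfRe  = regexp.MustCompile(`spf=(\w+)(?:[^;]*?smtp\.mailfrom=([^;\s]+))?`)
	dkimRe = regexp.MustCompile(`dkim=(\w+)(?:[^;]*?header\.d=([^;\s]+))?`)
)

// Verdict is what the triage produces; Flags is the human-readable summary.
type Verdict struct {
	GatewayStamped          bool // header was added by our own gateway, not carried in by the sender
	SPFAligned, DKIMAligned bool
	Flags                   []string
}

// domainOf strips the local part from an address, or returns a bare domain unchanged.
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		addr = addr[i+1:]
	}
	return strings.ToLower(strings.Trim(addr, "<>"))
}

// orgDomain reduces a domain to its last two labels. Assumption for the
// example: real DMARC relaxed alignment uses the Public Suffix List.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// CheckAlignment trusts Authentication-Results only when its authserv-id is
// our gateway, then checks that the SPF and DKIM domains align with the
// visible From: domain and that Reply-To: does not divert the conversation.
func CheckAlignment(raw, trustedGateway string) (Verdict, error) {
	var v Verdict
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return v, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return v, err
	}
	fromOrg := orgDomain(domainOf(from.Address))

	ar := msg.Header.Get("Authentication-Results")
	authserv := strings.TrimSpace(strings.SplitN(ar, ";", 2)[0])
	v.GatewayStamped = authserv == trustedGateway
	if !v.GatewayStamped {
		v.Flags = append(v.Flags, "Authentication-Results not stamped by "+trustedGateway+"; results untrusted")
		return v, nil
	}
	if m := spfRe.FindStringSubmatch(ar); m != nil {
		v.SPFAligned = m[1] == "pass" && m[2] != "" && orgDomain(domainOf(m[2])) == fromOrg
	}
	if m := dkimRe.FindStringSubmatch(ar); m != nil {
		v.DKIMAligned = m[1] == "pass" && m[2] != "" && orgDomain(m[2]) == fromOrg
	}
	if !v.SPFAligned && !v.DKIMAligned {
		v.Flags = append(v.Flags, "neither SPF nor DKIM aligns with From: domain "+fromOrg)
	}
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if a, err := mail.ParseAddress(rt); err == nil && orgDomain(domainOf(a.Address)) != fromOrg {
			v.Flags = append(v.Flags, "Reply-To diverts to "+domainOf(a.Address))
		}
	}
	return v, nil
}

func main() {
	for _, raw := range []string{spoofedMessage, alignedMessage} {
		v, err := CheckAlignment(raw, "mx.company.example")
		if err != nil {
			panic(err)
		}
		fmt.Printf("spf aligned=%t dkim aligned=%t flags=%v\n", v.SPFAligned, v.DKIMAligned, v.Flags)
	}
}
```

The spoofed message shows why "spf=pass" and "dkim=pass" on their own prove nothing: the attacker passes both for a domain they control, and it is the alignment with the From: domain that fails.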

A practical playbook: 72‑hour response and hardening

  • Within 24 hours

    • Circulate a fleet bulletin: “No payments for passage; verify all routing changes via UKMTO/IMSC/flag state.”
    • Update the bridge noticeboard with verified phone numbers and radio circuits for regional security centers.
    • Configure email security: publish SPF, DKIM, and a DMARC policy of p=reject for your own domains, enforce DMARC evaluation on inbound mail at the gateway, block lookalike domains, and enable banners for external senders.
  • Within 48 hours

    • Run a tabletop drill (Master, CSO, DPA) for a spoofed routing message scenario. Validate escalation and decision authority.
    • Confirm with P&I/war‑risk contacts the incident reporting pathway, including out‑of‑hours numbers.
    • Set up a blockchain alert with your vendor to flag any inbound reports of maritime‑linked extortion addresses.
  • Within 72 hours

    • Amend the SMS/SSP to add a verification checklist for unsolicited routing or fee demands.
    • Deploy a company‑wide advisory to agents and port captains instructing them not to forward “security corridors” or “escort offers” unless verified via official channels.
    • Engage your ECDIS provider to ensure the latest T&P notices, NAVAREA warnings, and chart updates are loaded from their official channels (NAVTEX/SafetyNET for warnings, S‑63‑authenticated ENC updates for charts), never from files received by email or messaging app.

Platform and policy fixes: what industry and regulators can do

  • Sign the message: Create a public‑key infrastructure for maritime security advisories. UKMTO/IMSC/flag states should digitally sign notices; ECDIS and email clients can verify signatures automatically.
  • Publish a global registry of authoritative security‑advisory domains and keys via IMO or IHO, with DNSSEC and DANE to reduce spoofing.
  • Rapid crypto takedown: VASPs should blocklist wallet addresses reported by maritime security centers and underwriters; analytics vendors should maintain a “maritime extortion” label set.
  • Abuse reporting lanes: Messaging platforms and registrars should fast‑track maritime-security impersonation reports with SLAs measured in hours, not days.
  • Insurance incentives: Offer premium credits or deductibles relief for operators implementing signed‑advisory verification and crew training on social engineering.
  • Sanctions clarity: Regulators should reiterate that paying “tolls” to purported state-linked actors is sanctionable and provide safe-harbor guidance for rapid incident reporting without penalty for attempted—but not completed—payments.
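The "sign the message" proposal is a small amount of cryptography on top of a registry of keys. The Go program below is an added example written for this page, not code from UKMTO, IMSC, the IMO or any ECDIS vendor: it signs a minimal advisory record with Ed25519, verifies it against an in-memory registry standing in for the DNSSEC/DANE-published one, and shows the three failures that matter at the bridge: a routing line altered after signing, an advisory signed with a different key under the real key ID, and an issuer nobody registered. Field names, key identifiers and serial formats are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Advisory is the payload a centre would sign. Field names, the key ID scheme
// and the serial format are assumptions for this example.
type Advisory struct {
	Issuer  string // key identifier, e.g. the hypothetical "UKMTO-ADV-2026-01"
	Serial  string // advisory number the bridge can quote back over the phone
	Issued  string // RFC 3339 timestamp
	Routing string // the operative instruction, verbatim
}

// canonical serialises the advisory deterministically so issuer and verifier
// sign and check exactly the same bytes; any field change breaks the signature.
func (a Advisory) canonical() []byte {
	return []byte(strings.Join([]string{a.Issuer, a.Serial, a.Issued, a.Routing}, "\n"))
}

// Sign produces a detached, base64-encoded Ed25519 signature. Only the issuing
// centre holds priv.
func Sign(priv ed25519.PrivateKey, a Advisory) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, a.canonical()))
}

// Registry maps issuer key IDs to public keys. In the proposal this is the
// IMO/IHO-published registry delivered over DNSSEC/DANE; here it is in memory,
// standing in for keys pinned in the ECDIS or mail gateway.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownIssuer = errors.New("issuer not in registry")
	ErrBadSignature  = errors.New("signature does not verify")
)

// Verify rejects advisories from unregistered issuers and any advisory whose
// bytes do not match the signature under the registered key.
func Verify(reg Registry, a Advisory, sigB64 string) error {
	pub, ok := reg[a.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, a.canonical(), sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo walks through the cases a bridge would meet and returns the verdicts
// so they can be checked rather than only printed.
func Demo() (genuine, tampered, forged, impostor error) {
	centrePub, centrePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{"UKMTO-ADV-2026-01": centrePub}

	// 1. Genuine: signed by the registered centre key.
	adv := Advisory{
		Issuer:  "UKMTO-ADV-2026-01",
		Serial:  "ADV-0412",
		Issued:  "2026-04-22T06:00:00Z",
		Routing: "Follow the published TSS; no change to your agreed voyage plan.",
	}
	sig := Sign(centrePriv, adv)
	genuine = Verify(reg, adv, sig)

	// 2. Tampered: the routing line is altered in transit, signature unchanged.
	altered := adv
	altered.Routing = "Proceed via temporary security lane; waypoints attached."
	tampered = Verify(reg, altered, sig)

	// 3. Forged: someone with their own key signs under the centre's key ID.
	_, fakePriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = Verify(reg, altered, Sign(fakePriv, altered))

	// 4. Impostor: a key ID that was never registered.
	fake := altered
	fake.Issuer = "REGIONAL-SECURITY-COMMITTEE"
	impostor = Verify(reg, fake, Sign(fakePriv, fake))
	return genuine, tampered, forged, impostor
}

func main() {
	g, tm, f, i := Demo()
	fmt.Println("genuine:", g, "| tampered:", tm, "| forged:", f, "| impostor:", i)
}
```

Because the registry lookup is by issuer ID and the signature covers every field, an attacker who cannot obtain the centre's private key cannot produce an advisory that verifies, whatever seals or screenshots the PDF carries; the remaining operational problem is distributing and pinning the public keys, which is what the registry and DNSSEC/DANE point is about.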

Key takeaways

  • Do not pay or comply with unsolicited “safe passage” demands—verify via UKMTO/IMSC/flag state and your insurer before acting.
  • Treat any payment request as a security incident. Maintain evidence, escalate quickly, and preserve cover by notifying insurers early.
  • Harden the bridge: allowlist official contacts, enforce email authentication, and add a verification checklist to your SMS.
  • Push platforms and regulators for signed advisories and rapid takedown of impersonation infrastructure.

FAQ

Q: Is paying a “safe passage” crypto fee ever legal?
A: It can violate sanctions if the counterparty is linked to a designated actor. Even when legality is uncertain, insurers may decline cover. Consult counsel and your P&I before any action; the standing guidance is: do not pay.

Q: Could an official security center ask for routing changes by email or app?
A: Centers can issue routing guidance, but they do not request payments. Always verify routing advice via published phone numbers/radio circuits and cross‑check against NAVAREA warnings and TSS.

Q: What if the message includes precise military waypoints or claims deconfliction with patrols?
A: Specificity does not equal authenticity. Unverified instructions can increase risk. Verify independently with recognized centers; do not rely on the message alone.

Q: Will insurance cover losses if my crew pays under duress?
A: Payment to sanctioned entities and unauthorized deviations can jeopardize cover. Immediate notification and documentation improve outcomes, but prevention and verification are critical.

Q: How should we report the wallet address?
A: Include it in your incident report to your flag state, insurer, and local FIU. If you have a relationship with a blockchain analytics provider, request tagging and dissemination to major exchanges.

Q: Should we switch off AIS to avoid being tracked?
A: AIS must be used in accordance with SOLAS Chapter V, Regulation 19, which requires it to be kept in operation; IMO guidance allows the master to switch it off only where continued operation would compromise the safety or security of the ship, and the decision and its reasons must be recorded in the logbook. Turning it off can raise suspicion with patrols and reduces your own situational awareness. Follow flag‑state and security‑center guidance and your risk assessment.

Source & original reading: https://arstechnica.com/security/2026/04/crypto-scam-lures-ships-into-strait-of-hormuz-falsely-promising-safe-passage/