Event 1091

processed admin_quick Updated 2025-11-29T08:16:11.592473+00:00

Edit Previous Next

Status: processed Confidence: Category: Country: Attack Type: Where: Source: admin_quick URL: https://christian.panton.org/posts/spoofing-beyond-the-baltic/ 🔗 Archive: Archive failed (1 attempt)

🕐 Event Time: 2025-06-14T20:00:00Z

➕ Created: 2025-11-29T08:10:31.442907+00:00

✏️ Updated: 2025-11-29T08:16:11.592473+00:00

Checking requirements...

Description and Notes

Between June 13th and 15th, 2025, a significant surge in GNSS spoofing activity was detected across the Baltic Sea and extended into the Kattegat region near Denmark. This disruption affected maritime navigation, causing ships to report erratic AIS positions with errors up to 2.5 km from their true location. Authorities issued multiple advisories to mariners. Distinct spoofing systems, likely operating from Russian naval vessels, were observed transmitting spoofed GNSS signals limited by line-of-sight range (~20-30 nautical miles). The spoofing manifested in characteristic AIS patterns called 'TOREC' triangles, involving hopping spoofed position nodes with scripted sub-patterns, indicating use of commercial off-the-shelf GNSS spoofers such as the Crown JS1-7. The spoofing zones intermittently shift positions, with multiple systems operating simultaneously at sea level. This represents a concerning escalation of electronic warfare tactics extending beyond the Baltic Sea into key navigational chokepoints like the Kattegat and Øresund Strait.

Notes: This event reveals a sophisticated and escalating use of GNSS spoofing as a maritime electronic warfare tool, impacting both navigation and situational awareness in strategically vital waterways around the Baltic and Nordic regions. The use of commercial-off-the-shelf spoofers adapted for naval deployment suggests a scalable tactical measure possibly intended to disrupt NATO and allied maritime operations. Continued monitoring of AIS data, geofencing of spoofing nodes, and cross-verification with aviation GNSS disturbance reports is recommended to track operational patterns and attribution. The extension of spoofing beyond the Baltic Sea into the Kattegat is especially critical, given the area's importance for maritime traffic into the Baltic.

Evidence

Media

Screenshot

Screenshot capture

View →

Screenshot Count: 1.0

Location

Location: Baltic Sea and Kattegat near Denmark

Follow-up / Investigation

Country	Status	Link	Notes
Denmark	Investigation	—	—
Russia	Official Statement	—	—

Processed Payload

{
  "attack_type": "Electronic Warfare",
  "category": "EW",
  "confidence": "High",
  "country": "Denmark",
  "description": "Between June 13th and 15th, 2025, a significant surge in GNSS spoofing activity was detected across the Baltic Sea and extended into the Kattegat region near Denmark. This disruption affected maritime navigation, causing ships to report erratic AIS positions with errors up to 2.5 km from their true location. Authorities issued multiple advisories to mariners. Distinct spoofing systems, likely operating from Russian naval vessels, were observed transmitting spoofed GNSS signals limited by line-of-sight range (~20-30 nautical miles). The spoofing manifested in characteristic AIS patterns called 'TOREC' triangles, involving hopping spoofed position nodes with scripted sub-patterns, indicating use of commercial off-the-shelf GNSS spoofers such as the Crown JS1-7. The spoofing zones intermittently shift positions, with multiple systems operating simultaneously at sea level. This represents a concerning escalation of electronic warfare tactics extending beyond the Baltic Sea into key navigational chokepoints like the Kattegat and Øresund Strait.",
  "event_time_utc": "2025-06-14T20:00:00Z",
  "evidence": [
    "Between June 13th and 15th, 2025, the intensity of GNSS spoofing in the Baltic — and, as we’ll see, the Kattegat — surged dramatically. This uptick didn’t go unnoticed: authorities issued alerts and advisories to mariners across the region.",
    "The disruption is visible on monitoring platforms like gpsjam.org, though that site is increasingly saturated.",
    "AIS telemetry reveals erratic, jagged AIS trails from vessels caught in spoofed zones — a hallmark called ‘TOREC’ patterns.",
    "Some characteristics are present in many commercial off-the-shelf GNSS spoofing systems, such as the Crown JS1-7.",
    "GNSS reporting for vessel ANTRACYTH showed positions more than 2.5 km from actual location with only 2 NM to shore.",
    "Spoofing extended beyond the Baltic Sea into the Kattegat, with ships like BORE WAY, NUSA MERDEKA, and SIREN affected near Øresund and Kattegat.",
    "The spoofing zones move and are likely centered on Russian naval vessels broadcasting the spoofed signals.",
    "Spoofing is constrained by line-of-sight transmission — approximately 20 to 30 nautical miles.",
    "Distinct spoofing systems use near-identical but spatially shifted spoofing patterns identified by AIS heatmaps and node transition probabilities."
  ],
  "extra": {
    "extra": {
      "extra": {
        "category_raw": "Electronic Warfare",
        "evidence": [
          "Between June 13th and 15th, 2025, the intensity of GNSS spoofing in the Baltic — and, as we’ll see, the Kattegat — surged dramatically. This uptick didn’t go unnoticed: authorities issued alerts and advisories to mariners across the region.",
          "The disruption is visible on monitoring platforms like gpsjam.org, though that site is increasingly saturated.",
          "AIS telemetry reveals erratic, jagged AIS trails from vessels caught in spoofed zones — a hallmark called ‘TOREC’ patterns.",
          "Some characteristics are present in many commercial off-the-shelf GNSS spoofing systems, such as the Crown JS1-7.",
          "GNSS reporting for vessel ANTRACYTH showed positions more than 2.5 km from actual location with only 2 NM to shore.",
          "Spoofing extended beyond the Baltic Sea into the Kattegat, with ships like BORE WAY, NUSA MERDEKA, and SIREN affected near Øresund and Kattegat.",
          "The spoofing zones move and are likely centered on Russian naval vessels broadcasting the spoofed signals.",
          "Spoofing is constrained by line-of-sight transmission — approximately 20 to 30 nautical miles.",
          "Distinct spoofing systems use near-identical but spatially shifted spoofing patterns identified by AIS heatmaps and node transition probabilities."
        ]
      }
    }
  },
  "follow_up_by_country": [
    {
      "country": "Denmark",
      "status": "Investigation"
    },
    {
      "country": "Russia",
      "status": "Official Statement"
    }
  ],
  "location_text": "Baltic Sea and Kattegat near Denmark",
  "media_assets": [
    {
      "description": "Screenshot capture",
      "type": "screenshot",
      "url": "/media/event_1091_1764404151_10210fc2.jpg"
    }
  ],
  "notes": "This event reveals a sophisticated and escalating use of GNSS spoofing as a maritime electronic warfare tool, impacting both navigation and situational awareness in strategically vital waterways around the Baltic and Nordic regions. The use of commercial-off-the-shelf spoofers adapted for naval deployment suggests a scalable tactical measure possibly intended to disrupt NATO and allied maritime operations. Continued monitoring of AIS data, geofencing of spoofing nodes, and cross-verification with aviation GNSS disturbance reports is recommended to track operational patterns and attribution. The extension of spoofing beyond the Baltic Sea into the Kattegat is especially critical, given the area's importance for maritime traffic into the Baltic.",
  "schema_version": "v1",
  "screenshot_count": 1.0,
  "url": "https://christian.panton.org/posts/spoofing-beyond-the-baltic/",
  "where": "Sea"
}

Raw Payload

{
  "source": "admin_quick",
  "tags": [],
  "url": "https://christian.panton.org/posts/spoofing-beyond-the-baltic/"
}

Review & Decision

Payload History

Loading history...

Actor:
Action:
Created:

Re-enrichment

Re-enrich

Enrichment-only: keeps existing processed data, screenshots, and media. Re-runs only the enrichment step (AI extraction) without refetching the source or regenerating screenshots. Use this if enrichment failed or you need updated AI-extracted data.

Destructive Actions

Reprocess

Full rebuild: discards processed data, refetches source, regenerates screenshots/media, and re-enriches. Reset to pending and rerun the full pipeline from the raw payload. This will discard the current processed data, refetch the source, regenerate screenshots/media, and re-enrich from scratch. Use this if processing failed or you need a full rebuild.

Delete Event

⚠️ Warning: This permanently removes the event and its history. This action cannot be undone.