Greek owner Altomare was target of Iranian hackers, tanker identity theft
- Documents published by WikiIran from an Iranian military-affiliated firm and vessel-tracking data suggest that the identity of a tanker owned by Altomare was hijacked by a sanctioned tanker that loaded in Iran
- The Altomare tanker, Kallista, was designated days after the documents were published
- Other documents from an IRGC-affiliated hacking group reveal that Altomare itself was targeted by the hackers
- Altomare said the identity theft scheme led to an ‘erroneous’ targeting by Ofac, and has petitioned for reconsideration
Separate sets of documents indicate that recently sanctioned Greek shipowner Altomare was the target of cyber attacks from Iranian hackers, while its ship, Kallista, was the subject of a complex, nascent form of maritime identity theft by a US-sanctioned, Iran-trading tanker.
RECENTLY sanctioned Greek shipowner Altomare was the target of both a complex vessel identity theft scheme by a blacklisted tanker and cyberattacks from hackers affiliated with Iran’s Islamic Revolutionary Guard Corps, an analysis of documents published by Iranian dissident website WikiIran, satellite imagery and vessel-tracking data showed.
The elaborate scam to hijack the identity of the Altomare-operated Kallista (IMO: 9411965) encompassed the full gamut of identity fraud, from impersonating the tanker over Automatic Identification System messages to forging registry certificates and other shipping documents, illustrating the increasing sophistication of this sanctions-evasion tactic.
The scam may have also inadvertently contributed to the US potentially misidentifying Kallista and accusing the very large crude carrier of shipping 4m barrels of Iranian oil in early 2025.
Kallista’s name and International Maritime Organization number were peppered on shipping documents found in a cache of emails published on WikiIran from Shahid Abolfathi Oil Command, a little-known entity affiliated with Iran’s Armed Forces General Staff oil trading unit Sepehr Energy Jahan.
The documents, which placed the vessel in Iran on several occasions, were leaked just days before the US sanctioned Altomare and Kallista on November 20 and were published by WikiIran several days later.
But a review of the materials, verified by our analysis of satellite imagery and AIS data, suggests that it was another tanker — the US-sanctioned VLCC Limas (IMO: 9254082) — that lifted Iranian oil during that period while hijacking Kallista’s identity.
Lloyd’s List Intelligence vessel-tracking data shows that from at least December 2024 through to February 2025, two vessels were simultaneously broadcasting Kallista’s unique IMO and Maritime Mobile Service Identity numbers. Meanwhile, satellite imagery shows Limas lifting and transferring Iranian cargoes on dates that match timelines from the leaked shipping documents that purportedly bear Kallista’s details.
The findings demonstrate how maritime identity theft frauds are becoming increasingly complex as Western regulators’ blacklists continue to swell, creating a need for more “clean” identities to facilitate deliveries of sanctioned oil.
Lloyd’s List has previously reported how identities of dead and even fictional vessels are being used to circumvent sanctions, but the documents and AIS data chronicling the theft of Kallista’s identity provide a unique window to the relatively nascent practice of impersonating actively trading mainstream tankers, and into how these complex frauds are being perpetrated.
“What’s most alarming isn’t just that tanker identity theft exists — it’s how rapidly it’s evolving,” said Claire Jungman, director of maritime risk and intelligence at Vortexa.
“These schemes are becoming more sophisticated, more coordinated and far harder for the market to detect in real time.”
The US Office of Foreign Assets Control does not necessarily reveal all information about its targets when announcing designations, and it was not immediately clear whether there were other factors that contributed to the designation of Altomare and Kallista beyond the allegations of the latter’s sanctions violations in early 2025.
It is unlikely — although not impossible — that Altomare’s targeting was based solely on the leaked documents, according to a former US government official.
Altomare denies any wrongdoing and said the identity theft of Kallista led to it being erroneously designated.
Matthew Thomas of Blank Rome, counsel to Altomare, stated: “We can confirm that Kallista and manager Altomare were mistakenly targeted by Ofac, and have been engaged in fully lawful and compliant trade.”
“Kallista was the victim of an extraordinary maritime identity theft, in which a dark fleet imposter vessel stole the vessel’s identity via fake AIS transmissions, documents and communications, leading to erroneous sanctions on the real Kallista. We have petitioned Ofac for reconsideration, and we appreciate the efforts that we have seen from Ofac, as well as other authorities in the US and other countries, to review this unprecedented situation urgently,” Thomas told Lloyd’s List in an emailed statement.
Ofac did not respond to an emailed request for comment.
A geotemporal improbability
The documents featured emails and papers stamped with Kallista’s IMO number but sent from “[email protected]”, indicating it was the US-sanctioned Limas that was hijacking Kallista’s identity.
Further, Lloyd’s List analysis of satellite imagery from Planet Labs and the European Space Agency places Limas in Kharg Island, Iran at least three times between December 2024 and February 2025 on dates matching timesheets and other shipping documents that were bearing Kallista’s identification.
For instance, a timesheet bearing Kallista’s IMO number and supposedly stamped by its master suggests the tanker tendered notice of readiness at Kharg Island on December 18, 2024 and was loading at the port the following day.
At the same time, AIS data essentially showed two vessels broadcasting Kallista’s MMSI and IMO numbers simultaneously, but at entirely different locations, hundreds of miles away from each other: one appeared to be spoofing its positional data off Oman — a common tactic for tankers seeking to hide loadings in Iran — while the other was sailing towards the port of Paradip, India.
Satellite imagery from December 19 shows Kallista at one of Paradip port’s single point mooring systems, where it discharged a cargo of Saudi crude.
Meanwhile, satellite imagery from December 18 shows Limas being escorted by tugs into the T jetty in Iran’s Kharg Island.
As to the January-February 2025 period, AIS data suggests that rather than lifting 4m barrels of Iranian oil, Kallista lifted a cargo from the Basrah Offshore Oil terminal around January 11, discharged it in Paradip around January 25-29, returned to the Middle East Gulf around February 8, and arrived at a drydock in Dubai six days later, where it spent the rest of the month. All these events except the January discharge in Paradip were corroborated with satellite imagery.
The imposter, Limas, meanwhile, was broadcasting manipulated locations near Oman using Kallista’s MMSI and IMO numbers throughout most of this period.
That timeline also aligns with a statement issued by Altomare and quoted by Greek outlet Kathimerini, where the company said that Kallista was “located in the port of Basrah in Iraq, engaged in loading operations with its final destination being the discharge port of Paradip, in India”, during the period it was accused by the US of shipping Iranian oil.
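The simultaneous-broadcast pattern described above, where one MMSI reports from two places hundreds of miles apart, can be checked mechanically. The following is an added example, not code from Lloyd’s List or any party named in the article: it splits each MMSI’s position reports into physically consistent tracks and flags identities that need more than one hull to explain. The MMSIs, positions, speed ceiling and tolerance are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

MAX_KNOTS = 25.0     # assumption: generous speed ceiling for a VLCC
TOLERANCE_NM = 1.0   # assumption: allowance for position jitter

# Constructed sample reports, not real AIS data: (mmsi, UTC time, lat, lon)
SAMPLE_REPORTS = [
    ("111111111", "2024-12-18T00:00:00", 19.60, 87.50),  # Bay of Bengal
    ("111111111", "2024-12-18T00:10:00", 24.50, 58.80),  # off Oman
    ("111111111", "2024-12-18T06:00:00", 19.90, 87.00),
    ("111111111", "2024-12-18T06:05:00", 24.52, 58.83),
    ("222222222", "2024-12-18T00:00:00", 22.00, 62.00),  # control vessel
    ("222222222", "2024-12-18T06:00:00", 22.30, 63.00),
]

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))

def split_into_tracks(reports, max_knots=MAX_KNOTS):
    """Group each MMSI's reports into tracks a single hull could have sailed."""
    tracks = defaultdict(list)  # mmsi -> list of tracks of (time, lat, lon)
    for mmsi, ts, lat, lon in sorted(reports, key=lambda r: r[1]):
        t = datetime.fromisoformat(ts)
        best, best_dist = None, None
        for track in tracks[mmsi]:
            t0, lat0, lon0 = track[-1]
            hours = (t - t0).total_seconds() / 3600
            dist = haversine_nm(lat0, lon0, lat, lon)
            reachable = dist <= max_knots * hours + TOLERANCE_NM
            if reachable and (best is None or dist < best_dist):
                best, best_dist = track, dist
        if best is None:  # no existing track can explain this position
            best = []
            tracks[mmsi].append(best)
        best.append((t, lat, lon))
    return dict(tracks)

def duplicated_identities(reports):
    """MMSIs whose reports cannot all come from one hull, with track count."""
    return {m: len(t) for m, t in split_into_tracks(reports).items() if len(t) > 1}

if __name__ == "__main__":
    print(duplicated_identities(SAMPLE_REPORTS))
```

A flagged MMSI shows only that two transmitters are sharing one identity; deciding which track belongs to the genuine vessel still needs independent evidence such as the satellite imagery used in this analysis.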
The documents from Shahid Abolfathi also provided a window into how registration documents were falsified in the conspiracy.
Limas appeared to have been carrying a forged provisional registry certificate from the Panama Maritime Authority. The document was originally issued to Madestar (IMO: 9289726), a tanker that was sanctioned by the US and subsequently deflagged by Panama. A QR code on the forged certificate leads to a Panama registry document for Madestar that shows the vessel has been removed from the registry.
A spokesperson for the Panama Maritime Authority confirmed that the registry certificate for Kallista found in the emails published by WikiIran was not consistent with their records.
Alarmingly, Kallista may not have been the only tanker to have its identity stolen: the names of several other Greek-owned tankers also appear in the emails, with instructions to the impersonating masters to fraudulently use their names on shipping documents.
“All documents must be signed and stamped with a fake name when the document officer is on board,” one of the emails read.
“I will share the real bl [likely referring to bill of lading] for you and sign and stamp with the real name and deliver it in full sealed envelope to the person introduced by the agent and just write on the envelope for the agent.”
At the sharp end of Iranian aggression
The Kallista conspiracy was not the only instance in which Altomare was targeted by Iranian actors.
Logs from IRGC-affiliated hacking group Charming Kitten — separate from the SEJ leaks — revealed that Altomare was targeted by the Iranian hackers.
According to analysts at maritime cybersecurity firm Cydome Security, the documents indicate that the hackers targeted Altomare’s email server and sought to establish a backdoor to its system.
“Analysis of threat intelligence regarding the Iranian-linked Advanced Persistent Threat group Charming Kitten [also known as APT35] reveals that the Greek company Altomare was identified as a specific target,” Cydome told Lloyd’s List.
“Altomare’s Exchange server was listed in the leaked ‘ProxyShell Targets’ file, indicating an intent to compromise the specific system by leveraging this critical vulnerability chain.”
The attack was designed to exploit flaws in Microsoft Exchange that “allow an unauthenticated attacker to achieve Remote Code Execution”.
“The primary objective of this RCE is to establish a persistent backdoor for cyberespionage,” explained Cydome.
It was not clear whether there was a direct connection between the cyberattacks against Altomare and the identity theft of Kallista, nor when the cyberattack took place, and whether it succeeded.
However, neither the cyberattack nor the Kallista case was the first time that Altomare or its assets were targeted.
In May 2023, the IRGC Navy hijacked Niovi (IMO: 9292498), a VLCC affiliated with Altomare.
The vessel was part of a multi-party legal dispute over a shipment of suspected Iranian crude discharged in China in November 2020, originally loaded via ship-to-ship transfer from the infamous Oman Pride, now known as LILLIAN (IMO: 9153525).
Iran’s official news agency IRNA reported at the time that the IRGC seized Niovi because of a “private complaint”, but offered no further details.
That disputed shipment was identified in a September 2023 criminal indictment by the US Department of Justice against an Omani and a Chinese national for allegedly violating US sanctions and money laundering.
According to the indictment, Oman Pride loaded about 1.8m barrels of Iranian crude around July 2020, which it transferred to Niovi later that month.
The indictment does not name or make any allegations against Altomare.
