Between June 13th and 15th, 2025, the intensity of GNSS spoofing in the Baltic — and, as we’ll see, the Kattegat — surged dramatically. This uptick didn’t go unnoticed: authorities issued alerts and advisories to mariners across the region.

The disruption is visible on monitoring platforms like gpsjam.org, though that site is increasingly saturated. Its detection is based on ADS-B reports from aircraft experiencing degraded navigational accuracy — a method that, while useful, has limitations.

GNSS disturbances detected from aircraft reporting of GNSS navigation health

GNSS disturbances detected from aircraft reporting of GNSS navigation health. Screenshot: gpsjam.org.

Detecting Spoofing at Sea Level

Aircraft are especially sensitive to GNSS anomalies — but spoofing impacts more than just airspace. At ground and sea level, spoofed signals are physically constrained by the Earth’s curvature. Because GNSS (e.g., GPS L1 band at 1575.42 MHz) relies on line-of-sight transmission, the theoretical maximum range for spoofing is comparable to VHF radio — around 20–30 nautical miles. Practical range depends on transmit power, antenna height, and environmental conditions.

Line-of-sight becomes a physically limiting factor for ship-borne GNSS spoofers

Line-of-sight becomes a physically limiting factor for ship-borne GNSS spoofers

Because both ships and aircraft broadcast position data via AIS and ADS-B respectively, we can use AIS telemetry to triangulate spoofing events occurring at sea level.

While examining spoofing signatures, I noticed erratic, jagged AIS trails from vessels caught in spoofed zones — a hallmark described in community analyses. These strange tracks, often observed in Russia and near the Ukrainian front, are collectively referred to as ‘TOREC’ patterns by GNSS spoofing connoisseurs.

AIS positions reported from ANNEGRET (MMSI: 211463020)

AIS positions reported from ANNEGRET (MMSI: 211463020). Screenshot: MarineTraffic

One of the most common spoofing footprints — the TOREC triangle — can be broken down further:

TOREC Triangle Hopping Pattern

TOREC Triangle Hopping Pattern

Spoofed locations hop between red and gray nodes, typically centered on the red point, but rotated randomly. Each node contains a distinct microstructure — sub-patterns such as loops or figure-eights.

Detailed hopping pattern with sub-patterns

Detailed hopping pattern with sub-patterns

These sub-patterns are likely scripted. Notably, the red node features a circular swoop, ending in a south-north line, while the gray nodes share a similar internal motion, but ending in a east-west line. Although AIS data doesn’t provide altitude, it’s plausible that spoofers simulate an elevation ramp (designed to force drones to land).

Some of these characteristics are present in many commercial off-the-shelf GNSS spoofing systems, such as the Crown JS1-7. These systems support external power amplification and can be fitted with directional antennas, extending their operational range considerably.

Software interface of the Crown JS1-7 GNSS spoofer. Feature commonly available for COTS systems include 'drive away' and 'force land', which the sub-patterns seem to support.

Software interface of the Crown JS1-7 GNSS spoofer. Features commonly available for COTS systems include ‘drive away’ and ‘force land’, which the sub-patterns seem to support.

Most COTS GNSS spoofers can also be coupled with drone detectors, such that the navigation interference is limited during a drone incursion event.

Spoofing Reaches the Kattegat

Using AIS heatmaps from Kaliningrad, I defined geofences around all identifiable TOREC nodes. I then queried platforms like web.ais.dk, aprs.fi, aisstream.io, and marinetraffic.com for vessels passing through these zones.

This technique reliably flagged ships affected by spoofing and revealed a concerning trend: GNSS spoofing is now extending beyond the Baltic, into the Kattegat.

The following figures show examples from June 14th, between 20:00 and midnight UTC:

Spoofing of BORE WAY (IMO: 9892884) at the entrance to Øresund

Spoofing of BORE WAY (IMO: 9892884) at the entrance to Øresund. Data: web.ais.dk

Spoofing of NUSA MERDEKA (IMO: 9249178) at the entrance to Øresund

Spoofing of NUSA MERDEKA (IMO: 9249178) at the entrance to Øresund. Data: web.ais.dk

Spoofing of SIREN (IMO: 9405423) in the middle of Kattegat

Spoofing of SIREN (IMO: 9405423) in the middle of Kattegat. Data: web.ais.dk

Spoofing of ANTRACYTH (IMO: 9988279)

Spoofing of ANTRACYTH (IMO: 9988279), causing both jumps to the TOREC nodes and having significant impact on navigational accuracy (with GNSS reporting a position more than 2.5 km from the actual location) - with only 2 NM to shore. Data: web.ais.dk

Identifying Distinct Spoofing Systems

Given the repeated use of near-identical, but spatially shifted spoofing patterns, I propose that these are distinct systems — possibly different units of the same spoofing hardware, configured with slight variations. Treating each unique pattern as a system allows us to visualize them using color-coded IDs.

Each hopping pattern is mapped to a color-coded system-ID. Nodes shared by multiple systems are marked with an X, indicating weaker attribution.

Each hopping pattern is mapped to a color-coded system-ID. Nodes shared by multiple systems are marked with an X, indicating weaker attribution.

These system IDs were manually derived using the geofencing method mentioned earlier coupled with node transition probabilities. Here’s what that looks like in practice:

Systems identified using AIS heatmaps and node transition probabilities.

Systems identified using AIS heatmaps and node transition probabilities.

Identifying Distinct Spoofing Systems

Assuming each system operates within a spoofing zone limited by line-of-sight, we can detect when a ship enters or exits that zone—revealed by jumps between spoofed and actual AIS positions.

Tracking ship locations just before spoofing helps localize spoofers by system. Ships path is the black solid line.

Tracking ship locations just before spoofing helps localize spoofers by system. Ships path is the black solid line.

This method distinguishes at least two primary systems (yellow/green vs. blue/red). Spoofing noise around Kaliningrad should mostly be ignored due to data ambiguity beyond the geofence.

As validation, the full-day spoofing map on June 14th matches large-scale disruptions seen on gpsjam.org — but with added system-level resolution.

Spoofing for the entire day of June 14th, 2025. Colors represent systems. Data: aisstream.io, web.ais.dk, et. al.

Spoofing for the entire day of June 14th, 2025. Data: aisstream.io, web.ais.dk, et. al.

Zooming into one-hour time slots reveals that spoofing zones are not continuous — they move. My annotations (shown as large colored circles) are approximate, but each likely encloses a Russian naval vessel broadcasting the spoofed signals.

Spoofing for one hour of June 15th, 2025. Colors represent systems. Large circles are my manual annotations. Data: aisstream.io, web.ais.dk, et. al.

Spoofing for one hour of June 15th, 2025. Colors represent systems. Large circles are my manual annotations. Data: aisstream.io, web.ais.dk, et. al.