On 18 April 2026, as a partial reopening window of the Strait of Hormuz appeared to offer a way out for hundreds of vessels stranded in the Persian Gulf, an oil tanker attempted to exit the strait believing it had authorisation to do so. Iranian units opened fire on the vessel. In radio communications, the master asked forces to cease fire, claiming to have obtained proper clearance. That clearance, according to Greek risk management firm Marisks, was false, the result of a sophisticated scam exploiting the regulatory chaos surrounding the world’s most critical energy chokepoint.
The Strait of Hormuz is an unrivalled hub in global energy trade: before the escalation in the Middle East, around one fifth of the world’s oil and liquefied natural gas passed through it. With US measures blocking Iranian ports and Iran’s counter-blockade of the strait, hundreds of vessels have been stranded on both sides, involving around 20,000 seafarers and bringing segments of the global energy supply chain to a standstill. In this context, Marisks has issued a formal alert: fraudulent messages are being sent to companies with vessels held west of Hormuz, promising safe passage in exchange for cryptocurrency payments, in bitcoin or USDT, to individuals posing as representatives of the Iranian authorities.
The mechanics of the fraud are designed to appear credible. Messages follow an apparently bureaucratic process: companies are invited to submit vessel documentation, which is then subjected to a suitability assessment by an unspecified Iranian Security Services. Only after this stage is a fee communicated, payable in cryptocurrency. Once payment is made, the vessel would receive authorisation to transit within a pre-agreed time slot, “without impediment”. Marisks is explicit in its warning: “These specific messages are a scam” and do not originate from any official Iranian channel. Behind the campaign are “unknown actors” whose identity remains entirely unclear, with no public links to known criminal groups or state entities.
What makes this fraud particularly insidious is that it mimics a real policy discussion. Tehran has floated the idea of a toll regime for transit through the strait, set at around one dollar per barrel transported. For a Very Large Crude Carrier carrying two million barrels, this would amount to roughly two million dollars per passage. The proposed payment methods - bitcoin, digital yuan and stablecoins - explicitly exclude the US dollar in an attempt to bypass sanctions and the Western financial system. This alignment between genuine and fake tolls makes the fraudulent messages difficult to detect for operators working remotely, under pressure and with limited clarity on official channels. Structure, language and even payment instruments are identical; only the recipient of the funds differs.
The consequences for those caught out are potentially threefold. Financially, payments in bitcoin or USDT to unidentified parties are effectively irrecoverable, and the amounts involved - aligned with real toll levels, in the order of millions of dollars for large tankers - are significant. Physically, victims plan transit based on instructions that are not coordinated with those actually controlling the strait, exposing crews to real danger, as the 18 April incident illustrates. From an insurance and legal perspective, cryptocurrency payments to unidentified parties could constitute breaches of international sanctions, with implications for insurance cover and operator liability.
A direct link between payment of the fake toll and the 18 April attack remains, from a journalistic verification standpoint, a hypothesis. Reuters and other agencies reporting Marisks’ alert state they have been unable to verify this independently or identify the companies that received the fraudulent messages. Marisks considers it likely that at least one of the vessels targeted that day had paid the fake fee believing it had pre-authorisation for transit, but this assessment is based on confidential information held by the company rather than publicly available documentation. The identity of those behind the fraud - organised crime, regional maritime insiders, or groups exploiting open-source information - remains entirely unclear.
The case fits into a broader trend long known in the maritime sector: the use of phishing, address spoofing and fake port authority controls to extort money from operators. What sets the Hormuz fraud apart is the combination of an extremely high-tension geopolitical environment, a cryptocurrency-based payment regime introduced by a state actor as an economic policy tool, and the presence of hundreds of stranded vessels. Crews and shipowners are inundated with communications from multiple sources - flag authorities, agencies, brokers and security consultants - making it particularly difficult to distinguish legitimate channels from fraudulent ones.
Operational recommendations issued by Marisks converge on several points: treat with suspicion any toll payment requests via untraceable channels, verify message authenticity through trusted agents and official channels, avoid activating transit plans based on unconfirmed communications, and inform Protection & Indemnity Clubs and insurance brokers of any payment requests outside established procedures. At the time of writing, no formalised guidelines have been issued by the International Maritime Organization or major shipowner associations, although internal guidance is likely circulating among operators and maritime security centres.
M.L.
