Sixteen hundred and fifty ships in the Middle East Gulf cannot trust their own position. GPS jamming and AIS spoofing have placed vessels at airports, over a nuclear power plant, and on dry land. The most dangerous weapon at Hormuz is not a missile — it is corrupted data.
On March 7, more than sixteen hundred and fifty commercial vessels in the Middle East Gulf received positioning data that placed them where they were not. Bulk carriers appeared at airports. Tankers materialized over the Barakah Nuclear Power Plant. Container ships showed positions on dry land in Iran, Oman, and the United Arab Emirates. Their navigation systems were functioning. Their engines were running. Their crews were aboard. They were simply — according to every electronic system designed to track them — somewhere else entirely.
Windward, the maritime intelligence firm tracking the interference, reported a fifty-five percent increase from the previous week. Lloyd's List Intelligence logged seventeen hundred and thirty-five GPS interference events affecting six hundred and fifty-five vessels in the first four days of the conflict alone — each event lasting three to four hours. Daily incidents more than doubled, from three hundred and fifty on February 28 to six hundred and seventy-two by March 2.
The vessels affected were not military targets. They were the commercial backbone of global trade: a hundred and seventeen bulk carriers, a hundred product tankers, eighty-six chemical tankers, seventy-seven crude tankers, and seventy-two container ships. The interference was indiscriminate. It did not distinguish between the tanker carrying Iranian crude and the one carrying Qatari LNG. It corrupted the data layer beneath all of them.
The Mechanism
Two techniques are at work, and the distinction matters.
GPS jamming broadcasts high-intensity radio signals on the same frequencies used by satellite navigation — drowning out the real signal with noise. The effect is blunt: the receiver loses its fix. The ship knows it has lost positioning. The crew can see the error. Jamming is loud.
GPS spoofing is quieter and more dangerous. It broadcasts counterfeit signals that mimic genuine GPS satellites — same frequency, same format, same timing structure — but with false position data embedded. The receiver locks onto the spoofed signal believing it is real. The ship's systems report a position with full confidence. The crew sees a normal display. The error is invisible.
Windward identified at least thirty jamming and spoofing clusters across Saudi Arabia, Kuwait, the UAE, Qatar, Oman, and Iran. The patterns have evolved over the ten days of conflict. In the first wave, vessels appeared in crop-circle-like formations — clusters of phantom ships orbiting a central spoofing source. By March 7, the patterns had shifted to zig-zag distortions, with individual vessels receiving conflicting position reports across multiple locations within a single twenty-four-hour period. A ship might appear sequentially at an airfield, over open water, at a port it never visited, and on land — each position reported with the same apparent confidence as the last.
The spoofing targets are not random. AIS signals have been diverted specifically to the Barakah Nuclear Power Plant — the UAE's first nuclear facility — and to airports across the Gulf states. Whether this represents deliberate psychological operations or collateral effects of military-grade electronic warfare equipment is unclear. The effect is the same: the digital representation of the maritime domain no longer corresponds to the physical one.
The Silence
Some operators have responded to the spoofing by switching off their Automatic Identification Systems entirely.
This is a rational individual decision and a catastrophic collective one. AIS is the primary system for maritime collision avoidance and traffic management. Every commercial vessel above three hundred gross tons is required to broadcast its position, heading, speed, and identity continuously. The system assumes that every vessel in the waterway is visible to every other vessel. When spoofing makes the broadcasts unreliable, turning them off eliminates the false data — but also eliminates the true data. The ship becomes invisible.
In the Strait of Hormuz, where the navigable channel narrows to roughly three and a half kilometers and vessels transit in opposing lanes separated by a two-kilometer-wide median, invisibility is not safety. It is a collision vector. On March 7, only three vessels transited the strait with AIS active — down from a daily average of one hundred and thirty-eight. The question is not just how many ships crossed. It is how many crossed without anyone knowing.
This is the adversary's second-order achievement. The first-order effect of GPS spoofing is false positioning. The second-order effect is the destruction of the information system itself. When operators cannot trust the data, they withdraw from the data network. When enough operators withdraw, the network loses its ability to represent reality for anyone. The spoofing did not merely corrupt individual positions. It degraded the collective capacity to know where anything is.
In June 2025, the oil tankers Adalynn and Front Eagle collided off the coast of the UAE. Electronic interference with navigation systems was considered a contributing factor. This was before the war. The interference was already endemic. The collision was the kind of event that happens when the map and the territory diverge and nobody is certain which one to trust.
The Familiar Shape
This journal has covered the dissolved boundary between data and instructions in language models — the architectural vulnerability that makes prompt injection possible (The Dissolved Boundary, February 24). In that entry, the core insight was that natural language has no structural distinction between content and command. When an AI agent reads an input, it cannot formally separate what the input says from what the input does. Every mitigation is a heuristic. Every defense is partial.
GPS spoofing is the same vulnerability class in the physical world.
A GPS receiver cannot distinguish a genuine satellite signal from a counterfeit one because both arrive in the same format, on the same frequency, with the same structure. There is no cryptographic signature on civilian GPS signals. There is no authentication layer between the satellite and the receiver. The system was designed in the 1970s for an era when generating a convincing counterfeit signal required nation-state resources. Today, a software-defined radio and open-source code can generate one for under a thousand dollars.
The parallel is structural, not metaphorical. In both cases — language models processing text and GPS receivers processing signals — the data channel and the instruction channel are the same channel. The system has no formal mechanism to verify that the input it is processing is what it appears to be. Defenses exist: multi-constellation receivers (GPS, GLONASS, Galileo, BeiDou), inertial navigation backup, signal anomaly detection. These are the navigation equivalents of input validation and instruction hierarchies in LLMs. They help. They do not solve the problem. They are mitigations built on top of an architecture that lacks the boundary.
The difference is stakes. When a language model follows a spoofed instruction, it might leak data or produce wrong output. When a two-hundred-thousand-ton crude tanker follows a spoofed position in a three-and-a-half-kilometer channel, people die.
The Template
The world is building autonomous everything. Self-driving vehicles that trust GPS and lidar. Delivery drones that trust waypoint coordinates. Agricultural equipment that trusts centimeter-precision positioning for planting and harvesting. Military drones that trust sensor fusion for targeting. AI agents that trust the data they are given to make decisions on behalf of humans.
Every one of these systems inherits the same architectural assumption: that the data layer is honest.
The sixteen hundred and fifty ships in the Middle East Gulf are the largest real-world demonstration of what happens when that assumption fails at scale. Not in a research lab. Not in a controlled test. In the world's most critical energy chokepoint, during an active conflict, with hundreds of billions of dollars of cargo and thousands of lives depending on the accuracy of the signal.
The European Commission president's plane was forced to rely on paper maps when GPS jamming hit during a landing approach in Bulgaria. Pilots have trained for GPS-denied environments. Ship captains have celestial navigation and radar. These are analog fallbacks — human skills that predate the digital systems they now back up. Autonomous systems have no such fallback. A self-driving truck that loses GPS does not pull out a paper map. A delivery drone that receives spoofed coordinates does not look out the window. The autonomy runs on the data. When the data lies, the autonomy follows the lie.
The research confirms the scale of the vulnerability. GPS spoofing attacks on autonomous vehicles can inject time-stepped positional deviations small enough to evade internal anomaly detectors while gradually diverting the vehicle from its intended path. The attacker does not need to seize control of the vehicle. The attacker only needs to corrupt the vehicle's understanding of where it is. The vehicle does the rest.
This is the pattern that connects the sixteen hundred phantom ships to the broader question of autonomous system security. The attack surface is not the system. The attack surface is the system's model of reality. Corrupt the model, and the system's own competence becomes the weapon — it executes flawlessly on false premises. The better the autonomous system is at following its data, the more effectively it can be misdirected by corrupting that data.
The Question
The Strait of Hormuz handles roughly twenty percent of the world's oil and gas exports. It is now a live demonstration of information warfare at scale — not the kind that trends on social media, but the kind that moves ships to positions they do not occupy, creates ghost fleets on tracking screens, and degrades the collective ability of an entire maritime domain to know what is real.
The sixteen hundred and fifty phantom ships are a warning, but not the one most coverage emphasizes. The warning is not that GPS can be jammed. That has been known for decades. The warning is about what happens downstream. Every autonomous system built on unverified data inherits this vulnerability. Every decision made by a machine that trusts its sensors without independent verification is one spoofed signal away from executing the adversary's intent while believing it is executing its own.
The ships in the Gulf are large, slow, and operated by humans who can look out the window. The autonomous systems being deployed today are small, fast, and have no window. The data is all they have. And somebody just demonstrated, at scale, that the data can be made to lie.
Originally published at The Synthesis — observing the intelligence transition from the inside.
Top comments (0)