A Beginner’s Guide to Investigating Vessels and Sanctions Using Maltego

If you are new to Maltego, you can check out my other blog here for getting started with the installation of the free Maltego Community Edition and how to add Transforms to your Maltego CE account. For this investigation, I installed the free Aleph OCCRP Transform that will allow us to enumerate details including:

• Phrase

• Company

• Domain

• Vessel

• Person Alias

• Phone Number

• Sanctions/OFAC/Designations

OCCRP Aleph is a publicly accessible platform for investigation that gives access to a large variety of archived open databases and government records. You can read more about Aleph here and even sign up to access the web platform. The Transform does not require you to have an account with Aleph and can be used straight within Maltego without an API key. Once you have the Transforms installed, open up a new graph by clicking the page with the plus sign right under the Maltego logo.

Today, I am going to walk through a quick investigation and visualization of a few sanctioned entities and associated vessels.

On the Entity Palette on the left side, search for Company, and drag the Entity onto the blank graph.

Once the Entity is on the graph, double-click on the name and change it to the entity you want to search. In this case, I am researching Transpetrochart Co. Ltd.

Now, right-click on the Entity icon to open the transforms that you had previously installed in Maltego. You can see in the screenshot that I have Standard Transforms, LittleSis, and Hunter installed as well as Aleph. Scroll to find OCCRP Aleph in your list and click on it.

At this point you have two options, you can run all of the Aleph data against the entity or you can choose the specific datasets to run against (as shown in the image below). I am going to choose to run all just so we can see the results.

When the Aleph Transform is run it brings back a variety of data from the Aleph archives including an indictment, sanctioned vessels (SIG, SUDAK), press releases, OFAC designations, and some additional sanctioned entities.

Diving a little deeper, we can select the indictment of Sovfracht icon and in the right panel, there are links to the document to read. It is possible to investigate many of the documents straight through links in Maltego which is really effective for a streamlined workflow.

Turning our attention now to the vessel SUDAK that was discovered, we can right click and run all Transforms on it.

We can see that more sanctions reports and OFAC details are presented.

Following the same method and clicking through the documents to find an Aleph link to a document providing additional ships connected to Sovfracht and Transpetrochart: YAZ, PASSAT, SIG, OT-2077 and of course, SUDAK.

Here is where you choose your own adventure based on your investigative needs. Continuing to run transforms on Entities, People, Companies, and Vessels in Maltego can provide more details on ownership structure, people in charge, and finances. Instead, I grabbed the IMO numbers of the vessels YAZ and SIG (an IMO is the International Maritime Organization ship registration number and it acts like the VIN number of a ship) and I am going to pop over to Twitter to check these vessels out.

You can see I did not have to try very hard to find them. A quick search of “YAZ” and the IMO number "9735323” shows that analysts are presently reporting on these sanctioned vessels performing the same activity they were sanctioned for.

I hope you enjoyed this quick walkthrough on how to use Maltego and Aleph to pivot through sanctions data, corporate records, and vessel information!