
A recent operation in the port of Brindisi, conducted by the Guardia di Finanza in collaboration with the Customs and Monopolies Agency (ADM) and coordinated by the Brindisi Public Prosecutor’s Office, is a concrete example of how the fight against organized crime, terrorism, and—more generally—many hybrid threats (including cyber) can be supported through the rigorous use of open sources and seemingly ordinary technical data.
According to open sources, GdF officers have seized approximately 33,000 tons of ferrous metal stored on board a merchant vessel coming from Russia, as part of an investigation into sanctions and their possible evasion.
Beyond geopolitical considerations—which view the Mediterranean as a permanent nexus of interests, routes, energy, and power projection—this case deserves attention for one specific reason: it’s not just a “judicial operation.” It’s a practical demonstration that modern investigation today relies on three elements:
It’s the same pattern we see in the cyber domain: single events that, in isolation, “say nothing”; but which, when linked with other elements, become patterns.
Open sources indicate that, in the investigative reconstruction, the AIS (Automatic Identification System) traces were evaluated in relation to the ship’s route and, above all, the moments in which the system was interrupted or non-transmitting.
It should be stated clearly: AIS can have legitimate interruptions (for example, for safety reasons or operational procedures). However, an investigator thinks in terms of exceptions: if the interruptions occur near specific ports or during “sensitive” time windows, the event deviates from the norm and becomes an indicator. In itself, it is not proof, but it is a signal that deserves verification and correlation.
In cyber, we call this step “detection” and “triage.” At sea, the concept remains the same: a telemetry gap is a question, not an answer. The answer comes when the gap intersects with other data.
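The detection and triage step described above can be sketched as follows. This is an added example, not code from the investigation or from any tool named in the article; the track, the port name and coordinates, and both thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

GAP_THRESHOLD = timedelta(hours=6)        # assumed: longer silence counts as a gap
WATCH_RADIUS_KM = 50.0                    # assumed radius around a port of interest
WATCH_PORTS = {"PORT_A": (44.70, 37.80)}  # constructed name and coordinates

# Constructed AIS position reports: (UTC timestamp, latitude, longitude)
SAMPLE_TRACK = [
    ("2025-01-01T00:00", 43.00, 34.00),
    ("2025-01-01T02:00", 43.40, 34.90),
    ("2025-01-01T04:00", 43.80, 35.80),
    ("2025-01-01T12:00", 44.20, 36.70),   # resumes after 8 h, open sea
    ("2025-01-01T14:00", 44.55, 37.50),   # last report before a long silence
    ("2025-01-04T16:00", 44.50, 37.40),   # resumes 74 h later, near PORT_A
    ("2025-01-04T18:00", 44.10, 36.50),
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def find_gaps(track, threshold=GAP_THRESHOLD):
    """Detection: every interval between consecutive reports above the threshold."""
    pts = sorted((datetime.fromisoformat(t), (lat, lon)) for t, lat, lon in track)
    gaps = []
    for (t0, p0), (t1, p1) in zip(pts, pts[1:]):
        if t1 - t0 > threshold:
            gaps.append({"start": t0, "end": t1, "last_pos": p0, "next_pos": p1,
                         "hours": (t1 - t0).total_seconds() / 3600})
    return gaps

def triage(gaps, ports=WATCH_PORTS, radius_km=WATCH_RADIUS_KM):
    """Triage: a gap bounded by a position near a watched port is an indicator
    to correlate with other sources, not proof; other gaps are only noted."""
    for g in gaps:
        g["near"] = [name for name, pos in ports.items()
                     if min(haversine_km(g["last_pos"], pos),
                            haversine_km(g["next_pos"], pos)) <= radius_km]
        g["priority"] = "correlate" if g["near"] else "note"
    return gaps

if __name__ == "__main__":
    for g in triage(find_gaps(SAMPLE_TRACK)):
        print(g["start"], "->", g["end"], f'{g["hours"]:.0f}h', g["priority"], g["near"])
```

A gap marked "correlate" is the question the paragraph refers to; the answer has to come from the other data sources discussed in the rest of the article.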
A second, more structural level is that of the internal planning and navigation track: ECDIS (Electronic Chart Display and Information System), i.e. the electronic cartography and navigation support system.
According to the reconstruction reported, the extraction and analysis of this data would have made it possible to ascertain the stopover and loading operations in the Russian port of Novorossiysk between 13 and 16 November 2025.
This passage is relevant because, from an evidentiary point of view, it comes close to what in cyber we would call a “system artifact”: not a narrative, but a technical trace that helps delimit times, places, and behaviors.
In support of the technical levels, the consultation of specialized databases – including, reportedly, Lloyd’s List Intelligence (via tools used by ADM) – would have allowed the investigative framework to be consolidated and contextualized.
The message here is simple: the difference between information and evidence is often contextualization. In cyber, we see it every day: IP addresses, logs, hashes, digital identities, and infrastructure become meaningful only when inserted into a coherent chain. In the maritime domain, the same holds true: records, ownership, management patterns, and operational histories serve to transform fragments into testable hypotheses.
This case provides operational evidence: technologies don’t “do” investigations on their own. They’re done by people who know how to use them, and who have invested in training upgrades and a data-driven culture. This applies to the Guardia di Finanza, to the ADM, and—more generally—to all law enforcement agencies.
And it’s also a reminder: when the threat is hybrid, the clear separation between domains (maritime, economic-financial, cyber) is often an illusion. Data is the connecting link. Correlation is the lever. Legal prudence is the framework.
In conclusion, the Mediterranean remains the hinge of the world and a space of deterrence.
While a non-negotiable principle of our legal system remains intact—one is innocent until proven guilty—the evidence emerging from the available reconstructions shows how an approach based on OSINT, telemetry, databases, and forensics can produce high-level investigative results.
And here we return to the Mediterranean: it’s not “just sea,” it’s a strategic space. Mackinder taught us to interpret power in terms of geography and access; today, following that same logic, the Mediterranean is a hub for goods, energy, interests, and—increasingly—data and infrastructure. Those who control these hubs, even with sober and rigorous tools, aren’t just seizing power: they’re increasing the cost of the gray zone.
