Solving Maritime Mysteries

Solving Bellingcat’s “Maritime Mysteries” challenges

In this post I go on a maritime OSINT adventure and take on Bellingcat’s “Maritime Mysteries” challenges: Fully Stocked, Operation Fleet Finder, Cyrillic Confusion, Clouded Perception, and Synoptic Code.

I filmed the entire process, so if you prefer watching instead of reading you can check out the full video here.

This time the challenges are a fun mix of geolocation, ship tracking, image forensics, and code breaking. For me, they are also part of a bigger goal – building real open source intelligence skills that I can carry into cybersecurity.


Fully Stocked – Finding a Container Ship’s Port

Fully Stocked challenge image

A single photo shows a large container ship with “UASC” written on the side and a big bridge in the background. The ship is moored in a busy port. The task is simple on paper: identify the city where this photo was taken.

I started with the obvious text in the image.

  • The ship has “UASC” on the side. A quick search tells me that stands for “United Arab Shipping Company.”

  • That sounds very Middle East focused, so my first instinct was to look at ports in that region.

This is a classic OSINT trap: anchoring on the first thing that looks meaningful. The company’s origins do not automatically mean the photo was taken in the Middle East. So I shifted my attention to something more unique – the bridge.

The bridge has a very recognizable shape and structure, so I tried reverse image search. I uploaded the image and looked through the visually similar results.

That is where things clicked. One of the results pointed to the Köhlbrand Bridge in Hamburg.

From there I:

  1. Opened Hamburg in Google Maps

  2. Located the Köhlbrand Bridge

  3. Looked for container terminals nearby

  4. Rotated the view until the bridge, cranes, and towers lined up with the original photo

The perspective and layout matched almost perfectly, confirming the location.

Correct answer – Hamburg


Operation Fleet Finder – Chasing an MMSI Number

Operation Fleet Finder challenge image

This challenge shows several gray naval ships moored together. All of them look similar at first glance. The task is to identify the MMSI number of the leftmost ship.

An MMSI (Maritime Mobile Service Identity) is a unique nine digit number used to identify ships in radio and AIS communications.

Zooming into the image, two details stand out:

  • A US flag

  • A hull number “69” on one of the ships

That hull number leads to a likely match – the USS Dwight D. Eisenhower (CVN 69), a US aircraft carrier.

However, the challenge asks for the leftmost ship, which is another aircraft carrier in the group.

At this point I knew:

  • We are looking at a US Navy carrier group

  • The leftmost vessel is an aircraft carrier

  • The photo is relatively recent

I pulled up a list of US Navy aircraft carriers in active service and started visually comparing:

  • The shape of the island (the tower structure)

  • Position and style of radar domes and antennas

  • Details on the flight deck and hull markings

Along the way I made a wrong guess and tried the USS Theodore Roosevelt. The details looked close, but the MMSI number did not work in the challenge interface, which meant I had to keep digging.

I went back to the photo, focused more on the shape of the radar domes and the structure of the island, and narrowed it down again. After eliminating the other options, the best match turned out to be USS George H. W. Bush (CVN 77).

From there it was just a matter of looking up the ship’s MMSI number.

Correct answer – 369970663


Cyrillic Confusion – Verifying a Russian Port Log

Cyrillic Confusion challenge image

This challenge is about the Chinese cargo vessel YUI PENG 3, which was linked in media coverage to damaged underwater data cables in the Baltic Sea in 2024.

We are shown a screenshot of what looks like a Russian port movement log and asked:

What is the original URL of this log?
(Without including http or https.)

My first instinct was to use mainstream ship tracking sites. Many of them show port calls, positions, and historical logs. The problem:

  • Almost all of them hid the detailed historical data behind paywalls.

  • I could see that YUI PENG 3 existed, but I could not match the screenshot to a specific page.

Then I tried a different angle. I assumed the port was something big and obvious like Saint Petersburg and searched for open port logs from there. Again, nothing useful.

At this point I realized I was doing things backwards. Instead of guessing the port, I should confirm which Russian port YUI PENG 3 actually left around the time of the cable damage.

News articles about the incident mentioned that the vessel departed from the Russian port of Ust Luga, which narrowed down the search.

Since I was dealing with a Russian port authority system, I decided to switch from Google to Yandex, which often indexes Russian government and regional sites more thoroughly.

I searched for things like:

  • Ust Luga port movement logs

  • The call sign number that appeared on the screenshot

The results looked a bit sketchy at times, but one of them finally matched both the layout and the data structure of the screenshot.

The URL belonged to a Russian port system that listed vessel in and out movements. The page for YUI PENG 3 matched the challenge screenshot.

Correct answer – skap.pasp.ru/Move/InOutMoveList/165759?harb=UL


Clouded Perception – Finding Hidden Numbers in an Image

Clouded Perception challenge image

This challenge shows a beautiful photo of a lake with mountains and clouds. The description hints that the image has been manipulated, and the task is to find a hidden six digit number.

I started with the usual basic tricks in an image editor:

  • Adjusting contrast and brightness

  • Playing with saturation

  • Splitting color channels

  • Inverting the colors

Nothing obvious appeared in the water or on the shore, even after heavy adjustments.

I even tried common steganography checks with tools like steghide and binwalk to see if there was a hidden file inside the image. That was a dead end too.

The challenge description hinted at manipulated imagery, so I turned to online image forensics tools, including:

While looking at the analysis results, I learned about ELA – Error Level Analysis.

Very briefly, ELA works like this:

  • The tool resaves the image at a given quality level.

  • It compares the new version with the original.

  • Areas with different compression levels stand out, which often reveals where something was edited or added later.
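The three steps above as an added Python sketch (not part of the original post and not the code of any tool it used), assuming the Pillow library is installed. The sample image, the box coordinates and the quality values are constructed for illustration: a smooth gradient stands in for the sky, and faint strokes stand in for the hidden digits.

```python
import io
from PIL import Image, ImageChops, ImageDraw, ImageStat

EDIT_BOX = (40, 40, 216, 88)      # where the constructed edit is drawn
CLEAN_BOX = (40, 160, 216, 208)   # same-sized area that is left untouched

def jpeg_roundtrip(img, quality):
    """Save to an in-memory JPEG at `quality` and decode it again."""
    buf = io.BytesIO()
    img.save(buf, "JPEG", quality=quality)
    return Image.open(io.BytesIO(buf.getvalue())).convert("RGB")

def error_levels(img, quality=90):
    """ELA: per-pixel absolute difference between img and its resaved copy."""
    return ImageChops.difference(img.convert("RGB"), jpeg_roundtrip(img, quality))

def mean_error(ela_img, box):
    """Average error level inside box = (left, top, right, bottom)."""
    means = ImageStat.Stat(ela_img.crop(box)).mean
    return sum(means) / len(means)

def build_sample():
    """Constructed image: a gradient that has been through JPEG once,
    then gets faint strokes (+16 brightness) added and is saved again."""
    sky = jpeg_roundtrip(Image.linear_gradient("L").convert("RGB"), 85)
    mask = Image.new("L", sky.size, 0)
    draw = ImageDraw.Draw(mask)
    for x in range(48, 208, 16):
        draw.line([(x, 44), (x + 8, 84)], fill=16, width=3)
    strokes = Image.merge("RGB", (mask, mask, mask))
    return jpeg_roundtrip(ImageChops.add(sky, strokes), 95)

if __name__ == "__main__":
    ela = error_levels(build_sample())
    # Error levels are small numbers; amplify them so the result is viewable.
    ela.point(lambda v: min(255, v * 20)).save("ela.png")
    print("edited:", mean_error(ela, EDIT_BOX), "clean:", mean_error(ela, CLEAN_BOX))
```

Sharp edges and busy textures also produce high error levels on their own, so a bright ELA region is a reason to look closer rather than proof of an edit.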

On one of the sites, when I ran ELA on the image, the sky suddenly showed faint but clearly structured shapes that looked like numbers.

After some trial and error reading those shapes correctly, I arrived at the hidden six digit number.

Correct answer – 428309


Synoptic Code – Decoding a Ship’s Weather Report

The final challenge provided a long Morse code message. The task was to decode it and find the air temperature in degrees Celsius that was transmitted.

Here is the Morse code I started with:

.-. -.-. ...- / -.. . / ..- -.-. - .- ..... / .---- ...-- .---- ---.. .---- / ----. ----. ...-- ....- ..... / .---- ----- ...-- ....- -.... / ....- .---- -.... ----. ---.. / ...-- ..--- ....- ----- ..... / .---- ----- ..--- ---.. ----- / ....- ----- .---- ..--- ----- / ..... ....- ----- ----- ----- / --... ----- ..--- ----- ----- / ---.. ...-- ..... ----- ----- / ..--- ..--- ..--- ..... ..--- / ----- ----- ..--- ---.. ----- / .---- ...-- ----- .---- ..--- / -... - / .- .-. / ..- -.-. - .- ..... / -.

I used CyberChef to decode the Morse code. The output looked like this:

RCV DE UCTA5 13181 99345 10346 41698 32405 10280 40120 54000 70200 83500 22252 00280 13012 BT AR UCTA5 N

This looks like a structured message rather than a simple sentence. That usually means some kind of code or reporting format.

The context in the challenge mentioned that the message was believed to be from a Russian ship operating in the Black Sea and that it was received on 13 October 2024.

The numbers did not look random. They resembled synoptic weather code, which is a standardized way for ships to report weather conditions.

After some searching I found a naval training presentation (in this case for the Oman navy) that broke down these ship weather reports group by group. It explained how each block of digits represents a specific measurement: date, time, location, wind, cloud cover, temperature, and so on.

Using that reference, I began mapping my decoded message:

  • RCV DE UCTA5 – Receive from station UCTA5

  • 13181 – Day and time of observation

    • 13 for the day

    • 18 for the hour (UTC)

  • 99345 and 10346 – Latitude and longitude groups

  • And so on, through clouds, visibility, and other conditions

The key for this challenge was the group that encodes air temperature.

In this format the air temperature appears in a group that starts with 1. In my message that group was:

10280

By the rules of the code:

  • The first digit 1 marks it as the air temperature group

  • The second digit is the sign

    • 0 means temperature at or above zero

    • 1 would mean below zero

  • The last three digits are the temperature, usually in tenths of degrees

So 10280 decodes to:

  • Sign 0 – positive temperature

  • Temperature 280 tenths of a degree

  • Which equals 28.0°C

Correct answer – 28.0
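The decoding steps above as an added Python example (not part of the original post). It goes slightly beyond what the post spells out: the quadrant digit in the longitude group and the rule that groups after the 222.. marker belong to a later section are assumptions taken from the standard ship synoptic layout (FM 13 SHIP), and they matter here because 13181, 10346 and 13012 also start with 1 without being the air temperature group.

```python
MORSE = dict(zip(
    (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- "
     ".-. ... - ..- ...- .-- -..- -.-- --.. "
     "----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.").split(),
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"))

QUADRANT = {"1": ("N", "E"), "3": ("S", "E"), "5": ("S", "W"), "7": ("N", "W")}

def morse_to_text(morse):
    """Decode Morse with letters separated by spaces and words by '/'."""
    return " ".join("".join(MORSE[sym] for sym in word.split())
                    for word in morse.split("/"))

def signed_tenths(group):
    """1snTTT: sn 0 = at or above zero, 1 = below zero; TTT = tenths of a degree."""
    sign, ttt = group[1], group[2:]
    if sign not in "01" or not ttt.isdigit():
        return None                      # '/' marks a missing value
    return (-1 if sign == "1" else 1) * int(ttt) / 10

def decode_ship_report(text):
    """Pull date, position and air temperature out of the five-digit groups."""
    groups = [g for g in text.split()
              if len(g) == 5 and all(c.isdigit() or c == "/" for c in g)]
    when, lat, lon = groups[0], groups[1], groups[2]
    if not lat.startswith("99") or lon[0] not in QUADRANT:
        raise ValueError("position groups not where expected")
    # groups[3] and groups[4] are positional too; indicator-digit groups follow.
    rest = groups[5:]
    cut = next((i for i, g in enumerate(rest) if g.startswith("222")), len(rest))
    section1 = rest[:cut]                # groups after 222.. are not section 1
    ns, ew = QUADRANT[lon[0]]
    air = next((g for g in section1 if g[0] == "1"), None)
    return {
        "day": int(when[:2]), "hour_utc": int(when[2:4]),
        "lat": (int(lat[2:]) / 10, ns), "lon": (int(lon[1:]) / 10, ew),
        "air_temp_group": air,
        "air_temp_c": signed_tenths(air) if air else None,
    }

# First three words of the post's Morse, then its full decoded text.
HEADER = ".-. -.-. ...- / -.. . / ..- -.-. - .- ....."
MESSAGE = ("RCV DE UCTA5 13181 99345 10346 41698 32405 10280 40120 54000 "
           "70200 83500 22252 00280 13012 BT AR UCTA5 N")

if __name__ == "__main__":
    print(morse_to_text(HEADER))
    print(decode_ship_report(MESSAGE))
```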


What I Learned From These Maritime Mysteries

Working through these Bellingcat challenges was both fun and educational. Here are a few takeaways that I think are very relevant for my cybersecurity journey:

  • OSINT is about pivots, not guesses
    When I stopped guessing the port and instead pivoted from news articles to the actual port name, Cyrillic Confusion finally cracked open.

  • Tool diversity matters
    Reverse image search, CyberChef, online forensics, and even a random Oman navy PDF all played a role. In cybersecurity you often need the same flexibility with log tools, threat intel feeds, and scripts.

  • Understand the format, not just the content
    For Synoptic Code, nothing made sense until I recognized the message as a structured weather report. The same holds for log files and network traces in cyber – knowing the format unlocks the meaning.

  • Verification beats assumption
    Whether it is confirming that the bridge is in Hamburg or double checking which ship matches an MMSI, every step reminded me not to trust the first “good enough” answer.

If you enjoy this mix of geolocation, OSINT, and puzzle solving, and you are curious how it all ties into my path into cybersecurity, feel free to check out my YouTube channel and follow along as I keep learning.

And if you tried solving any of these yourself, I would love to hear how you approached them! 🙂
