AMBREY THREAT CIRCULAR: Strait of Hormuz Email Scams

Date released: 21 May 2026

Source: This document has been approved for distribution by Ambrey Analytics Ltd.

“Ambrey has identified a sustained campaign of fraudulent communications impersonating Iranian authorities and demanding cryptocurrency payments for Strait of Hormuz transit authorisation. The activity demonstrates increasing sophistication and presents financial, operational, and security risks to shipping companies and crews.” 

  • Ambrey has seen multiple emails from online scammers impersonating Iranian authorities and requesting payment in return for safe passage through the Strait of Hormuz.
  • Emails claiming to be from Iranian authorities are requesting millions of dollars’ worth of cryptocurrency payments in return for authorisation to transit the Strait. 
  • Ambrey has seen evidence that scammers have also attempted to obtain crew members’ identities and information that would allow direct communication with crew.
  • Potential victims of these false emails not only risk financial loss from making any payments, but also risk attempting to transit the Strait of Hormuz without approval from Iranian authorities, who have used force against merchant vessels to prevent unauthorised transits.  

SITUATION

Iran selectively closed the Strait of Hormuz at 14:00 UTC on 28 February 2026. Demands for payment in return for safe passage were first reported on 23 March 2026, and an official ‘toll’ was proposed by Iranian authorities at the onset of the 8 April 2026 ceasefire between the US and Iran. It was reported that the toll would be requested in Chinese Yuan or in cryptocurrency payments. On 5 May 2026, Iran established the Persian Gulf Strait Authority to administer the Strait.

The selective closure of the Strait and the subsequent reports of a ‘toll’ for safe passage presented an opportunity for online scammers to fraudulently impersonate official Iranian channels for financial gain. 

Ambrey has reviewed multiple fraudulent emails sent to shipping companies and insurers over the intervening weeks. The emails all emphasise that navigation of the Strait is under the control of Iranian authorities. The more sophisticated emails observed by Ambrey were written to apply increased pressure for payment on the recipient, either by emphasising a sense of urgency and a threat or by using more developed techniques to disguise the scams as official communications from Iranian authorities. 

Two of the earliest emails reviewed by Ambrey, sent from Proton Mail email addresses, claimed to be from “a task force acting on behalf of the Islamic Revolutionary Guard Corps (IRGC)” and used the same text template, claiming vessels were operating “without appropriate approval” in the Strait of Hormuz and that unless “financial obligations” were settled and a payment made as acceptance of the terms for transit, vessels would be at risk of “measures to forcefully stop and establish control over the vessel.”  

One of the attempts included requests for information on individual crew members aboard vessels and information that would allow the senders to contact the vessel directly. The email requested the Inmarsat Mobile Number and the Mobile Earth Station terminal ID for the bridge satellite transceiver, as well as passport and Seafarer’s Identity Document information on the Master, Chief Officer and Chief Engineer aboard the vessel.

The emails also included more thorough attempts to impersonate Iranian officials. Multiple reviewed emails have been signed off using the signatures of Iranian government officials and IRGC Navy personnel. More recent cases have seen fraudulent emails attempting to impersonate the recently established Persian Gulf Strait Authority. These developments indicate increasing sophistication in the methods used to deceive potential victims of the scam.

The demanded payments have varied between the emails. The first email reviewed by Ambrey demanded a payment of US $2 million, which is in line with the initial figures reported to be requested by Iran in March 2026. Since the beginning of the closure of the Strait, the price demanded by scammers has varied, with separate demands of US $1.3 million and US $1 million being observed. The reduction in the demanded payments suggests a deflation in the value the scammers thought they could extract, indicating a possible lack of success.

Payments have been requested in these emails in multiple cryptocurrencies. Ambrey has observed requests for payment in Bitcoin, Ethereum, and USD Tether. The scam emails provided different blockchain wallet addresses for payments to be sent to. Ambrey has not seen evidence of financial activity linked to the emails in any of the identified wallets, indicating that the reviewed examples have not resulted in payments being made to the senders. One of the wallets provided was observed to have made small transactions to a Thai-based cryptocurrency exchange.

ANALYSIS

Ambrey has assessed it is almost certain that the emails it has received from shipping companies and insurers have been scams. They contained the following indicators: 

The emails observed by Ambrey have all been sent from identifiable non-official email addresses. Several of them were sent from Proton Mail email addresses. Proton Mail is a Switzerland-based email service that advertises itself as privacy-focused, offering end-to-end and zero-access encryption for users. Signing up for a Proton Mail account requires very little verification of personal information, and the service can be used for free. It is unlikely that the reviewed emails were fully end-to-end encrypted, as Proton’s end-to-end encryption relies on either both the email sender and recipient being Proton addresses or the sender also sharing a decryption password with the recipient.

Cryptocurrency can be a legitimate form of payment used in many industries. However, it is frequently used in scams and criminal activity: cryptocurrency payments are typically peer-to-peer and generally lack the consumer protections available with credit cards or bank transfers, and transactions sent to a crypto wallet are usually irreversible. Ambrey is also aware that Iran has made considerable use of cryptocurrency in response to significant international sanctions placed against the country’s financial system. This has helped to disguise the scammer’s fraudulent identity, as Iranian authorities have made use of cryptocurrencies in the past and have been reported to be requesting cryptocurrency payments in return for authorising transits of the Strait. 

Some of the language used in the emails was inconsistent with what is usually seen from Iranian official policy or behaviour: 

  • In one example, the email read that the Strait was closed to “crude oil tankers”. It is clear from attacks that Iran has targeted other types of vessels, including before this email was shared.
  • Shipping companies have been told that their ship was already in the Strait of Hormuz, but the ship’s actual location was outside the area demarcated in Iranian publications setting out Iran’s official interpretation of the Strait.
  • Iranians will almost always refer to the “Gulf” as the “Persian Gulf”. This was not always the case in these emails, which even a translation into English should have reflected.
  • The instructions, or lack thereof, indicated an incomplete understanding of the Iranian inspection and transit modus operandi at the time, as indicated by vessel behaviour and permissible trade.

The scam emails that Ambrey has observed are relatively simple. While the groups or individuals sending these emails are unknown, the emails themselves require very little in terms of resources or capabilities and could be carried out by low-level scammers.  

On 5 May 2026, Iran announced the establishment of the Persian Gulf Strait Authority. Iran intends this authority to administer the Strait and act as a body to manage the ‘toll payments’. Iran has provided an official point of contact email address (“info@PGSA.ir”) for the Persian Gulf Strait Authority through state media. This will likely impact the efficacy of these types of scams, as many of the fake email addresses used so far will become easier to identify as false. 

Scammers have been observed using similar email addresses to official channels announced by Iran, using the signatures of prominent Iranian officials and attempting to mimic the format of official communications. 

Whilst there is no evidence of a payment to one of these scammers, vessels may have proceeded to transit the Strait of Hormuz under the false impression that their companies have gained official approval. Crews have been overheard during attacks reporting that they have authorisation to transit. This might reflect a change of policy, a miscommunication, or a breakdown of communications, but there is a possibility that they had gained fraudulent assurances.  

None of the companies that received these fraudulent emails and ignored them have subsequently been attacked.
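
The indicators described in this analysis (non-official or Proton Mail senders, addresses resembling the announced “info@PGSA.ir” contact, cryptocurrency payment demands, requests for crew and satellite terminal details, and “Gulf” used without “Persian”) can be checked as a first-pass triage of inbound mail. The following Python is an added example, not Ambrey’s tooling; the indicator names, the Proton Mail domain list, the 0.8 similarity threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

OFFICIAL_DOMAIN = "pgsa.ir"  # domain of the contact address quoted in the circular
FREEMAIL = {"proton.me", "protonmail.com", "pm.me"}  # Proton Mail sender domains
CRYPTO = re.compile(r"\b(bitcoin|btc|ethereum|tether|usdt|wallet address)\b", re.I)
CREW_DATA = re.compile(
    r"\b(inmarsat|mobile earth station|passport|seafarer.?s identity)\b", re.I)
BARE_GULF = re.compile(r"(?<!Persian )\bGulf\b")  # "Gulf" not preceded by "Persian"

def lookalike(domain):
    """True for a non-official domain that embeds or closely resembles the official one."""
    if domain == OFFICIAL_DOMAIN:
        return False
    label = OFFICIAL_DOMAIN.split(".")[0]
    return label in domain or SequenceMatcher(None, domain, OFFICIAL_DOMAIN).ratio() >= 0.8

def indicators(raw):
    """Return the names of the circular's scam indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part else ""
    checks = [
        ("freemail_sender", domain in FREEMAIL),
        ("lookalike_domain", lookalike(domain)),
        ("crypto_payment", bool(CRYPTO.search(text))),
        ("crew_data_request", bool(CREW_DATA.search(text))),
        ("bare_gulf", bool(BARE_GULF.search(text))),
    ]
    # From headers are easily forged: an empty result is not proof of authenticity.
    return [name for name, hit in checks if hit]

# Constructed sample messages (not real scam emails); addresses are placeholders.
SAMPLE_PROTON = (
    "From: Task Force <constructed-sample@proton.me>\nSubject: Transit\n\n"
    "Your vessel is operating without appropriate approval in the Gulf. "
    "Pay 2,000,000 USD in Bitcoin and send the Inmarsat Mobile Number "
    "and passport details of the Master.\n")
SAMPLE_LOOKALIKE = (
    "From: Persian Gulf Strait Authority <info@pgsa-ir.example>\nSubject: Toll\n\n"
    "Transit authorisation for the Persian Gulf requires payment in USDT.\n")
SAMPLE_BENIGN = (
    "From: Port Agent <ops@agency.example>\nSubject: Schedule\n\n"
    "Berth schedule for the Persian Gulf call is attached.\n")

if __name__ == "__main__":
    for sample in (SAMPLE_PROTON, SAMPLE_LOOKALIKE, SAMPLE_BENIGN):
        print(indicators(sample))
```

Any message that returns one or more indicators is a candidate for the reporting and review process covered in the recommendations, not an automatic verdict.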

RECOMMENDATIONS

  • Train staff to recognise these fraudulent emails. Intelligence providers can provide realistic materials and scenarios, and keep them up-to-date with evolving scammer attempts and official policy of those they are impersonating. 
  • Review company policies on reporting the emails, marking them as spam/phishing, who to report to, how to review threats made towards specific crew and ships, and what to do if there has been a security breach. 
  • If you have any suspicious emails that you would like us to review, please feel free to share, and we will analyse the threat, and advise accordingly. 
  • Ambrey recommends carrying out a thorough sanctions check before engaging in any such payments, particularly given US Department of the Treasury guidance on the matter.

CONTACT INFORMATION

Ambrey: +44 203 503 0320, intelligence@ambrey.com

AMBREY – For Every Seafarer, Every Vessel, Everywhere.