6:22 a.m. April 14th, 2026. Port of Houston, Texas. 14 federal agents in unmarked vehicles. Four separate entry points along the Barbours Cut Terminal access road. Engines off. Radio traffic encrypted. What they were about to take down, $340,000 in untraceable cash, 14 pre-loaded burner phones, and a document pipeline that had been quietly moving Iranian nationals into the United States through falsified maritime crew manifests for 5 months.
The arrests would happen simultaneously. Houston, Baltimore, Dearborn, Newark. The signal would come at 6:47 a.m. No one moved yet. What those agents understood, and what most people outside federal counterintelligence don’t, is that the Strait of Hormuz blockade in spring 2026 had created a secondary problem nobody planned for.
The Navy was managing the headline. The FBI was managing what the headline was covering. Six port operations workers across two of the country’s busiest cargo terminals had found a mechanism so embedded in routine commercial shipping bureaucracy that it had passed through normal CBP screening undetected for months.
They weren’t moving drugs. They weren’t moving weapons. They were moving people. One name at a time. Buried inside crew manifests for vessels that had never logged a port call in Iran. The scheme had a price list. $8,000 for a standard insertion. 15,000 for expedited processing, clean documentation, and no secondary flags.
47 transactions total by the FBI’s count at the time of the arrests. Conservative estimate for total proceeds, just over half a million dollars split across six individuals who had spent years earning trusted access to one of the most critical cargo systems in federal infrastructure. This is how it worked, and how it ended. The first flag didn’t come from an agent.
It came from a data anomaly inside CBP’s Automated Commercial Environment System, ACE. A cargo processing platform that handles manifest verification for every commercial vessel entering a US port. November 6th, 2025. A routine ACE audit in Houston’s port director office flagged a statistical anomaly. Nine Iranian passport holders had appeared on crew manifests for Panamanian and Marshall Islands flagged vessels over a 31-day window.
None of those vessels had any logged port calls in Iranian waters. None had transited through Iranian ports of origin. Under standard maritime routing logic, Iranian nationals appearing on the crew rosters of vessels with no Iranian port history required a secondary explanation. The explanation provided in the manifest was consistent.
Each individual was listed as a replacement crew member brought on at a transit stop in a third country, typically Oman or the UAE. Paperwork in order. Crew certifications attached. No individual case triggered a flag on its own. But nine cases in 31 days on vessels using the same registry corridor, processed through the same terminal cluster at Barbour’s Cut, all with the same document structure.
That pattern didn’t exist naturally in ACE’s historical data. CBP port director Sandra Meisner referred the pattern to FBI Houston’s counterintelligence division on November 19th, 2025. The referral noted the timing. The US Navy’s posture in the Strait of Hormuz had been escalating since late October. Any channel allowing Iranian nationals to enter the United States through commercial maritime labor unscreened or screened against falsified documentation was a national security exposure that couldn’t wait for a routine
investigative timeline. FBI Houston opened a preliminary inquiry that same week. The lead was supervisory special agent Claire Dougherty, 22 years in counterintelligence. The last six focused on maritime and port security vulnerabilities. She had seen document fraud before. What she had not seen was document fraud embedded at this level of the cargo processing chain.
The thing about ACE, she told the case review team in early December, is that it’s built for speed and volume. 4 million manifests a year through Houston alone. The security model assumes the people entering data are who they say they are. It doesn’t assume they’re being paid to lie. Unquote.
The investigation didn’t advertise itself. That was the first decision and one of the most important. The fraudulent manifests were still moving through the system, which meant the people generating them didn’t know they’d been flagged. Every day the operation ran undetected was another day of evidence collection. Dougherty’s team started with the manifests themselves.
Each document carries a chain of custody inside ACE. A timestamp sequence showing which terminal operator ID processed the submission, which shift supervisor validated the cargo clearance, and which port liaison signed the crew certification package. 40 manifest submissions across the nine flagged cases all traced back to terminal operator accounts at Barbour’s Cut.
Three accounts. Four individuals because two of the accounts had shared login credentials across shifts. Common informal practice at high-volume terminals. Against regulation, but not unusual enough to trigger an internal audit. The four were port operations workers employed by a private terminal management contractor operating inside the Port of Houston under a long-term concession agreement with the Port Authority.
Their names, as they appear in the federal indictment filed April 15th, 2026. Marcus Aldrin, terminal logistics coordinator. Eight years at Barbour’s Cut. Daria Okonkwo, senior manifest processor. 11 years of service. Joel Frias, shift supervisor for cargo documentation. Six years at the terminal. And Ramon Estevez, the newest of the four.
A manifest entry clerk with 14 months on the job who had been recruited into the scheme approximately four months after being hired. Going through the ACE audit records that became part of the case file, one detail kept standing out. Estevez, the newest hire, the most junior member of the group, had processed more of the flagged manifests than any of the other three.
11 of the 14 Houston submissions traced back to his operator account. That distribution doesn’t happen by accident. In a scheme that requires deniability, you give the highest volume work to the person with the least institutional exposure. If something gets flagged, he takes the initial heat.
The others stay clean. The FBI watched the ACE account activity for 6 weeks before making contact with any potential witnesses or informants. 6 weeks of passive surveillance, cross-referencing manifest submissions against vessel arrival logs, crew change records at the Seafarers International Union Hall, and financial records obtained under grand jury subpoena.
The financial records were where the pattern became undeniable. Aldrin had deposited $74,000 in cash across 11 transactions at three different banks between August and November 2025. Each deposit was structured to stay below $9,000, the threshold for mandatory bank reporting, a textbook structuring pattern. Combined across all four Houston workers, the cash deposits totaled $218,000 in the same 4-month window.
The money was moving carefully. Agents pulled surveillance footage from three of the bank branches where Aldrin had made deposits. The footage showed a man in work clothes, no identifying port credentials visible, making transactions at teller windows rather than ATMs. No hesitation. No visible nervousness. A man who had practiced the routine until it felt ordinary.
That behavioral detail mattered to the investigation because it spoke to duration. You don’t get that cash structuring pattern in a few weeks. Aldrin had been doing this long enough that it had become unremarkable to him. By late December 2025, the investigation had confirmed the Houston end of the operation.
What it hadn’t yet identified was where the insertion requests were originating, who was contacting the port workers, negotiating prices, and providing the fraudulent crew documentation that needed to be loaded into ACE. That piece came from Baltimore. A parallel CBP referral submitted to FBI Baltimore on December 3rd, 2025, had flagged a smaller but structurally identical pattern at the Port of Baltimore Sea Girt Marine Terminal.
Five Iranian passport holders had appeared on manifests for Marshall Islands flagged bulk carriers between November and early December. Two individuals in Sea Girt’s manifest processing unit had account activity consistent with what Houston had already found. They were Gabriel Weston, a cargo documentation analyst with nine years at Sea Girt, and Thomas Byrne, a terminal operations supervisor who had worked at the port for 16 years.
Byrne was the senior figure. He was also, as the investigation would later establish, the individual who had first made contact with the buyers. FBI Baltimore and FBI Houston formally merged their investigations on December 18th, 2025. The combined task force included counterintelligence personnel, financial crimes analysts from FinCEN, and two CBP counterterrorism specialists assigned to assess the national security dimension of the identified infiltration pattern.
By the end of December, they were working with a document laundering operation with six confirmed participants across two ports, a minimum of 47 completed transactions, and an upstream supply chain they hadn’t yet mapped. Somewhere between the Iranian nationals appearing on the manifests and the port workers typing names into ACE, there was a logistics layer, someone coordinating placements, someone vetting candidates, someone who knew which terminals to target and which document formats would pass.
What’s most surprising about this case isn’t the corruption at the port level. People with financial pressure and access to sensitive systems make that calculation in every industry. What’s surprising is how long the upstream coordination chain had been running before the port workers were even recruited.
The FBI’s working theory by early January 2026 was that the coordination layer predated the Hormuz blockade by at least a year. The blockade created urgency, pressure to move people before the channel closed, but the infrastructure for falsifying maritime crew documentation had been built and tested well before the naval escalation made it strategically valuable.
Confirming that theory required penetrating the communication chain. The port workers weren’t using their personal phones for the scheme. That was apparent from the digital forensics on the ACE account activity. The submission patterns were too disciplined, too clean to be coordinated casually. The FBI’s assumption was that encrypted communication devices were in use, likely burner phones refreshed on a regular cycle.
The problem was that direct surveillance on the six port workers risked exposing the investigation before the upstream buyers had been identified. Arresting six corrupt terminal workers would dismantle the document pipeline. It would not identify who had been inserted through it, where those individuals were now, or who had been running the placement coordination.
Dockerty’s team made the decision that defined the rest of the case. They would not arrest the port workers, not yet. They would watch, collect, and build backward from the money to the people spending it. Three months of surveillance, that was the cost of that decision. Three months of watching fraudulent manifests continue to move through ACE while agents documented every transaction, mapped every financial flow, and worked the communication intelligence to identify the buyers.
The surveillance wasn’t without obstacles. In late January 2026, a winter storm that hit the Houston port complex shut down terminal operations for 61 hours, and disrupted the physical surveillance teams maintaining line of sight on Aldrin and Frias. The gap in coverage created a 20-hour window the FBI couldn’t account for. When operations resumed, a new batch of crew submissions appeared in ACE, processed remotely by Okonkwo from a location that was not her registered home address.
That single anomaly sent the financial crimes team back through 3 weeks of bank records. It surfaced a $22,000 cash deposit at a credit union in Pasadena, Texas, not one of the three banks already under subpoena, and under a joint account name that hadn’t appeared in the initial financial mapping. The account belonged to a relative of Okonkwo’s.
It expanded the scope of the financial investigation by two additional weeks. The technical surveillance operation produced its critical break in mid-February 2026. NSA-assisted intercepts of encrypted messaging platforms identified a communication cluster originating from two IP addresses in the greater Detroit metropolitan area.
Specifically, locations in Dearborn, Michigan. The content of the messages, reviewed under FISA authorization, included crew placement specifications, passport numbers, Farsi transliterated alias structures, target vessel names, and manifest submission windows keyed to specific shift schedules at both Barber’s Cut and Seagirt.
The Dearborn addresses corresponded to two businesses registered with the state of Michigan. The first was a maritime logistic consulting firm, Caspian Bridge Maritime Services LLC, incorporated in 2023 with a registered agent address in a commercial suite on Michigan Avenue. The second was an import-export facilitation company, Nexus Meridian Trade Group, incorporated in 2022 at a separate address 2 miles away.
Both companies had publicly listed business activities related to commercial shipping advisory services. Both had verifiable client relationships with legitimate shipping firms operating in Gulf and Caspian Sea routes. And both, according to intelligence assessments coordinated between FBI and the Office of the Director of National Intelligence, had organizational ties to Iranian state-linked commercial front networks operating in North America.
Here’s the part of this case that should sit uncomfortably with anyone who thinks about it carefully. Caspian Bridge Maritime Services had a website, a LinkedIn page, a registered phone number. It had filed taxes in Michigan for two fiscal years. It looked, from the outside, like a small but legitimate maritime trade consultancy.
The operational infrastructure for a counterintelligence infiltration program was running behind a facade that cost about $3,000 and an afternoon of paperwork to build. That’s not a failure unique to this case. That’s a structural reality of how commercial front operations work in the current environment.
And it’s worth being direct about what that means for detection timelines. Because three years of legitimate-appearing operation before a single flag gets generated is not an unusual track record. We’ll say what most analysis of this case doesn’t. The five-month detection window that CBP and FBI point to as evidence of an effective screening system is the success story version of a much longer undetected runway.
The scheme didn’t begin in November 2025. The detection began in November 2025. Those are two different things. A second Dearborn address surfaced in late February. A residential property linked to a naturalized US citizen, Farid Mahmoudi, who had no criminal record, no prior intelligence flags, and a 15-year work history in commercial real estate.
His phone number appeared in three of the intercepted message chains. His role, as the indictment later described it, was logistics coordination, matching available placement slots at the port terminals to the candidate pipeline being managed by Caspian Bridge. He was not, by the FBI’s assessment, a trained intelligence officer.
He was a facilitator, a link in a chain that stretched from Tehran to Dearborn to Barbara’s Cut to a cargo vessel riding at anchor in the Gulf of Mexico. Agents who conducted the pre-arrest physical surveillance on Mahmoudi described a man operating in apparent normalcy. He drove his children to school in the mornings.
He attended a local mosque on Fridays. He had dinner at the same restaurant on Michigan Avenue most Tuesday evenings. Nothing about his outward routine suggested a man conscious of being watched. That composure, whether genuine or cultivated, made the surveillance straightforward and the eventual arrest that much more disorienting for those around him.
A parallel arm of the network had been identified in Newark, New Jersey by early March 2026. A single individual, Amir Nasiri, a commercial shipping broker with an office near Newark’s container terminal, had been in contact with Thomas Byrne at the Port of Baltimore through an encrypted message channel that Byrne had set up using a burner phone purchased at a gas station in Dundalk, Maryland.
Nasiri’s contact with Byrne was more direct than the Dearborn coordination structure. He communicated specific crew names, specific vessels, and specific dates. He transferred funds through a layered series of wire transfers that moved through accounts in Cyprus and the UAE before arriving in cash in Byrne’s hands.
Consider the position of the surveillance team reading those intercepts in real time, knowing that the manifests being negotiated in those messages were still being processed, still being certified, still moving people through the port system while the legal authorization for intervention was being assembled. Every day of additional evidence collection was another day of exposure for the United States.
The judgment call at that level is not academic. Doherty’s team requested authorization for arrest operations on March 28th, 2026. The request went to the US Attorney’s Office for the Southern District of Texas and the District of Maryland simultaneously. It was reviewed by DOJ’s National Security Division.
Authorization was granted on April 7th. The operational planning required coordinating simultaneous enforcement actions across four geographic locations. Houston, Baltimore, Dearborn, and Newark. The challenge was sequencing. A premature arrest in any one location would alert the others. Cell phone activity from any of the six port workers or from Mahmoudi or Nassiri could trigger a communications blackout that would eliminate the remaining evidence chain before it was secured.
The decision was made to execute all arrests within a 15-minute window. That required four separate FBI field divisions, two CBP enforcement units, and local law enforcement coordination in Houston, Baltimore, and Newark to be in position simultaneously. Operating on a single encrypted command channel with each team maintaining radio silence until the unified signal.
6:47 a.m., April 14th, 2026. The signal was transmitted. At Barbour’s Cut Terminal in Houston, agents moved through two entry points simultaneously. Marcus Aldrin was reached in the terminal’s administrative building sitting at a workstation processing the morning’s manifest queue. He did not resist.
He looked up from the screen, made eye contact with the lead agent, and said nothing. Daria Okonkwo was reached at a coffee counter in the terminal’s employee break room. She asked for her lawyer before the agents had finished reading her rights. Joel Frias was located in the parking structure adjacent to the main processing building walking toward his vehicle.
Ramona Steves was reached at his apartment in Pasadena, Texas 22 minutes after the initial signal. The only arrest that did not happen at the port itself. At Seagirt Marine Terminal in Baltimore, Gabriel Weston was taken into custody at the terminal entrance gate during her morning check-in. Thomas Byrne was arrested at his home in Dundalk at 7:03 a.m. Eastern time.
Agents executing the search of Byrne’s residence found $74,000 in cash in a fireproof safe in the basement along with three burner phones and a spiral notebook containing what appeared to be a manual log of crew placement transactions. Dates, vessel names, amounts received, and what the indictment described as disposition codes whose meaning investigators were still analyzing at the time of the initial press release.
In Dearborn, Farid Mahmoudi was taken into custody at the Caspian Bridge Maritime Services office at 7:18 a.m. Eastern. The office contained four operational workstations, two of which had been partially wiped within the previous 48 hours. Digital forensics teams were able to recover a substantial portion of the deleted data.
What remained unrecoverable, approximately 30% of the communication logs on the wiped drives, was still an open question in the case file as of the date of the arrests. In Newark, Amir Nasiri was not at his office when agents arrived at 7:22 a.m. Eastern. His car was in the parking lot. His coffee was on his desk, still warm, but Nasiri was gone.
A 48-hour search of Newark’s transit infrastructure, regional airports, and border crossings produced no confirmed sighting. As of the date of the initial indictment filing, Nasiri remained at large. A federal arrest warrant was issued. Interpol notification was filed. His current whereabouts were listed as unknown. The physical evidence recovered across all four locations included the $340,000 in cash cited in the public arrest announcement, 14 preloaded burner phones, the Byrne transaction log, and approximately 4,200 pages of digital
communication records recovered from devices and partially wiped workstations. The 14 burner phones alone contained an estimated 2,800 discrete messages related to crew placement negotiations. Forensic processing of that volume of evidence was expected to take months. The six individuals in custody faced federal charges including conspiracy to defraud the United States, visa fraud, making false statements to federal agencies, and conspiracy to commit money laundering.
The charges against Mahmoudi included an additional count under the International Emergency Economic Powers Act related to financial transfers involving entities connected to Iranian-linked commercial networks. The question that consumed the internal review process at CBP, and that did not appear in any public statement, was simpler and more uncomfortable than the legal framework.
How many prior insertions had gone undetected? The 47 documented transactions represented the period for which the FBI had verifiable evidence. The ACE system’s historical records went back further. CBP’s internal review, begun immediately after the arrests, was attempting to identify whether the same document structure had appeared in manifest submissions before the November 2025 audit flag, and if so, how far back.
Preliminary findings shared with the Senate Intelligence Committee in a closed briefing in late April 2026 indicated at least 14 additional manifest submissions with characteristics consistent with the scheme dating back to February 2025. Those 14 cases involved individuals whose current locations were unknown. 14 names on crew manifests for vessels that had long since departed US ports bound for destinations across the Gulf region and the Eastern Mediterranean.
Whether those individuals were still in the United States, whether they were who their manifest described them to be, whether the placements had served an intelligence purpose, a logistics purpose, or something the investigation hadn’t yet framed, those questions had no confirmed answers at the time of the arrests.
One detail in the case file that stayed with me, Estevis, the junior manifest clerk, the one who processed the most fraudulent submissions, had applied for a transfer out of the Barbours Cut Terminal in late March 2026, two weeks before the arrests. The transfer request cited a desire to move closer to family. It was still pending in HR when agents knocked on his door.
Whether he knew something was coming or whether the timing was coincidental was listed in the case notes as unresolved. Here’s what this case actually demonstrates about the current infrastructure protection posture at US maritime ports. The detection mechanism that identified this scheme was a statistical anomaly flag in a data audit system, not a human investigator, not a physical inspection, not a whistleblower.
The flag worked because the volume of insertions crossed a threshold visible in aggregate data. A slower, more disciplined operation, one insertion per month instead of nine, might not have triggered the same flag, might not have triggered any flag. The six port workers now facing federal charges did not build the pipeline they were operating inside.
They were end users. The upstream architecture, the front companies in Dearborn and Newark, the coordination chain between them, the document preparation process, the candidate vetting system, that architecture was built by people who are not in custody. Nassiri remains at large. The 30% of communication data not recovered from the wiped workstations in Dearborn remains unrecovered.
The 14 pre-blockade insertions whose subjects cannot be located remain unaccounted for. Was this operation connected to Iran’s broader intelligence posture during the Hormuz crisis or was it an opportunistic commercial scheme that happened to serve intelligence-adjacent interests? The indictment charges document fraud and money laundering.
It does not charge espionage. That distinction carries legal weight. Whether it reflects the full operational picture of what was moving through those manifests, that’s a different question. Do you think this was an isolated operation or one channel of a larger network the public hasn’t been told about yet? Drop your read in the comments because the evidence points in directions the official statements haven’t fully addressed.
The network is dismantled. Nassiri is in the wind. 14 individuals are somewhere in the world with their port certified crew identities and no one currently tracking them. The manifest said they were merchant sailors. What they actually were and what they were doing the day agents arrested their document brokers remains an open question in a case file that by any reasonable assessment is not yet closed.
If you want to understand how federal counterintelligence actually operates in the current threat environment, not the version in the press release, but the version in the case files, subscribe. The next investigation goes further.
Disclaimer : This content may be created by AI for entertainment purposes. Any resemblance to real persons, events, or places is coincidental.