Operator dossier

TiMc is a ransomware operator currently active on public leak sites. Darkfield has indexed 5 public victims claimed by this operator between April 9, 2026 and May 15, 2026. TiMc is an emerging ransomware group first observed in April 2026, with limited public documentation indicating financially-motivated cybercriminal activity targeting organizations primarily in Spain and Argentina. Given the recent emergence and limited victim count of three known cases, there is insufficient public intelligence from major security agencies or researchers to definitively establish the group's country of origin, operational structure, or potential affiliations with other threat actors. The group has demonstrated a targeting preference for business services and healthcare sectors based on observed victim patterns, though their specific attack methodologies, initial access vectors, encryption techniques, and whether they employ data exfiltration or multiple extortion tactics remain undocumented in available threat intelligence reporting. No major campaigns, high-profile incidents, or law enforcement actions against TiMc have been publicly reported by CISA, FBI, Mandiant, or other established security research organizations. The group's current operational status remains unclear due to limited visibility and the nascent nature of their observed activities.

Most-targeted sectors

Business Services1 victims
Healthcare1 victims
Not Found1 victims

Most-affected countries

ES1 victims
AR1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

TiMc

5 victims indexed · first seen 1 month ago · last activity 6 days ago

Victims indexed

#241 of 348 tracked operators

Active period

Apr 2026 → May 2026

Countries hit

top ES · 1

At a glance

Status: active
First seen: 1 month ago
Last activity: 6 days ago
Onion sites: 1 known endpoint
Primary sector: Business Services · 1 hits

About

TiMc is an emerging ransomware group first observed in April 2026, with limited public documentation indicating financially-motivated cybercriminal activity targeting organizations primarily in Spain and Argentina. Given the recent emergence and limited victim count of three known cases, there is insufficient public intelligence from major security agencies or researchers to definitively establish the group's country of origin, operational structure, or potential affiliations with other threat actors. The group has demonstrated a targeting preference for business services and healthcare sectors based on observed victim patterns, though their specific attack methodologies, initial access vectors, encryption techniques, and whether they employ data exfiltration or multiple extortion tactics remain undocumented in available threat intelligence reporting. No major campaigns, high-profile incidents, or law enforcement actions against TiMc have been publicly reported by CISA, FBI, Mandiant, or other established security research organizations. The group's current operational status remains unclear due to limited visibility and the nascent nature of their observed activities.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/timc

Timeline

1 months

2026-04-01T00:00:00+00:002026-04-01T00:00:00+00:00

Top countries

🇪🇸 ES

🇦🇷 AR

ES dossier →AR dossier →

Top sectors

Business Services

Healthcare

Not Found

Business Services dossier →Healthcare dossier →Not Found dossier →

Recent victims

Loading…

Onion infrastructure

1 known

http://rzzfiwoop67jrxadngcy7nvjm7suwtrjznview63ooowqfsm5sq7gmqd.onion

Source

Updated 6 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.