Skip to main content

Operator dossier

TiMc is a ransomware operator currently active on public leak sites. Darkfield has indexed 8 public victims claimed by this operator between April 9, 2026 and June 11, 2026. TiMc is an emerging ransomware group first observed in April 2026, with limited public documentation indicating financially-motivated cybercriminal activity targeting organizations primarily in Spain and Argentina. Given the recent emergence and limited victim count of three known cases, there is insufficient public intelligence from major security agencies or researchers to definitively establish the group's country of origin, operational structure, or potential affiliations with other threat actors. The group has demonstrated a targeting preference for business services and healthcare sectors based on observed victim patterns, though their specific attack methodologies, initial access vectors, encryption techniques, and whether they employ data exfiltration or multiple extortion tactics remain undocumented in available threat intelligence reporting. No major campaigns, high-profile incidents, or law enforcement actions against TiMc have been publicly reported by CISA, FBI, Mandiant, or other established security research organizations. The group's current operational status remains unclear due to limited visibility and the nascent nature of their observed activities.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

TiMc

8 victims indexed · first seen 3 months ago · last activity 1 month ago

8
Victims indexed
#221 of 364 tracked operators
2m
Active period
Apr 2026 → Jun 2026
2
Countries hit
top ES · 1

At a glance

Status
active
First seen
3 months ago
Last activity
1 month ago
Onion sites
1 known endpoint
Primary sector
Business Services · 1 hits

About

TiMc is an emerging ransomware group first observed in April 2026, with limited public documentation indicating financially-motivated cybercriminal activity targeting organizations primarily in Spain and Argentina. Given the recent emergence and limited victim count of three known cases, there is insufficient public intelligence from major security agencies or researchers to definitively establish the group's country of origin, operational structure, or potential affiliations with other threat actors. The group has demonstrated a targeting preference for business services and healthcare sectors based on observed victim patterns, though their specific attack methodologies, initial access vectors, encryption techniques, and whether they employ data exfiltration or multiple extortion tactics remain undocumented in available threat intelligence reporting. No major campaigns, high-profile incidents, or law enforcement actions against TiMc have been publicly reported by CISA, FBI, Mandiant, or other established security research organizations. The group's current operational status remains unclear due to limited visibility and the nascent nature of their observed activities.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

1 months
2026-04-01T00:00:00+00:00 · 3
2026-04-01T00:00:00+00:002026-04-01T00:00:00+00:00

Top countries

🇪🇸 Spain
1
🇦🇷 Argentina
1

Top sectors

Business Services
1
Healthcare
1

Recent victims

Loading…

Onion infrastructure

1 known
  • http://rzzfiwoop67jrxadngcy7nvjm7suwtrjznview63ooowqfsm5sq7gmqd.onion

Source

Updated 1 month ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time TiMc posts a victim.

Add TiMc to your watchlist — Pro pings you within 5 minutes of any new TiMc leak-site post, Telegram callout, or affiliate-rebrand inference.