← All writeups
Hard 30 pts OSINT · Person Investigation

Operation LOCKERGOGA

CTF · ctf.osint.industries

Challenge Overview

This challenge is based on a real Europol Most Wanted listing. The subject, TYMOSHCHUK (ТИМОЩУК), Volodymyr Viktorych, born October 2, 1996, is wanted by France for computer-related crime, participation in a criminal organisation, and racketeering and extortion.

From 2018 to 2020, Tymoshchuk and accomplices participated in deploying the LOCKERGOGA ransomware on hundreds of victim companies, causing total global damages exceeding $18 billion.

The objective is to identify, using only legal open-source intelligence methods:

  • The licence plate of the vehicle linked to the individual
  • Its brand and model
  • Year of manufacture
  • Last known mileage
Operation LOCKERGOGA challenge prompt

Initial Research

Starting from the Europol listing, the subject's name Volodymyr Tymoshchuk was searched alongside cybercrime-related keywords. This surfaced an investigative article on decodecybercrime.com that had already aggregated publicly available social media data on the subject, including screenshots from his Instagram account.

The article contained a photograph taken from his Instagram that clearly showed a licence plate and states the VIN number is WP1ZZZ9YZKDA39521.

Instagram post showing vehicle with licence plate AB 6637 IE and VIN number

Identifying the Vehicle

The licence plate visible in the image was AB 6637 IE. With the VIN number also known, a VIN lookup was performed using publicly available VIN decoder services. VIN numbers encode the manufacturer, model, production year, and other vehicle specifications directly into the string. No registration database access is required.

The VIN decode confirmed:

  • Brand: PORSCHE
  • Model: CAYENNE
  • Year of manufacture: 2019
VIN decoder results confirming Porsche Cayenne 2019

Finding the Mileage

The last known mileage was found in an Instagram story posted by the subject. The story showed the interior of the vehicle with the dashboard slightly visible, but after zooming in the odometer read 36,921 km.

Instagram story showing dashboard odometer reading 36921 km

Flag

OSINT{AB 6637 IE, PORSCHE, CAYENNE, 2019, 36921KM}

Conclusion

This challenge demonstrates how a threat actor's own social media posts can become an intelligence source. Despite being a fugitive on Europol's Most Wanted list, publicly shared images contained enough embedded data to fully reconstruct the vehicle's identity and history.

Key takeaways:

  • Third-party investigative articles often aggregate social media content that may have since been deleted from the original source.
  • VIN numbers are publicly decodable and reveal full vehicle specifications without requiring access to any registration authority.
  • A licence plate alone is not enough. Layering it with a VIN decode is what confirms make, model, and year with certainty.
← Back to all writeups