DataCarry
DataCarry, also referred to as DATACARRY and Datacarry, is a ransomware/extortion threat actor first described in the provided content as an emerging group in May 2025. The content indicates it operates as an extortion-only actor, relying on data theft and leak-based extortion without deploying ransomware lockers. Reported activity places its victimology in Europe and the Americas, with victim companies disclosed across eight countries and steady activity in Q3. DataCarry was identified in connection with the August attack on Swedish HR and work-management IT supplier Miljödata, which serves roughly 80% of Sweden’s municipalities. In that incident, Miljödata said attackers stole data and demanded 1.5 Bitcoin to prevent publication, and BleepingComputer reported that Datacarry posted the stolen data on its dark web portal on September 13. The leaked material included a 224 MB archive later indexed by Have I Been Pwned, containing personal data for about 870,000 individuals; reporting cited exposed data such as names, email addresses, physical addresses, phone numbers, government IDs, dates of birth, and in related victim reporting, full names and Social Security numbers. The Miljödata breach was assessed by Swedish authorities as affecting up to 1.5 million people and caused operational disruption across multiple Swedish regions. The content also notes that Datacarry listed an additional 12 victims on its website.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- government
- technology
Tradecraft
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware group claiming a breach of Swedish HR software supplier Miljödata, resulting in exposure of employee PII (including names and SSNs) affecting Volvo employees via a third-party vendor compromise.
DATACARRY is a ransomware group that, in 2025, specialized in data theft and extortion through public leaks, foregoing traditional ransomware encryption.
Ransomware group operating in Europe and the Americas, focusing on extortion without encryption.
DataCarry is a threat actor responsible for leaking data stolen from Miljödata, exposing personal information of over 1.5 million individuals in Sweden. The attack did not involve ransomware but focused on large-scale data exfiltration and public exposure.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.