Cyber Threat Actor: Ne'er-do-wells
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | Germany | 1 incident |
Profile
The threat actor known as Ne'er-do-wells is associated with a Magecart‑style operation that targeted an online retailer in Germany. Publicly available reporting identifies the group by this alias and notes its operational base in Germany. The actor’s activity has been observed in the form of a web‑based skimming campaign aimed at capturing payment information during checkout processes.
On January 27, 2022, the actor compromised the website of Emma Matratzen GmbH, injecting malicious JavaScript into the site’s checkout page to skim customers’ credit or debit card data as it was entered. The script was designed to harvest personal details such as names, addresses, phone numbers, email addresses, and payment information, even when a purchase was not completed. Approximately 97,000 customers residing in twelve different countries were affected by the breach. The attackers employed advanced evasion techniques to avoid detection, including the dynamic loading of malicious code from external servers. Emma Matratzen GmbH confirmed that it does not store payment data directly on its systems, yet the skimming code still captured the information at the point of entry.
Following the discovery, the company notified all potentially impacted individuals and reported the incident to German authorities. No evidence of subsequent misuse of the stolen data was found by the victim organization. The observed tactics—JavaScript injection, external script loading, and evasion of security controls—represent the core TTPs associated with this actor’s publicly reported activity. No further details regarding affiliations, state connections, or additional campaigns are available in the source material.
