Cyber Threat Actor: Keeper
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
6 incidents |
|---|
Profile
The threat actor known as Keeper, also tracked under that alias, has been publicly linked to operations originating from Russia. Observed activity focuses on compromising online restaurant ordering platforms to harvest payment card data for financial gain, with no indication of espionage or disruptive motives in the available reporting. The actor’s campaigns have targeted businesses that rely on centralized digital ordering infrastructure, affecting both direct service providers and third‑party aggregation platforms used by hundreds of restaurants.
Keeper’s tactics consistently involve deploying Magecart‑style web skimming code onto the compromised ordering services, thereby capturing card‑not‑present transaction data as it is processed. Initial access appears to be gained through vulnerabilities in the third‑party services or the ordering platforms themselves, allowing the actor to inject malicious scripts without needing to breach individual restaurant systems. The tooling observed is limited to the skimming payloads and associated infrastructure used to exfiltrate the stolen card information, with no reference to other malware families or custom exploit frameworks.
Attribution to Keeper is based on public reporting that links the group to the specific incidents, and the actor’s location is noted as Russia; however, no definitive connection to a state sponsor or a larger criminal consortium has been established in the sources provided. The actor operates as a financially motivated cybercrime group, leveraging the prevalence of online food‑ordering services to monetize stolen payment data through card‑not‑present fraud.
Representative operations include the October 2020 breach that affected approximately 343 000 payment cards across multiple ordering platforms and the April 2021 incident involving several restaurant‑focused services, both attributed to Keeper and employing similar Magecart skimming techniques against centralized payment processing systems. These events illustrate the actor’s repeated focus on exploiting vulnerabilities in shared ordering infrastructure to obtain large volumes of card data for illicit use.
