
Spanish authorities have arrested a Russian national who they believe is responsible for having helped develop and operate the NeverQuest banking trojan.

On 13 January, Spain’s law enforcement agency Guardia Civil placed 32-year-old Stanislav Lisov under arrest on charges of having used electronic means to hack computers and commit fraud.

Authorities converged at El Prat airport in Barcelona after investigators with the force’s Unidad Central Operativa (Central Operative Unit) spotted Lisov and his wife on vacation in Catalonia. They arrested him as soon as he and his wife exited a car in the airport’s parking lot before they boarded a flight for another EU country.

Stanislav Lisov in custody (Source: Guardia Civil)

The United States has been investigating Lisov since 2014 on suspicion that he helped create a piece of malware called NeverQuest.

First discovered in 2013, NeverQuest is a banking trojan that comes with a list containing the names of hundreds of banks located around the world. The malware waits until a victim visits one of those banking websites, at which point it injects malicious JavaScript code into the victim’s browser. This code allows NeverQuest’s author(s) to control the connection between the user’s browser and the server, effectively empowering them to modify web pages as well as steal usernames and passwords.

Whoever developed the malware, which also goes by the name “Vawtrak,” is still committed to updating it. The most recent upgrade came in late summer 2016, when NeverQuest’s list of websites expanded to include other types of targets such as government agencies and payroll services.

In total, the malware is believed to have robbed victims of approximately 5 million USD.

Lisov currently sits in jail, as an analysis of his servers located in France and Germany revealed the Russian national had obtained lists of information stolen from users about their accounts at various financial institutions. One such server contained usernames, passwords, security questions and answers, and account numbers.

As of this writing, the FBI is petitioning Spain to extradite Lisov to the United States.