Suspected Hacker Behind the NeverQuest Banking Trojan Arrested in Spain

In 2013, researchers from Kaspersky Lab’s SecureList published “Online Banking Faces a New Threat” and explained the threat NeverQuest, a banking trojan, posed to the public. Three-and-a-half years after a hacker listed the malware on a forum, Spain’s Guardia Civil announced that officers arrested NeverQuest’s creator. The press release revealed that the FBI requested Interpol issue an arrest warrant for the 32-year-old Russian national, Stanislav Lisov.

The NeverQuest banking trojan “could be used to attack ‘about 100 banks’ by seeding add-on code onto bank websites,” the NeverQuest forum post explained. NeverQuest appeared on a secret Russian forum known for data dumps and many of the trojans in the wild today. When the infected user visited one of the services the malware identified—using Internet Explorer or Firefox—the NeverQuest installed malicious JavaScripts. Once the scripts deployed, NeverQuest manipulated the connection between the victim and the particular website visited. The malware sent stolen bank credentials to hackers across the globe—to the amount of $5,000,000, according to the Guardia Civil.

Upon returning a rental car to an airport rental location on January 13, the Guardia Civil arrested Stanislav Lisov. According to the announcement, “the Civil Escape Team of the Central Operative Unit (UCO) of the Civil Guard who had detected their presence in Catalonia, after Several days of surveillance intercepted him when he intended to leave Spain on a flight bound for another EU country.” BleepingComputer wrote that the couple planned to visit friends in Lyon, France.

The Guardia Civil explained the Lisov arrest:

Lisov was considered a major operator of NeverQuest, having been charged among other illicit, of the creation and administration of a network of computers infected with NeverQuest using the leasing and acquisition of servers of computers used to administer that system.

A thorough investigation of the servers operated by Lisov in France and Germany revealed databases with stolen lists of information from accounts of financial institutions, with data indicating, among other things, account balances. One of the servers leased by Lisov contained files with millions of login credentials, including usernames, passwords, and security questions and answers, for the bank and financial website accounts.

Interpol “asked” Spain to arrest the suspect with an international warrant. Although US law enforcement initiated the ordeal, the FBI needed Interpol to issue the detention order. Spain, outside of Interpol’s order, never announced any legal matters with the Russian citizen. Daria Lisov, the suspected hacker’s wife, told RT that authorities refused to tell both her and her husband the reason for the arrest. “We were detained at the airport of Barcelona ​​when we went to pay for a rental car,” she said. “When we got out of the car, we were approached by two police officers.” The Guardia only told her, she said, “that the detention was at the request of the FBI and Interpol.”

Law enforcement, specifically the FBI, believe Lisov created the NeverQuest banking trojan after finding stolen financial data on servers in France and Germany. Officials claimed that the servers traced back to the suspect. The wife told RT that Lisov worked in the IT field as a software quality assurance professional at a company that sells e-commerce platforms in Taganrog, Russia. The company, “Oggetto” or “Odzhetto Web,” declined to comment.

Lisov, if extradited and found guilty, will join a handful of internationally-located hackers that the US chased down and convicted.