
Spanish Court Approves Suspected Hacker's Extradition

Russian Citizen Arrested in Barcelona While On His Honeymoon
The Spanish National Court (Audiencia Nacional) in Madrid. (Photo: FDV, via Wikimedia/CC)

Spain has approved a U.S. government request to extradite a Russian national who allegedly helped organize and profit from a prolific banking Trojan.


But the suspect, Russian national Stanislav Lisov, 31, has until Friday to appeal the decision by the Spanish National Court in Madrid, and one of his attorneys has said that his client plans to do so.

Lisov was detained on January 13 by Spain's Civil Guard, assisted by FBI agents, at Barcelona's El Prat airport, when he and his wife were wrapping up their honeymoon, according to multiple press reports.

The U.S. Department of Justice couldn't be immediately reached for comment.

A programmer by trade, Lisov has stated in court that he is innocent of the charges filed against him and has sought to have the extradition request quashed.

But according to charges detailed last week in the Spanish court, a U.S. federal grand jury has indicted Lisov - aka "Black" and "Blackf" - for crimes related to the "Neverquest" banking Trojan, based on Justice Department allegations that his actions resulted in $855,000 being stolen from U.S. banking customers between June 2012 and January 2015, according to multiple press reports.

The Neverquest malware is also known as Vawtrak and Snifula. According to court testimony, U.S. prosecutors have accused Lisov of obtaining access to servers in France and Germany that were used as part of command-and-control operations tied to Neverquest attacks, Associated Press reports.

Stanislav Lisov (undated photograph)

Based on the computer abuse and fraud charges filed against Lisov as part of a two-year Justice Department investigation, he faces up to 35 years in prison, Reuters reports.

Two of Lisov's Madrid-based attorneys - Oleg Gubarev and Juan Manuel Arroyo - could not be immediately reached for comment on the approval of the extradition request by the Spanish National Court, which oversees crimes that have an international component.

Arroyo told the court last week that his client had been arrested as part of a political "chess game" between Washington and Moscow, AP reports. The attorney had sought to have the charges dismissed on the grounds that the United States had failed to prove that his client created, distributed or profited from Neverquest, or that he had any connection to the missing money.

But the public prosecutor countered that there had been no sign of any ideological agenda behind Lisov's indictment, and requested that the court approve the U.S. extradition request, AP reports.

Neverquest Targets Banks

U.S. prosecutors have accused Lisov of being tied to Neverquest, a banking Trojan that first appeared in 2006. The malware has continued to be updated in recent years, for example with better Web injection - or "man in the browser" - attack capabilities that allow the malicious code to hook into Windows processes, gain direct access to raw data and manipulate the browser to disguise its activities. Such Web injection capabilities enable attackers to surreptitiously drain victims' bank accounts while the victims are logged into online banking.

By July 2014, Symantec was reporting that Neverquest contained 400 unique strings for specific types of web services - "social networking, customer relationship management, Web mail, messaging, cloud computing, storage, financial, online movie, photo sharing and gaming services" - and that the malware would launch whenever a user visited one of the designated sites. "The [malware] monitors the Web pages users visit and starts logging when any of the strings in the configuration file matches with part of a URL or Web page content," Symantec said. Such activities could be used to capture users' credentials, for starters.

Symantec also noted that the malware, at that time, included Web injection configuration files designed to emulate dozens of financial institutions in the United States, as well as Germany and Japan. Such files would allow the malware to transfer money - to attacker-controlled accounts - while displaying a fake, lookalike screen to an online bank account user, to disguise the attack.

The Web injections developed by the Neverquest team were later somehow obtained and put to use by the group behind Shifu malware to attack online banking platforms in Japan and Europe (see Banking Malware: Big in Japan).

Russians Detained on Holiday

Lisov is only the latest suspected Russian hacker to be detained while vacationing abroad, at the request of U.S. authorities.

Last week, police in Greece arrested Alexander Vinnik, 38, for allegedly running a massive money laundering operation that processed $4 billion in bitcoins via a cryptocurrency exchange called BTC-e, according to a 21-count federal indictment. The Justice Department is now seeking Vinnik's extradition.

Other suspected Russian hackers have also been detained in locations ranging from Amsterdam, to Prague, to the Maldives, at the request of U.S. authorities, who have then sought their extradition (see Hackers' Vacation Plans in Disarray After Prague Arrest).

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
