Stanislav Lisov in custody (Source: Guardia Civil)

Spanish police officers arrested and jailed a Russian national last Friday, January 13, on suspicion of creating and operating the NeverQuest banking trojan.

Officers of Spain's Guardia Civil said they arrested 32-year-old Stanislav Lisov based on an international arrest warrant issued by Interpol at the FBI's request.

When he was arrested, Lisov was vacationing in Spain. The suspect and his wife returned a rented car at Barcelona's El Prat airport and were arrested as soon as they got out of the vehicle in the airport's parking lot. The couple was planning to board a flight to visit friends in Lyon, France.

Lisov awaiting extradition to the US

A judge later ruled that Lisov needed to be jailed, as there was a high chance he could flee the country. US authorities are asking for Lisov's extradition.

Lisov's wife told Russian media that police didn't inform them of the reason her husband was being detained. Russian media also say Lisov is just a systems administrator and web developer at a company in Taganrog, Russia.

Some Russian authorities reacted by calling the arrest an "international kidnapping." They also had the same reaction when Czech authorities arrested Yevgeniy Aleksandrovich Nikulin in Prague in October 2016. Nikulin is the main suspect behind data breaches at LinkedIn, Dropbox, and Formspring.

Lisov accused of creating and managing NeverQuest banking trojan

In an official statement published today, Spanish police made it clear that the FBI had requested Lisov's arrest after a two-year-old investigation that started in 2014.

Investigators found servers in France and Germany with data stolen from financial institutions, which they later tracked down to Lisov, whom they now suspect of being one of the many architects of the NeverQuest banking trojan, also known as Vawtrak or Snifula.

NeverQuest market share among banking trojans (Source: IBM, August 2016)

According to statistics from IBM X-Force, NeverQuest is one of today's most common banking trojans, with a market share that hovers around 20% of all banking trojans active today.

According to a report released by Sophos Labs in June 2016, NeverQuest recently received a major update.