Russian hacker accused of creating NeverQuest malware pleads guilty

Stanislov Lisov created the NeverQuest banking malware that was used against hundreds of financial institutions
vault 7
The façade of Thurgood Marshall United States Courthouse in New York City. (Getty)

Stanislav Lisov, a Russian hacker accused of creating banking malware used to steal $885,000, pleaded guilty to one count of conspiracy to commit computer hacking in the U.S. Southern District Court of New York Friday.

Lisov created the NeverQuest banking malware that was used against hundreds of financial institutions.

Lisov was facing 35 years in prison when he was extradited to the U.S. from Spain after being apprehended in Barcelona in 2017. Lisov faces a maximum of five years in prison under the terms of his plea deal, according to his lawyer.

“My client spent over a year in jail in Barcelona, Spain while in extradition,” lawyer Arkady Bukh said in a statement. “[It] then took over a year here in the United States to negotiate this plea.”


Lisov was one of a number of alleged Russian hackers apprehended by international authorities while outside Russia at the behest of the U.S. law enforcement. He was taken into custody in the Barcelona airport in 2017 during his honeymoon.

NeverQuest first was discovered in 2014 and quickly picked up by organized cybercriminal groups. The malware would infect specific banking and investment banking customers then alert its operator to where it arrived. Attackers then would funnel cash from one hacked account into others, laundering the funds through a number of accounts under their control to disguise their location, according to Kaspersky.

“Neverquest is believed to be a cybercrime-as-a-service platform that supported a number of geo-specific operators who used the malware and botnet to rob bank accounts and share the loot with operators,” IBM researcher Limor Kessem wrote in a 2017 analysis of NeverQuest operations. “Similar to the way the Dridex botnet is divided into numbered campaigns and sub-botnets, Neverquest is also programmed to create this distinction: As soon as it lands on a newly infected endpoint, it calls home with a numeric ID that identifies its campaign.

The full indictment against Lisov is available below.

[documentcloud url=”” responsive=true]

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts