Andrei Tarasov’s criminal life is not as glamorous as you might expect from a leading criminal actor.
Tarasov (aka Aels and more recently Lavander) left his native Russia because of ‘political persecution’, subsequently claiming to have been granted asylum in Ukraine. He was outspoken in his condemnation of modern Russia, saying he removed himself “Because nothing is left from the ‘great’ country I grew up in except for a bunch of clowns and the battle against America… Because the only things decreasing in price (and value) are vodka, reality, and life.”
The precise date of his flight from Russia is unknown – but despite this antipathy, he returned to Russia in January 2024. This period between the two events is the focus of a report from Intel 471.
Tarasov had been known to law enforcement and threat intelligence analysts for many years, but he came to wider public attention following two US indictments against him, Maksim Silnikau, and Volodymyr Kadariya – and the subsequent arrest (July 18, 2023) of Silnikau in Spain and extradition (August 9, 2024) from Poland.

It is not entirely clear why Silnikau was arrested in one country and extradited from another. It may be that the Spanish authorities released him, but he was subsequently rearrested in Poland based on an Interpol Red Notice. This is conjecture but would align with Tarasov’s arrest in Germany on the same day, and subsequent release six months later. “I think it was the Superior Court in Berlin,” Intel 471 analyst Jeremy Kirk told SecurityWeek, “who decided that the US charges didn’t meet their standards – so, they let him out.”
Having said that, Tarasov’s six-month detention was not a pleasant experience – as we shall see. Meanwhile, it is worth considering the cause of these events. The pivot seems to be the Angler exploit kit, perhaps the most infamous of all exploit kits. Intel 471 does not suggest that Tarasov was involved in its development, merely its use. Similarly, the US indictment simply says the accused “took a leading role in disseminating… an exploit named the Angler Exploit Kit.”
However, in its announcement claiming involvement in Silnikau’s arrest, the UK’s NCA wrote, “These individuals were responsible for the development and distribution of notorious ransomware strains, including Reveton and most recently Ransom Cartel, as well as exploit kits, including Angler, which have extorted tens of millions from victims worldwide.” Yet Kaspersky had, in 2016, concluded that the Lurk group had developed Angler – leading to the arrest of 50 individuals in Russia.
That confusion aside, Tarasov was certainly heavily involved in the use of Angler. Kirk suggested that on balance he probably had some involvement in its development, based on his deep association with exploit kits and that community. “Tarasov has a background in many different things,” said Kirk. “We traced him back to 2010, doing card skimming and spamming and that sort of stuff.” And this was before he got involved with malvertising, exploit kits and system compromises.
It is alleged that he developed, and was paid $2,500 by Kadariya to develop, a traffic distribution system for a malvertising campaign that drew victims to Angler and subsequent compromise. “This reduced the chance malvertisements could be blocked and made it difficult for security researchers to track malware campaigns using exploit kits,” writes Intel 471.
“In June 2017, Tarasov also allegedly discussed with Silnikau a plan to develop a way to lock the internet browsers of people who viewed their malvertisements – a kind of ransom extortion scheme.” This is most likely the origin of Reveton, a scareware form of ransomware that effectively became the first RaaS – and is also pinned on Silnikau, Kadariya, and Tarasov by the NCA.
Fast forward to Tarasov’s detention in Germany. His troubles had already started before his official arrest. On July 8, 2023, he posted on the XSS forum, “That’s right. I’m in Europe; and yes, they talked to me, too. For my old wrongdoing… there’s not enough (yet) data in the case to request my extradition. So, I’m basically free. But the situation is very unpleasant, especially when they offer a few million bucks for testifying against some well-known people. And I’m scared as fuck to say ‘no’.”

He was wrong about the extradition request. Ten days later he was arrested. He was held in Moabit Prison in Berlin, which is a pretrial and extradition detention facility. Nine days after that, the Higher Regional Court of Berlin granted the US more time to file extradition documents.
On September 1, 2023, an actor known as Tagesanzeiger warned the underground community not to interact with Aels (Tarasov) since any communication likely came from the authorities (ultimately the FBI). He also posted a letter supposedly, ultimately, from Tarasov saying that Tarasov had doxed stern – likely to be the stern who was a leading manager in Conti and later Trickbot.
Little was heard from Tarasov for a year after his arrest. Rumors spread. Had he been extradited? Did he escape and flee to Russia? Nothing quite so dramatic. The German authorities had released him after six months’ detention because the extradition request from the US didn’t quite pass German muster. After release, he travelled by car to Poland, and then by car back into Russia – where, for a while, he remained silent.
He is now active again, although perhaps comparatively subdued. He has written about his time in Germany. The Intel 471 report notes, “He wrote he contemplated suicide after his arrest in Germany, which led to his hospitalization in a prison hospital. He was either facing more than 50 years in prison or having to out more cybercrime figures to U.S. authorities in exchange for a lighter sentence.”
An interesting thought here is that he decided returning to Russia – where he would hardly be welcome given his public anti-Russian government statements – would be better than facing prison in the US. Was he right? On October 29, 2024, using the alias Lavander, he wrote on the XSS forum, “This is Aels. Hello, everyone. I’m so fucking happy to see you all.”
He explained how he got from Germany back to Russia, but also commented, “Then, however, an incident happened, and over the following nine months I learned that there were places no better than prison, but that’s a whole ’nother story.” On May 5, 2025, he wrote, “Now I’m stuck in Russia, beginning from the zero. And I still owe my lawyer.”