
How an alleged Russian hacker slipped away

May 15, 2025

On Jan. 5, 2024, Андрей Владимирович Тарасов (Eng. Andrei Vladimirovich Tarasov), a 33-year-old Russian man, was released from Moabit Prison in Berlin. He’d been held there for about six months. Originally from Russia, he’d been living in Berlin when police arrested him July 18, 2023, related to computer crime charges in the U.S. Tarasov was indicted by a grand jury in New Jersey in June 2023 along with Maksim Silnikau, Belarusian and Ukrainian dual national, and Volodymyr Kadariya of Belarus. They were charged with conspiracy to commit wire fraud, conspiracy to commit computer fraud and abuse and two counts of wire fraud. The indictment alleges the three men ran an expansive scheme from October 2013 through March 2022 to infect computers with malware via fake advertisements, or malvertisements, and then sell the stolen data and access. The computers were attacked using a potent tool called the Angler exploit kit, which was designed to quickly probe a computer for vulnerabilities and then silently deliver malware. This scheme was believed to have been used to attack millions of computers worldwide.

Photos published by the U.S. Secret Service of Andrei Vladimirovich Tarasov aka Aels. The photo on the far right shows a faint tryzub, or the Ukrainian trident, the country’s coat of arms, indicating a possible Ukrainian identity document.

By his own account, Tarasov was questioned by the U.S. FBI and claimed he gave information about a malicious hacker the U.S. sought. He claims to have done this because he had lost six friends to Russia’s war in Ukraine. On cybercrime forums, Tarasov expressed anti-Russia views stretching back years, which at times put him at odds with some Russian-speaking threat actors. However, he eventually swore off the FBI after the U.S. continued to pursue his extradition. Then, he caught a lucky legal break: the Generalstaatsanwaltschaft (Eng. General State Prosecution Office) in Berlin applied for his release after concluding the U.S. charges weren’t concrete enough, a decision affirmed Jan. 9, 2024, by the Kammergericht (Eng. Superior Court of Justice) four days after his release. The U.S. charges still stand, but Tarasov is in Russia, which does not extradite its own citizens. To this day, Tarasov is on the U.S. Secret Service Most Wanted list. His Instagram profile displays the link to the Secret Service page, a kind of infamous badge of honor.

A screenshot of Andrei Tarasov’s Instagram account.

Remarkably, his activity on cybercrime forums appears to continue. In this post, we’ll examine Tarasov and his activity under various nicknames, including Aels and Lavander, why exploit kits were so damaging and how Tarasov purportedly made his way back to Russia after being released.

Cybercrime pioneers

Silnikau and Tarasov were arrested the same day, July 18, 2023. The U.K.’s National Crime Agency (NCA) had tracked Silnikau and his partners across Europe and arrested him with international law enforcement partners at an apartment in Estepona, Spain. The NCA outlined the significance of Silnikau’s apprehension shortly after he was arrested. Silnikau, who went by the personas J.P. Morganxxxtargaklm and lansky, and his criminal network “essentially pioneered both the exploit kit and ransomware-as-a-service [RaaS] models, which have made it easier for people to become involved in cybercrime and continue to assist offenders.”

The U.K. NCA published this photo of Silnikau’s arrest in Estepona, Spain, July 18, 2023.

A little over a year after the NCA announced his arrest, the U.S. Department of Justice (DOJ) issued a news release Aug. 12, 2024, detailing the unsealed charges against Tarasov, Silnikau and Kadariya. Silnikau had been released by Spanish authorities, but he was arrested again in Poland and eventually extradited from there to the U.S. three days prior to the news release.

According to the indictment, the three men created bogus media companies and personas to place malicious ads with legitimate online advertising companies. Those harmful ads — known as malvertisements — directed millions of computers to a powerful hacking tool called the Angler exploit kit and infected them with malware. Exploit kits are server-based frameworks that quickly determine the browser type and version a victim is using, along with the versions of multimedia extensions such as Adobe Flash or Microsoft Silverlight. If any of those software programs were vulnerable, the kit would launch an exploit that silently delivered malware to the machine. This was a remarkably efficient way to infect mass numbers of computers that could then be exploited for data theft, fraud and ransomware.

Around the 2010s, exploit kits ruled the day as an infection method. Starting in 2013, Angler was one of the most popular kits, and at its peak it represented 40% of all exploit kit attacks with an estimated annual turnover of US $34 million, according to the NCA. It was a premium cybercrime tool. It was rented for a fee of up to US $5,000 per month and received regular exploit updates to capitalize on new vulnerabilities. It became the distribution mechanism for early ransomware strains including CryptoWall, TeslaCrypt, AlphaCrypt and CryptXXX.

Once infected, the computers and their data were offered for sale on cybercrime forums, with the data from each computer sold as logs, a type of cybercriminal product that comprises a bundle of data stolen from an infected machine, such as login credentials and financial information. This type of data exfiltration and resale still occurs on a massive scale today. The use of exploit kits faded over time, however, as their effectiveness diminished with the retirement of often-buggy multimedia plug-ins and better browser security, including automated patch updates.

The indictment accuses Tarasov of working closely with Silnikau and Kadariya on malware deployment. It’s alleged that Tarasov agreed to develop a traffic distribution system (TDS) for Kadariya for US $2,500 that would only show malvertisements to specific types of computers. This reduced the chance malvertisements could be blocked and made it difficult for security researchers to track malware campaigns using exploit kits. In June 2017, Tarasov also allegedly discussed with Silnikau a plan to develop a way to lock the internet browsers of people who viewed their malvertisements — a kind of ransom extortion scheme.

Silnikau still faces other charges in the U.S. He was also indicted in the U.S. District Court for the Eastern District of Virginia for allegedly being the administrator of the Ransom Cartel ransomware group and other ransomware operations starting in May 2021. Although it is not alleged in either of the U.S. indictments against Silnikau, U.K. police allege he was also involved in the launch of Reveton, which was the very first RaaS gang. This is a cybercrime business model that continues to this day. Ransomware coders and developers offer malware, infrastructure, negotiation and other services to other criminal groups in exchange for a share of ransoms paid by organizations. This sharing of tools, resources and ransoms has allowed this type of crime to scale, with thousands of ransomware and data extortion attacks occurring annually.

Silnikau made his first appearance in the New Jersey federal court after his extradition from Poland Aug. 12, 2024. According to PACER, the online U.S. federal court document repository, Silnikau’s case is continuing in the Eastern District of Virginia while the New Jersey charges appear on hold. Like Tarasov, Kadariya is at large and on the Secret Service’s Most Wanted list, and the State Department has an up to US $2.5 million reward offer for information leading to his arrest or conviction.

Aels: Long-running actor

Long before the indictment against him, Tarasov’s personas had been active on cybercriminal forums. One of his main online handles is Aels. The actor is a long-standing member of Russian cybercrime forums who joined the underground community around 2010. The actor has an extensive history of fraudulent activity, engaging in carding, malware spamming and payment card sniffer schemes. The actor participated in technical discussions and was primarily active in exploit-, malware- and vulnerability-related forum sections.

The image depicts a screenshot of Aels' profiles on the Exploit (left) and XSS (right) forums, which were captured Aug. 3, 2023.

An analysis of Aels’ online posts from 2012 to 2015 revealed the actor was a notable figure in the exploit kit community. The actor was in direct contact with the majority of exploit kit owners and developers, including the actor GrandSoft of the SploitX exploit kit, Nuclear of the Nuclear Pack exploit kit, Paunch of the Blackhole exploit kit, феня (Eng. fenia) of the Phoenix exploit kit and хио (Eng. khio) associated with the Eleonore exploit kit. The actor Aels was also seen in discussions related to the Cool, Styx and Sweet Orange exploit kits.

In subsequent years, Aels published various posts around vulnerability exploitation, skimming, spamming and malicious traffic and had a strong interest in ransomware. Other activity included:

— April 12, 2017: Offered to sell a Microsoft Word remote code execution (RCE) vulnerability based on a recently disclosed Microsoft Office zero-day vulnerability.

— April 9, 2019: Shared information from the NCA website about Zain Qaiser, a U.K. man who received six years and five months in prison in connection with using the Angler exploit kit to infect computers with malware and the Reveton ransomware. Qaiser went by the online persona K!NG.

— April 19, 2022: Claimed to use the domain registration service at domaindiscount24.com for spamming purposes.

— Aug. 26, 2022: Auctioned unauthorized web shell access to 758 corporate email servers running the Zimbra Collaboration Suite (ZCS). The actor allegedly exploited the CVE-2022-37042 authentication bypass vulnerability to gain access to the impacted servers, which ran ZCS versions 8.8.15 Patch 32 and earlier and ZCS versions 9.0.0 Patch 25 and earlier. The compromise allegedly impacted more than 100,000 email accounts.

— Feb. 7, 2023: Offered to sell a manual on Microsoft Outlook spamming.
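As an added example (not code from the post, from Intel 471 or from Zimbra), the following Python inventory check flags ZCS builds that fall inside the affected ranges named above for CVE-2022-37042. The version-string formats it accepts and the sample inventory are assumptions constructed for the example.

```python
"""Triage a ZCS inventory against the CVE-2022-37042 affected ranges.

Assumed (constructed) input formats: "8.8.15 Patch 32", "8.8.15_P32",
"9.0.0 P26" or a bare "9.0.0", which is treated as patch level 0."""
import re
from typing import Dict, List, Optional, Tuple

# Inclusive upper bound of the affected patch level per release branch,
# as stated in the post: 8.8.15 up to Patch 32, 9.0.0 up to Patch 25.
AFFECTED_MAX_PATCH = {
    (8, 8, 15): 32,
    (9, 0, 0): 25,
}

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)"          # release x.y.z
    r"(?:[\s_]*(?:Patch|P)\s*(\d+))?",  # optional "Patch N" / "_PN" suffix
    re.IGNORECASE,
)


def parse_zcs_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Return ((major, minor, micro), patch). Missing patch level -> 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZCS version string: {text!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    patch = int(m.group(4)) if m.group(4) else 0
    return release, patch


def is_affected(text: str) -> Optional[bool]:
    """True if inside an affected range, False if a later patch on an
    affected branch, None if the branch is not listed (e.g. 10.x), in
    which case the caller must consult the vendor advisory separately."""
    release, patch = parse_zcs_version(text)
    max_patch = AFFECTED_MAX_PATCH.get(release)
    if max_patch is None:
        return None
    return patch <= max_patch


def triage(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket a {hostname: version string} inventory for follow-up."""
    out: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, ver in hosts.items():
        state = is_affected(ver)
        key = "unknown" if state is None else ("affected" if state else "patched")
        out[key].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = {
        "mail1.example.test": "8.8.15 Patch 32",
        "mail2.example.test": "8.8.15_P33",
        "mail3.example.test": "9.0.0",
        "mail4.example.test": "9.0.0 P26",
        "mail5.example.test": "10.0.0 P1",
    }
    for bucket, names in triage(sample).items():
        print(bucket, names)
```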

Trouble brews

The first public signs of Aels’ trouble appeared July 8, 2023, in a post on the XSS forum. The actor disclosed that authorities approached him.

The actor wrote:

“That's right. I'm in Europe; and yes, they talked to me, too. For my old wrongdoing. There's a case in the United States, in which I'm a witness. I've managed to get a residence permit here, so I am under the protection of the German government. Besides, there's not enough (yet) data in the case to request my extradition. So, I'm basically free. But the situation is very unpleasant, especially when they offer a few million bucks for testifying against some well-known people. And I'm scared as fuck to say ‘no’.”

Shortly thereafter in mid-July 2023, we observed rumors on the Exploit and XSS cybercrime forums about Aels’ arrest. On July 26, 2023, a newcomer to the XSS cybercrime forum, the actor Tagesanzeiger, confirmed Tarasov’s arrest by German authorities in Berlin. 

The actor revealed additional details, including Aels’ first name Andrei. The actor solicited cryptocurrency donations to help Tarasov and posted a short video of Arkady Bukh, a New York, U.S.-based criminal lawyer who previously defended Eastern European and Russian defendants accused of cybercrime. In the video, Bukh advocates for donations for Tarasov, mentioning Andrei Tarasov’s full name and the Aels nickname, saying the funds will help in his defense as well as in prison while he awaits extradition. Bukh confirmed the video is him.

Tarasov was held in Moabit Prison in Berlin, which is a pretrial and extradition detention facility. On Sept. 1, 2023, Tagesanzeiger posted a link to a screenshot of a document from the Higher Regional Court of Berlin. On July 27, 2023, the court granted the U.S. more time to file extradition documents related to Tarasov’s case due to its complexity.

The Higher Regional Court of Berlin document Tagesanzeiger shared related to the extradition request the U.S. filed with Germany for custody of Andrei Tarasov, who was indicted on computer crime charges. The original is on the left and a translated version on the right.

The actor Tagesanzeiger followed up with a long post on XSS Sept. 1, 2023. The post advises other threat actors to not interact with the Aels handle if contacted on the forums and Telegram, likely because those communications might be coming from law enforcement agents who control the account rather than Tarasov.

The post also includes what Tagesanzeiger contends is a letter Tarasov wrote to a close friend that was then passed to Tagesanzeiger. The letter makes several contentions about law enforcement’s interrogations of Tarasov. Intel 471 could not verify the letter as coming from Tarasov. However, Tagesanzeiger had access to the Higher Court document related to Tarasov and the video from Bukh, which Bukh has verified, so it is possible the letter did come from Tarasov.

The contentions include:

  • The FBI wanted Tarasov’s help in tracking down a threat actor they’d been pursuing for five years. The person was the subject of a US $10 million reward offer by the U.S. Tarasov wrote he found the person for the FBI “because I couldn’t forgive him for the war that took away my home for the second time and took the lives of six of my friends,” referring to the war in Ukraine. Tarasov regretted not forgiving the person, and writes that the person is now “safe.” Tarasov later indicated in online posts the threat actor he identified for the FBI was stern and said he doxed stern due to his involvement with the Conti ransomware group. The group supported Russia’s war against Ukraine.

(Note: Many threat actors have used the moniker stern, but one of the most notable stern personas was a top-tier manager in the Conti ransomware group hierarchy who was also involved in the Trickbot botnet. In May 2022, the U.S. State Department published a reward offer of up to US $10 million for information related to Conti group members and expanded the bounties later that year. Although the stern nickname was not mentioned in the information about the expanded bounties, the actor’s real identity would certainly be sought by U.S. law enforcement.)

 An Instagram account linked to Tarasov published this photo Feb. 9, 2025. The business card purports to belong to an FBI special agent who Tarasov claims questioned him in Berlin. The caption refers to Tarasov’s claim that he doxed a threat actor going by the persona stern.
  • The FBI wanted help capturing the threat actor b1shop but b1shop apparently found out about it.
  • The FBI also wanted help finding the leader of Cl0p, purportedly offering Tarasov US $2 million or US $3 million in exchange. Tarasov writes that he refused the offer. He then wrote: “Guys from LockBit, this is why I didn’t work with you; you are the next ones on that list.” This is a reference to the LockBit RaaS, which was targeted by disruptive law enforcement actions repeatedly in 2024.
  • Tarasov expressed disgust with the FBI, contending that agents will seem friendly but “then they'll eat you up.”
  • Tarasov contended the authorities had connected him to three criminal cases, including one involving the Cl0p group from around early 2022. Tarasov expressed concern that he would be made to look like a member of the gang unless he cooperated. Tarasov indicated he would not cooperate: “I won't sell and ruin the lives of those who trust me.”

Anti-Russia sentiments

The actor Aels maintained a good reputation across cybercrime forums. He was known to lend help, often without charge, to other threat actors. But there was one sticking point: he was outspoken about his views of Russia and the war Russia is waging in Ukraine.

The anti-Russia views go back a number of years. On May 11, 2015, Aels engaged in a debate about May 9 — Victory Day in Russia that commemorates the defeat of Germany in World War II. It has been marked by large military parades in Moscow, tributes and other events. The actor expressed strong discontent about the patriotic pomp and circumstance given what he contended was a barely functioning country. In one message, he writes:

“Yes, it pains me to my core that not a single government institution works in the country that's driven into the abyss by its own people who are cheering to ‘Krymnash’ [Crimea is ours], ‘we won in 1945, so we can repeat that,’ and ‘beating the fascists,’ be it the judicial system, healthcare, education, literally nothing. While the country is pissing its pants to the sounds of ‘Farewell of Slavianka,’ Proton and Topol missiles are falling all over, hospitals are being closed, people are shooting themselves because they can't stand their pain from the tumors and can't buy painkillers. Because Russia is in conflict with the entire world but is friends with North Korea and Venezuela. Because nothing is left from the ‘great’ country I grew up in except for a bunch of clowns and the battle against America. Because I have nothing to bring my friends except for a freaking matryoshka, because Russia doesn't make anything else. Because the only things decreasing in price (and value) are vodka, reality, and life.

Because in Germany (which ‘lost’), people woke up from their nationalistic frenzy and built a decent country. 80 million Germans provide 6% of the global GDP; they don't have oil and gas, but they provide their senior citizens with EUR 2k pensions.

Russia, which ‘won,’ is responsible for 2% of the global GDP with a 120 million population; 90% of it is from oil and gas production. So, essentially, we make absolutely nothing. But we march the squares with funny ribbons whose names we don't even remember, and we're claiming to one another that ‘we won’ and ‘we are great.’

Why did we waste RUB 120 million on fireworks but hospitals were closed because we weren't able to pay the doctors the pathetic 100 million in salary? What the fuck??! Wake up, people. We're free falling into the abyss.”

Tarasov may have lived in Ukraine for some time. A photo included in the Secret Service’s Most Wanted posting shows a profile photo of Tarasov that appears to have been taken from a Ukraine-issued identity document, given the presence of a visible tryzub, or the Ukrainian trident, the country’s coat of arms. Further, the U.S. indictment states Tarasov resided in Ukraine, but does not specify over what time period. One threat actor, bratvacorp, wrote in a forum post that Aels had claimed to have been granted asylum in Ukraine due to political persecution in Russia. This claim could not be verified. However, Tarasov’s co-defendant in the U.S. criminal case, Kadariya, apparently eventually became a Ukrainian citizen after first applying for refugee status based on a claim of political persecution, according to a Sept. 4, 2024, Voice of America news story.

After Tarasov’s arrest, some threat actors discussed why they should support him financially for his legal costs given his views of Russia. On July 26, 2023, the actor Desoxyn wrote on the XSS forum: 

“I'm sorry, but if he hadn't been actively donating money to the Armed Forces of Ukraine and their funds, would he possibly have more money ‘in his pocket’? He (according to his own words) is a former Russian citizen who has changed sides and whose citizenship was revoked. Personally, I cannot help a person who was sponsoring the slaughter of my fellow citizens (and his own former fellow citizens), even despite all his accomplishments. He has chosen a side himself. He has gone into the hands of the cops himself.”

The actor Tagesanzeiger attempted to tamp down the animosity toward Tarasov in a Sept. 1, 2023, post:

“Guys, I have a huge favor to ask! In my previous post, there undoubtedly were a lot of words of support for Andrey [sic]. In addition to that, there were several people who started fueling a political conflict. I ask you to abstain from political discussions, they won't lead to anything. What happened, happened. I often see people who are trying to defend their stance and express who's good and who's bad. Unfortunately or fortunately, I won't be the judge of that, this will lead to nothing. There are no good or bad people among us. Let's respect each other!”

Departing Germany

About a year after Tarasov’s arrest, discussion of his whereabouts and fate surfaced on the Exploit underground forum. The actor bratvacorp, a generally reliable source of information about the Eastern European cybercriminal underground, wrote July 5, 2024, that it was thought Tarasov had been extradited to the U.S.

The actor posted another message Oct. 20, 2024, claiming someone said Tarasov had not been extradited but fled from Germany to Russia. The actor found this claim doubtful, however, writing that “except for sons of highly-placed Russian senators and ultra-wealthy crypto millionaires, no one normally gets released on house arrest, especially if a person was arrested in a third country on a U.S. extradition request.” 

The actor continued:

“If we imagine the highly unlikely situation when the person COULD have been released on house arrest, then yes, it's true that the bracelet can be taken off, BUT an escape from Germany to Russia is something that can happen only in a Hollywood movie. You need extensive connections and REAL criminal experience (which most of us lack, and it's probably a good thing). Even if the person has somehow managed to reach Poland with an Interpol Red Notice, under the current circumstances, he won't be able to cross the Polish border into Russia. And if we assume that the nearly impossible thing happens and our superman somehow manages to cross the border, he'll be arrested in Russia and held in detention for at least a week (minimum) until the situation is fixed (if he has any fixers). Aels himself claimed that he had been persecuted in Russia for political reasons, which is why he had been granted asylum in Ukraine — with that being the case, it's 99.99% likely that he WILL NOT be able to contact you and share the good news about his ‘escape.’”

Five days later, bratvacorp made a startling claim:

“It took me some time to double-check everything. You can congratulate Aels: he's in Russia. Looks like he managed to get away from extradition (there's also no information as to how he did it at the moment) by the end of last November. He entered the Russian Federation via a car from Poland sometime around January 10th (there's a confirmation that he crossed the border with his passport and personal data). This is how this story ends.”

In another post a day later, bratvacorp clarified Tarasov crossed the border into Russia’s territory of Kaliningrad by car from Poland at the Mamonovo-Grzechotki border checkpoint.

Similar to other countries, Russia has experienced many data breaches, including some involving border crossings. One nicknamed Cordon 2023 purportedly leaked all border crossings by Russian citizens between 2014 and 2023. Cordon 2023 contained names, birthdates, times and places of border crossings, and vehicles used and number plates, according to the Moscow Times. Other data may be available from corrupt Russian government authorities and law enforcement. The actor bratvacorp did not specify from what database the finding was sourced and Intel 471 was unable to replicate it.

‘Lavander’ speaks

On Oct. 29, 2024, just a few days after bratvacorp’s post, someone using the handle Lavander identified himself as Aels on the XSS forum:

“This is Aels. Hello, everyone. I'm so fucking happy to see you all.”

The actor wrote that he was surprised and confused to be released from extradition detention in Germany. He considered going to see his girlfriend or going straight to Russia to acquire new identification documents. He opted for Russia. The actor wrote he used the BlaBlaCar ride-sharing service to get to Poland, which he claims meant he didn’t need to show the real identity documents required for other modes of transport. From there, he writes, he crossed into Kaliningrad by vehicle and then eventually flew to Moscow. The actor then hinted at troubles with Russian authorities:

“Then, however, an incident happened, and over the following nine months I learned that there were places no better than prison, but that's a whole 'nother story.”

Conclusion

Tarasov is active today in spamming and cybercrime circles. His GitHub has several projects related to mass emailing and spam, one of which — MadCat Mailer, a command-line spamming application written in Python — was recently updated. On Telegram, he participates in chats on a spamming channel under the persona Lavander (Aels). “Need to find a way to hack Zimbra servers at scale,” Lavander (Aels) wrote on the Telegram channel May 3, 2025.

Tarasov’s case and circumstances are a curiosity to others in the cybercrime community. In between discussions about effective spam techniques, Lavander (Aels) continues to answer questions about his time in Germany and now his time in Russia. He writes in English on the channel.

There are many unverifiable claims. The actor claims he is still paying friends back about US $10,000 for loaning him money toward US $80,000 in legal fees for his German lawyer: “Not cheap at all, but saved my life.” In another message May 5, 2025, he wrote: “Now I'm stuck in Russia, beginning from the zero. And I still owe my lawyer.”

He wrote he contemplated suicide after his arrest in Germany, which led to his hospitalization in a prison hospital. The reason, he wrote, was that he faced either more than 50 years in prison or having to out more cybercrime figures to U.S. authorities in exchange for a lighter sentence. Another actor on the channel advised “don’t touch USA” when doing cybercrime. The actor Lavander (Aels) wrote: “Too late for me. When you work in traffic (Angler EK times), you touch entire globe at once.”

On April 30, 2025, the user bloodhouse asked Lavander (Aels) on the Telegram channel: “Where did you go wrong, Aels? Why were you arrested? If you could go back, what would you have done differently? Just out of curiosity—they say wisdom is learning from the mistakes of others.”

The actor wrote back in broken English: “My mistake was an attempt to make friendship with both sides. It will be a good idea to leave EU and disappear after first meeting [with law enforcement]. Also doxing stern was a mistake, cuz it haven't returned my killed friends back to life anyway.”
