Cybercriminal Andrei Tarasov Escapes US Extradition, Returns to Russia
Andrei Vladimirovich Tarasov, a 33-year-old Russian cybercrime figure known online as “Aels,” has returned to Russia after evading US extradition.
Released from Berlin’s Moabit Prison on January 5, 2024, Tarasov had been held for approximately six months following his July 2023 arrest on computer crime charges.
The Berlin Superior Court of Justice determined that US charges weren’t concrete enough, paving the way for his release.
Despite still being on the US Secret Service Most Wanted list, Tarasov is now safely in Russia, which does not extradite its citizens.
Tarasov was indicted by a US grand jury in New Jersey in June 2023, along with co-defendants Maksim Silnikau and Volodymyr Kadariya.
They faced charges of conspiracy to commit wire fraud, computer fraud and abuse, and two counts of wire fraud.
According to the indictment, the trio ran an extensive cybercrime operation from 2013 to 2022 using “malvertisements” – fake advertisements that directed millions of computers to the Angler exploit kit.
The Angler exploit kit was a powerful hacking tool that quickly probed victim computers for vulnerabilities in software like Adobe Flash and Microsoft Silverlight, then silently delivered malware.
At its peak, the kit represented 40% of all exploit kit attacks with an estimated annual turnover of $34 million.
Tarasov allegedly developed specialized traffic distribution systems that showed malvertisements only to specific types of computers, making campaigns difficult to track and block.
To this day, Tarasov is on the U.S. Secret Service Most Wanted list. His Instagram profile displays the link to the Secret Service page, a kind of infamous badge of honor.
Remarkably, his activity on cybercrime forums appears to continue. In this post, we’ll examine Tarasov and his activity under various nicknames, including Aels and Lavander.
FBI Cooperation and Ukraine Conflict
According to forum posts and letters allegedly written by Tarasov, he claimed FBI agents approached him to help capture other cybercriminals, including a threat actor who had a $10 million US bounty.
Tarasov reportedly identified a hacker known as “stern” due to personal grievances related to Russia’s invasion of Ukraine.
“I doxed stern because I couldn’t forgive him for the war that took away my home for the second time and took the lives of six of my friends,” Tarasov reportedly wrote.
Long before the indictment was alleged against him, Tarasov’s personas had been active on cybercriminal forums. One of his main online handles is Aels.
An analysis of Aels’ online posts from 2012 to 2015 revealed the actor was a notable figure in the exploit kit community.
He later expressed regret for cooperating with US authorities. Notably, Tarasov had expressed anti-Russia sentiments for years on cybercrime forums, which sometimes put him at odds with Russian-speaking threat actors.
Escape to Russia and Current Activities
After his unexpected release from German custody, Tarasov made a calculated escape to Russia.
According to his own account on the XSS cybercrime forum under the handle “Lavander,” he used the BlaBlaCar ride-sharing service to reach Poland without showing identification documents required for other transport modes.
He then crossed into Russia’s Kaliningrad territory by vehicle before eventually flying to Moscow.
Tarasov remains active in cybercrime circles today. His GitHub features several recently updated projects related to mass emailing and spam, including “MadCat Mailer.”
On Telegram, he participates in spamming channels under his “Lavander” persona. On May 3, 2025, he wrote, “Need to find a way to hack Zimbra servers at scale.”
When asked about lessons learned, Tarasov responded, “My mistake was an attempt to make friendship with both sides.
It will be a good idea to leave EU and disappear after first meeting [with law enforcement]”.