Cyber Web Spider Blog – News

Andrei Tarasov: Inside the Journey of a Russian Hacker on the FBI’s Most Wanted List

Posted on May 15, 2025 By CWS

Andrei Tarasov’s criminal life is not as glamorous as you might expect from a leading criminal actor.

Tarasov (aka Aels and more recently Lavander) left his native Russia because of ‘political persecution’, subsequently claiming to have been granted asylum in Ukraine. He was outspoken in his condemnation of modern Russia, saying he removed himself “Because nothing is left from the ‘nice’ nation I grew up in apart from a bunch of clowns and the battle against America… Because the only things lowering in worth (and worth) are vodka, actuality, and life.”

The exact date of his flight from Russia is unknown – but despite this antipathy, he returned to Russia in January 2024. The period between the two events is the focus of a report from Intel 471.

Tarasov had been known to law enforcement and threat intelligence analysts for many years, but he came to wider public attention following two US indictments against him, Maksim Silnikau, and Volodymyr Kadariya – and the subsequent arrest (July 18, 2023) of Silnikau in Spain and extradition (August 9, 2024) from Poland.

It’s not entirely clear why Silnikau was arrested in one country and extradited from another. It may be that the Spanish authorities released him, but he was subsequently rearrested in Poland based on an Interpol Red Notice. This is conjecture but would align with Tarasov’s arrest in Germany on the same day, and subsequent release six months later. “I think it was the Superior Court in Berlin,” Intel 471 analyst Jeremy Kirk told SecurityWeek, “who decided that the US charges didn’t meet their requirements – so, they let him out.”

Having said that, Tarasov’s six-month detention was not a pleasant experience – as we shall see. Meanwhile, it’s worth considering the cause of these events. The pivot seems to be the Angler exploit kit, perhaps the most notorious of all exploit kits. Intel 471 does not suggest that Tarasov was involved in its development, merely its use. Similarly, the US indictment merely says the accused “took a leading role in disseminating… an exploit named the Angler Exploit Kit.”

However, in its announcement claiming involvement in Silnikau’s arrest, the UK’s NCA wrote, “These individuals were responsible for the development and distribution of notorious ransomware strains, including Reveton and most recently Ransom Cartel, as well as exploit kits, including Angler, which have extorted tens of millions from victims worldwide.” Yet Kaspersky had, in 2016, concluded that the Lurk group had developed Angler – leading to the arrest of fifty people in Russia.

That confusion aside, Tarasov was certainly heavily involved in the use of Angler. Kirk suggested that on balance he probably had some involvement in its development, based on his deep association with exploit kits and that community. “Tarasov has a background in many different things,” said Kirk. “We traced him back to 2010, doing card skimming and spamming and that kind of stuff.” And this was before he got involved with malvertising, exploit kits and system compromises.

It’s alleged that he developed, and was paid $2,500 by Kadariya to develop, a traffic distribution system for a malvertising campaign that drew victims to Angler and subsequent compromise. “This reduced the chance malvertisements could be blocked and made it difficult for security researchers to track malware campaigns using exploit kits,” writes Intel 471.

“In June 2017, Tarasov also allegedly discussed with Silnikau a plan to develop a method to lock the web browsers of people who viewed their malvertisements – a type of ransom extortion scheme.” This is almost certainly the origin of Reveton, a scareware type of ransomware that effectively became the first RaaS – and can be pinned on Silnikau, Kadariya, and Tarasov by the NCA.

Fast forward to Tarasov’s detention in Germany. His troubles had already started before his official arrest. On July 8, 2023, he posted on the XSS forum, “That’s right. I’m in Europe; and yes, they talked to me, too. For my old wrongdoing… there’s not enough (yet) information in the case to request my extradition. So, I’m basically free. But the situation is very unpleasant, especially when they offer a few million bucks for testifying against some well-known people. And I’m scared as fuck to say ‘no’.”

He was mistaken about the extradition request. Ten days later he was arrested. He was held in Moabit Prison in Berlin, which is a pretrial and extradition detention facility. Nine days after that, the Higher Regional Court of Berlin granted the US extra time to file extradition paperwork.

On September 1, 2023, an actor known as Tagesanzeiger warned the underground community not to interact with Aels (Tarasov) since any communication likely came from the authorities (ultimately the FBI). He also posted a letter supposedly, ultimately, from Tarasov saying that Tarasov had doxed stern – likely to be the stern who was a leading manager in Conti and later Trickbot.

Little was heard from Tarasov for a year after his arrest. Rumors spread. Had he been extradited? Did he escape and flee to Russia? Nothing quite so dramatic. The German authorities had released him after six months’ detention because the extradition request from the US didn’t quite pass German muster. After release, he travelled by car to Poland, and then by car back into Russia – where, for a while, he remained silent.

He’s now active again, although perhaps comparatively subdued. He has written about his time in Germany. The Intel 471 report notes, “He wrote he contemplated suicide after his arrest in Germany, which led to his hospitalization in a prison hospital. He was either facing more than 50 years in prison or having to out more cybercrime figures to U.S. authorities in exchange for a lighter sentence.”

An interesting thought here is that he decided returning to Russia – where he would hardly be welcome given his public anti-Russian government statements – would be better than facing prison in the US. Was he right? On October 29, 2024, using the alias Lavander, he wrote on the XSS forum, “This is Aels. Hiya, everybody. I’m so fucking glad to see you all.”

He explained how he got from Germany back to Russia, but also commented, “Then, however, an incident occurred, and over the next 9 months I discovered that there were places no better than prison, but that’s a whole ’nother story.” On May 5, 2025, he wrote, “Now I’m stuck in Russia, starting from the zero. And I still owe my lawyer.”
