The cybercrime story of Andrei Tarasov, also known online as Aels and more recently Lavander, isn’t the typical cybercriminal thriller filled with glamour and fortune. Instead, it’s a complex saga of exploit kits, malvertising schemes, international arrests, and mental health struggles—all set against a backdrop of geopolitical tension and declining trust among underground actors.
While widely associated with major cyber threats like Reveton ransomware and the Angler Exploit Kit, Tarasov’s alleged cyber activities span more than a decade and intersect with some of the most well-known cybercriminal operations in recent history.
From Card Skimming to Angler Exploit Kit Operations
Tarasov has been known to threat intelligence firms and law enforcement since at least 2010, with early activity linked to card skimming and spam operations. His rise in the cybercrime world accelerated when he allegedly became involved in malvertising campaigns and exploit kit infrastructure, particularly the use and suspected development of the infamous Angler Exploit Kit.
Although he was never explicitly named as Angler’s creator (a title often attributed to the Lurk gang dismantled by Russian authorities in 2016), Intel 471 analysts believe Tarasov played a leading role in its deployment and monetization. Evidence suggests he received payments from fellow cybercriminals, such as Volodymyr Kadariya, to build traffic distribution systems that drove victims to Angler-based exploits.
In 2017, Tarasov reportedly discussed plans with Maksim Silnikau to lock browsers via malicious ads—a precursor to the Reveton scareware ransomware, now seen as an early model of Ransomware-as-a-Service (RaaS).
International Arrests and Legal Limbo
The turning point came in July 2023, when a coordinated international operation led to the arrests of Silnikau in Spain and Tarasov in Germany, both tied to earlier U.S. indictments accusing them of widespread cyber extortion. While Silnikau was later extradited from Poland in 2024, German courts declined the U.S. extradition request for Tarasov, citing insufficient grounds. After six months in Berlin’s Moabit prison, he was released.
Tarasov later claimed that during his detention, he was offered millions in exchange for testifying against other cybercriminals and contemplated suicide while imprisoned. He was hospitalized in a prison clinic and later released, after which he quietly traveled to Poland and then back into Russia—despite earlier vocal criticism of the Kremlin.
Underground Reputation and Return as “Lavander”
Following his arrest, underground actors distanced themselves from Tarasov. In September 2023, a user named Tagesanzeiger warned threat actors not to interact with him, citing FBI involvement. It was alleged that Tarasov had doxed another prominent figure, possibly “Stern” from the Conti or Trickbot gangs, further damaging his standing.
After more than a year of silence, Tarasov resurfaced online under the handle Lavander, posting on cybercrime forums like XSS. On October 29, 2024, he reintroduced himself:
“This is Aels. Hello, everyone. I’m so fucking happy to see you all.”
In a follow-up post on May 5, 2025, Tarasov confirmed he was back in Russia, but described life there as bleak:
“Now I’m stuck in Russia, beginning from the zero. And I still owe my lawyer.”
He cryptically hinted at a troubling experience after returning, writing,
“There were places no better than prison… but that’s a whole ’nother story.”
Tarasov’s cybercrime case underscores the international complexity of extradition, the blurring lines between cybercriminal factions, and the increasing legal risks faced by well-known actors—even those who once found refuge in geopolitical gray zones.
While much of his future remains uncertain, Tarasov’s saga reveals the personal toll of cybercrime prosecution and the slow erosion of loyalty and trust within criminal ecosystems. Once seen as a leading figure in exploit kit operations and early ransomware models, he now claims to be starting over, alone, under surveillance, and in debt.
Whether Andrei Tarasov resurfaces as a key actor or disappears into digital obscurity, his case will remain a case study in modern cybercrime’s evolution—and its consequences.
