Bleeping Computer

Authorities dismantle ‘AudiA6’ ransomware crypto-laundering service


Law enforcement has dismantled the “AudiA6” cryptocurrency service allegedly used by ransomware actors and other cybercriminals to launder more than $380 million.

Europol says that the service has been linked to more than 15 distinct international investigations of ransomware attacks.

It is believed that the platform acted as a central money laundering hub between 2022 and 2025.


“Investigators uncovered what they describe as an industrial-scale cryptocurrency laundering operation built around thousands of fraudulent exchange accounts opened using stolen or purchased identities,” Europol says.

“Analysis conducted by Europol linked the criminal service to more than 15 investigations worldwide involving ransomware attacks and large-scale cryptocurrency theft.”

The service was marketed as a “professional cryptocurrency mixing service,” but all it did was accept cybercrime proceeds, move the money around through complex transaction routes that obscured its origin, and return it “cleaned” to the holders in about an hour, minus a 3-10% service commission.

Past reports from Intel471 and blockchain investigator ZachXBT exposed AudiA6 for facilitating illegal activity.

The investigation involved authorities from 11 countries across Europe, America, and Asia, who were supported by Europol and Eurojust.

Europol states that the action was possible due to the arrest in Poland in September 2025 of a Ukrainian national linked to AudiA6.

The forensic examination of the suspect’s devices helped investigators identify key individuals behind the operation and eventually locate and arrest them in Georgia.

As a result of yesterday's action, the authorities have:

  • Arrested 2 individuals in Georgia
  • Searched 3 properties
  • Seized 25 domains
  • Seized 80 vehicles and properties
  • Seized €86,000 ($99k) in cryptocurrency
  • Frozen €692,000 ($798k) in cryptocurrency
  • Blocked Telegram accounts used by the network

The two arrested individuals, a Ukrainian and a Russian national, are believed to be administrators of AudiA6, as well as of the underground forum “Dark2Web,” which cybercriminals used to advertise illicit services.

Both AudiA6 and Dark2Web websites now display a seizure notice to visitors.

Seizure banner
Source: Europol

The U.S. Department of Justice named Ruslan Igorevich Tkachuk, aged 37, and Alexander Vladimirovich Ledenev, aged 25, as senior members of the AudiA6 platform.

The two individuals are currently in the custody of Georgian authorities and are facing sentences of up to 20 years in prison for facilitating cybercrime laundering operations.

“Out of the approximately 10,333 bitcoin deposited, approximately 393.39 BTC (valued at around $19,234,331 at the time of the transactions) were received directly from known darknet markets, ransomware organizations, cybercrime services, and other illicit sources, while additional funds were deposited indirectly from illicit sources into AudiA6 wallets,” the DoJ states.

Apart from the two administrators, authorities also retrieved 6,000 ‘Know-Your-Customer’ (KYC) records linked to money mule accounts.

Europol says these accounts were created using stolen or purchased identities, and many are connected to Russian-speaking intermediaries that recruited them specifically for this purpose.

This massive network of money mules used multiple domains to register accounts on cryptocurrency exchanges, a fact Europol published to raise awareness and help platforms block them.
