European authorities have successfully disrupted AudiA6, a cryptocurrency laundering service that was heavily utilized by ransomware gangs and cybercriminal networks.
According to Europol’s announcement on Thursday, dismantling AudiA6 has effectively severed a crucial financial channel responsible for washing hundreds of millions in illegal profits. Since its establishment in 2021, the service is believed to have laundered over €336 million (~$389 million).
Described as a central hub for ransomware actors and cybercriminals looking to convert stolen digital assets into untraceable funds, AudiA6’s operators are also suspected of running a dark web cybercrime forum called Dark2Web. This forum facilitated illicit services advertising and served as a networking platform for threat actors worldwide.
The crackdown on AudiA6, which occurred on June 10, 2026, involved several coordinated actions, including the arrest of two administrators of Ukrainian and Russian nationality in Georgia, three property searches, takedown of 25 domains and seizure of over 30 servers, confiscation of more than 80 vehicles and multiple properties in Georgia, freezing of cryptocurrency assets worth €692,000 ($798,000), seizure of €86,000 ($99,400) in cryptocurrency, blocking of Telegram accounts associated with the network, and replacing the websites of AudiA6 and Dark2Web with a law enforcement seizure banner.
In parallel, the U.S. Department of Justice (DoJ) announced charges against the two detained individuals, Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25, accusing them of conspiracy to launder monetary instruments and sting money laundering. If found guilty, they could face a maximum sentence of 20 years in prison.
According to the DoJ, approximately 393.39 BTC, valued at around $19,234,331, were directly received from darknet markets, ransomware organizations, cybercrime services, and other illicit sources into AudiA6 wallets.
Europol attributed the success of the crackdown to an earlier operation by the Polish Police, leading to the arrest of a Ukrainian national in September 2025 for alleged involvement in money laundering activities connected to AudiA6. This initial arrest enabled authorities to conduct a forensic analysis of seized electronic devices, uncovering additional individuals linked to the operation.
AudiA6 operated as an industrial-scale cryptocurrency laundering service, utilizing thousands of fraudulent exchange accounts established using stolen or purchased identities. The service was implicated in over 15 global investigations related to ransomware attacks and large-scale cryptocurrency theft.
Promoted as a cryptocurrency mixing service promising anonymity and speed, AudiA6 allowed customers to transfer illicit proceeds to group-controlled wallets in exchange for “cleaned” funds within an hour through a series of transactions designed to obfuscate the money trail.
Transactions were conducted via private messaging platforms, with operators charging commissions ranging from 3% to 10%. The investigation identified more than 6,000 Know Your Customer (KYC) records associated with money mule accounts, many of which were linked to Russian-speaking intermediaries recruited to facilitate moving criminal proceeds through cryptocurrency exchanges.
AudiA6 relied on commercial email providers and domain-linked email addresses to register money mule accounts on various cryptocurrency exchanges. Some of the domains used include designli.pictures, pheontx.eu, smplfy.in, sumato-soft.org, technobrains.dev, lett.email, trayo.app, deliverly.top, inboxly.top, postfast.eu, postino.click, inboxally.agency, mailora.eu, postify.email, quix.express, flowcomm.click, qube.black, deliverlett.com, and lettermail.eu.
Intel 471’s report in November 2021 revealed that AudiA6 required a minimum balance of 27 bitcoins and charged a flat service fee between 3% and 5.5%. Recent analysis by TRM Labs in December 2025 showed that funds from the 2022 LastPass hack were funneled through Cryptex and AudiA6.
The investigation was a collaborative effort involving the United States Secret Service, IRS Criminal Investigation, Polish Police, and law enforcement partners from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland, and the U.K.
The case highlights the emergence of industrial-scale cryptocurrency laundering services supporting the cybercrime economy, along with the use of fraudulent exchange accounts, mule wallets, and privacy tools to obscure the money trail and circumvent anti-money laundering measures.
Europol noted that ransomware groups and cybercriminal networks increasingly rely on chain-hopping, decentralized exchanges, and mixer-as-a-service platforms to swiftly move illicit cryptocurrency across multiple blockchains, allowing criminal profits to vanish into the digital underworld.
