European law enforcement agencies have taken down AudiA6, a cryptocurrency laundering platform that was widely exploited by ransomware operators and other cybercriminal groups.
According to a statement released on Thursday by Europol, the takedown of AudiA6 severed a “critical financial channel used to clean hundreds of millions in criminal proceeds.” Since its inception in 2021, the service is believed to have laundered upwards of €336 million (approximately $389 million).
“The platform evolved into a primary meeting point for ransomware operators and cybercriminals looking to convert stolen digital currencies into cash while obscuring the flow of money from investigators,” the agency explained.
Investigators suspect that the people behind AudiA6 also ran a dark web crime forum called Dark2Web, which served as a marketplace where cybercriminals promoted illegal services and established connections with threat actors around the globe.
The joint operation, conducted on June 10, 2026, involved a series of synchronized enforcement measures, including:
- The detention of two suspected administrators — one Ukrainian and one Russian national — in Georgia
- Searches of three properties
- The shutdown of 25 domains and confiscation of over 30 servers
- Seizure of more than 80 vehicles and several real estate properties in Georgia
- Freezing of cryptocurrency holdings valued at €692,000 ($798,000) and the confiscation of an additional €86,000 ($99,400) in cryptocurrency
- Blocking of Telegram accounts associated with the criminal network
- Replacement of both the surface web and dark web sites for AudiA6 and Dark2Web with official law enforcement seizure notices
In a parallel move, the U.S. Department of Justice (DoJ) filed charges against the two individuals arrested — 37-year-old Ruslan Igorevich Tkachuk and 25-year-old Alexander Vladimirovich Ledenev — on one count of conspiracy to launder monetary instruments and one count of substantive money laundering. A conviction on these charges carries a maximum penalty of 20 years behind bars for each defendant.
“Of the roughly 10,333 bitcoin deposited into the platform, about 393.39 BTC (worth approximately $19,234,331 at the time of the transactions) came directly from identified darknet marketplaces, ransomware groups, cybercrime operations, and other criminal sources, with additional funds flowing in indirectly from illicit origins into AudiA6 wallets,” the DoJ stated.
Europol noted that the crackdown stemmed from an earlier operation by Polish Police, who arrested a Ukrainian national in September 2025 on suspicion of involvement in money laundering activities tied to the AudiA6 network.
This initial arrest enabled investigators to perform a detailed forensic analysis of the suspect’s electronic devices, which in turn helped uncover additional individuals connected to the scheme.
AudiA6 has been characterized as a large-scale, industrial-style cryptocurrency laundering operation that depended on thousands of fake exchange accounts created using stolen or bought identities. The service has been connected to more than 15 separate investigations across the globe involving ransomware attacks and major cryptocurrency heists.
Before being shut down, AudiA6 promoted itself as a cryptocurrency mixing service that promised both anonymity and rapid processing. Users could send their illicit funds to wallets controlled by the group and, within an hour, receive “laundered” funds routed through an “intricate sequence of transactions” specifically designed to mask the money’s origins.
These dealings were conducted via private messaging apps, with the operators taking commissions of between 3 percent and 10 percent per transaction.
“Investigators uncovered more than 6,000 Know Your Customer (KYC) records tied to money mule accounts during the probe,” Europol reported. “A significant number of these mule accounts were linked to Russian-speaking middlemen who were recruited specifically to facilitate the movement of criminal funds through cryptocurrency exchanges.”
AudiA6 is also believed to have used both mainstream email providers and custom domain-based email addresses to set up money mule accounts on various cryptocurrency platforms. The domains involved include:
- designli.pictures
- pheontx.eu
- smplfy.in
- sumato-soft.org
- technobrains.dev
- lett.email
- trayo.app
- deliverly.top
- inboxly.top
- postfast.eu
- postino.click
- inboxally.agency
- mailora.eu
- postify.email
- quix.express
- flowcomm.click
- qube.black
- deliverlett.com
- lettermail.eu
A November 2021 report from Intel 471 revealed that AudiA6 required a minimum deposit of 27 bitcoins and charged a flat service fee ranging from 3 percent to 5.5 percent. More recently, a December 2025 analysis by TRM Labs traced funds stolen in the 2022 LastPass data breach through both Cryptex and AudiA6.
The investigation was led by the United States Secret Service and the IRS Criminal Investigation division, working alongside Polish Police and law enforcement agencies from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland, and the United Kingdom.
The case highlights the growing sophistication of industrial-scale cryptocurrency laundering services that fuel the broader cybercrime economy, as well as the increasing reliance on fraudulent exchange accounts, mule wallets, and privacy-enhancing tools to disguise financial trails and circumvent anti-money laundering safeguards.
“Ransomware crews and cybercriminal networks are turning more and more to chain-hopping, decentralized exchanges, and ‘mixer-as-a-service’ solutions to shuttle illicit cryptocurrency across multiple blockchains in a matter of minutes, allowing criminal earnings to vanish into the digital underground,” Europol warned.
