Authorities Dismantle AudiA6 Crypto Laundering Service Used by Ransomware Gangs
8 min. read 
Published on
International law enforcement has dismantled AudiA6, a cryptocurrency laundering service accused of helping ransomware gangs and cybercriminals hide more than EUR 336 million in illicit crypto flows between 2022 and 2025.
The operation, announced by Europol, cut off a laundering pipeline that investigators say was trusted by ransomware actors, darknet market users, and other cybercrime groups seeking to convert stolen digital assets into harder-to-trace funds.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
U.S. prosecutors also charged two alleged senior members of the AudiA6 organization. According to the U.S. Department of Justice, Ruslan Igorevich Tkachuk, a Ukrainian national, and Alexander Vladimirovich Ledenev, a Russian national, were arrested in Georgia and accused of operating the laundering service and the related Dark2Web cybercrime forum.
AudiA6 Was Used to Wash Ransomware and Cybercrime Funds
AudiA6 operated as a professional crypto laundering service for criminals who needed to move stolen digital assets without exposing the original source of the funds.
Eurojust said criminals could send stolen cryptocurrency to wallets controlled by the group and receive “cleaned” funds back within around an hour through a complex chain of transactions.
The operators allegedly charged commissions between 3% and 10%, turning the service into a profitable financial layer for ransomware groups and other cybercriminal customers.
| Operation detail | What authorities reported |
|---|---|
| Service name | AudiA6 |
| Main use | Cryptocurrency laundering for ransomware and cybercrime funds |
| Suspected laundering volume | More than EUR 336 million between 2022 and 2025 |
| U.S. blockchain analysis figure | About 10,333 BTC deposited since 2021, valued at roughly $389 million at the time of transactions |
| Related forum | Dark2Web |
| Arrests | Two alleged administrators arrested in Georgia |
Two Alleged Administrators Were Arrested in Georgia
The coordinated action took place on June 10 and involved agencies from the United States, Georgia, Poland, France, Germany, Iceland, and other partners.
The Justice Department said the two defendants were charged by criminal complaint with conspiracy to launder monetary instruments and sting money laundering. The charges remain allegations unless proven in court.
Authorities searched three properties, seized more than 30 servers, took down 25 domains, blocked Telegram accounts, froze cryptocurrency assets, and replaced AudiA6 and Dark2Web websites with law enforcement seizure banners.
- Two alleged administrators were arrested in Georgia.
- Three properties were searched.
- More than 30 servers were seized.
- Twenty-five domains were taken down.
- Over 80 vehicles and multiple properties were seized in Georgia.
- EUR 692,000 in cryptocurrency was frozen and more than EUR 86,000 in cryptocurrency was seized.
Dark2Web Helped Advertise the Laundering Service
Investigators say AudiA6 was tied to Dark2Web, an underground cybercrime forum used to advertise illicit services and connect threat actors.
Chainalysis described Dark2Web as a meeting point for ransomware affiliates, hackers, and other cybercriminals, with AudiA6 offering those users a way to move stolen crypto into cleaner funds.
The takedown targeted both sides of that ecosystem. Shutting down only the laundering service would have left the forum available to help criminals regroup. Taking down Dark2Web also disrupted the marketplace where AudiA6 allegedly found customers.
| Platform | Role in the ecosystem | Law enforcement action |
|---|---|---|
| AudiA6 | Crypto laundering service for cybercriminals | Infrastructure seized and domains taken down |
| Dark2Web | Cybercrime forum used to advertise AudiA6 and other illicit services | Website replaced with a seizure notice |
| Telegram channels | Communication and coordination channels | Accounts blocked |
| Money mule accounts | Exchange accounts used to move and cash out funds | Thousands of KYC records identified |
Investigators Found Thousands of Fake KYC Records
The laundering operation allegedly relied on a large network of fake or mule accounts at cryptocurrency exchanges.
Eurojust reported that investigators identified more than 6,000 Know Your Customer records tied to money mule accounts opened with stolen or purchased identities.
Many of those mule accounts were connected to Russian-speaking intermediaries recruited to help move criminal proceeds through exchanges. Authorities also published domains used to create email accounts for those mule accounts so exchanges can identify and block related activity.
| Money mule method | Why it helped the laundering network |
|---|---|
| Stolen or purchased identities | Allowed criminals to open accounts under other people’s names |
| KYC-verified exchange accounts | Helped move funds through services that require identity checks |
| Intermediaries | Managed or supplied mule accounts for laundering flows |
| Custom email domains | Supported large-scale account registration |
| Rapid transaction chains | Made it harder to trace the original source of funds |
AudiA6 Shows How Crypto Laundering Services Support Ransomware
Ransomware groups need more than malware, affiliates, and leak sites. They also need financial services that can help convert ransom payments into spendable funds.
Chainalysis said AudiA6 functioned as a mixer-as-a-service model and processed about 10,333 bitcoin since 2021, with at least 393 BTC directly traced from known darknet markets, ransomware organizations, cybercrime services, and other illicit sources.
That makes the AudiA6 takedown important beyond one site. It removes part of the payment infrastructure that ransomware crews used to cash out, pay partners, and distance themselves from stolen funds.
- Ransomware groups use laundering services to hide payment trails.
- Darknet market operators use similar services to move criminal proceeds.
- Money mule accounts help bridge illicit crypto flows into regulated exchanges.
- Fast laundering services reduce the time investigators have to freeze funds.
- Forum-linked laundering services can attract many criminal customers from one marketplace.
Crypto Laundering Is Becoming Faster and More Professional
The AudiA6 case fits a broader trend in cybercrime. Professional laundering services now use mixers, exchange accounts, mule networks, chain-hopping, and cross-border infrastructure to make stolen assets harder to trace.
Europol’s Internet Organised Crime Threat Assessment 2026 says chain-hopping, blockchain bridges, privacy coins, CoinJoin-style services, and mixer-as-a-service tools continue to complicate investigations into illicit cryptocurrency flows.
The same report warns that ransomware actors and dark web marketplace administrators often prefer faster laundering methods, including decentralized exchanges and smart contract-based mixers, when they need quick movement toward an off-ramp.
| Laundering method | How criminals use it | Investigation challenge |
|---|---|---|
| Chain-hopping | Move assets across different blockchains | Investigators must follow funds across multiple chains |
| Mixers | Blend funds from many users | Breaks the visible link between sender and receiver |
| Privacy coins | Hide transaction details by design | Reduces blockchain tracing visibility |
| Money mule accounts | Use third-party identities at exchanges | Moves risk onto stolen or rented identities |
| Dark web forums | Advertise laundering services to criminals | Connects multiple criminal groups to shared infrastructure |
What the Takedown Means for Exchanges and Investigators
The operation gives cryptocurrency exchanges new information to identify accounts tied to AudiA6. That includes email domains, mule account records, wallet links, and infrastructure details recovered during the investigation.
Europol said its cybercrime and cryptocurrency experts traced illicit crypto flows, mapped laundering infrastructure, and supported law enforcement partners with intelligence before the final phase of the operation.
For ransomware investigations, this kind of disruption can create a valuable evidence trail. Seized servers, Telegram accounts, mule records, and exchange data can help investigators connect payments to operators, affiliates, brokers, and cash-out networks.
- Exchanges should screen for domains and KYC patterns linked to the AudiA6 mule network.
- Incident responders should trace ransom payments through known AudiA6-linked infrastructure where relevant.
- Law enforcement can use seized records to identify customers and related services.
- Financial crime teams should review accounts that show rapid layering across wallets and exchanges.
The Case Shows Why Laundering Infrastructure Is a Key Target
Ransomware groups can rebuild malware brands, leak sites, and affiliate programs, but they still need reliable ways to move and cash out cryptocurrency. That makes laundering services high-value targets for law enforcement.
The IOCTA 2026 report describes crypto laundering as a major cybercrime enabler, especially as criminals use faster and more automated ways to move funds across blockchains.
The AudiA6 takedown does not end ransomware financing, but it removes a service authorities say was deeply embedded in the cybercrime economy. It also signals that investigators are targeting not only ransomware crews, but also the financial services that keep those crews operating.
FAQ
AudiA6 was a cryptocurrency laundering service allegedly used by ransomware gangs, darknet market users, and other cybercriminals to hide the source of stolen digital assets and receive cleaned funds.
European authorities say AudiA6 is suspected of laundering more than EUR 336 million between 2022 and 2025. U.S. prosecutors said blockchain analysis identified about 10,333 BTC deposited to AudiA6 wallets since 2021, valued at roughly $389 million at the time of the transactions.
Two alleged senior administrators, Ruslan Igorevich Tkachuk and Alexander Vladimirovich Ledenev, were arrested in Georgia. U.S. prosecutors charged them by criminal complaint, and the allegations still need to be proven in court.
Dark2Web was an underground cybercrime forum allegedly managed by the same people behind AudiA6. Authorities say it helped advertise illicit services and connect cybercriminal actors, including users of the laundering service.
Ransomware groups need laundering services to hide ransom payments and cash out stolen cryptocurrency. Taking down AudiA6 disrupts one financial pipeline and may give investigators records that help identify criminals, affiliates, and money mule accounts.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages