Europol Dismantles AudiA6 Crypto-Laundering Hub Tied to Ransomware Gangs
Law enforcement agencies across 11 countries have jointly dismantled "AudiA6," a cryptocurrency laundering service that processed more than $380 million in illicit proceeds for ransomware operators and other cybercriminals between 2022 and 2025. Coordinated by Europol and Eurojust, the operation led to the arrest of two alleged administrators in Georgia, the seizure of 25 domains, 80 vehicles and properties, and the freezing of roughly €778,000 in cryptocurrency. Both the AudiA6 platform and its associated underground forum "Dark2Web" now display law enforcement seizure banners to visitors. Investigators identified the network's key figures after the arrest of a Ukrainian national in Poland in September 2025, whose devices revealed critical operational details.
AudiA6 marketed itself as a "professional cryptocurrency mixing service" but functioned as an industrial-scale money laundering hub. Operators opened thousands of fraudulent exchange accounts using stolen or purchased identities, funneled cybercrime proceeds through complex transaction chains, and returned "cleaned" funds to clients within about an hour, retaining a 3–10% commission. Blockchain analysis from Intel471 and investigator ZachXBT previously linked the platform to more than 15 international investigations involving ransomware attacks, large-scale crypto theft, and direct deposits from darknet markets. Of approximately 10,333 BTC processed, around 393.39 BTC (~$19.2 million) flowed directly from known illicit sources. The U.S. Department of Justice has named Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25, as senior members; both face up to 20 years in prison for facilitating cybercrime laundering.
The takedown underscores how transnational cooperation is becoming the new frontline against ransomware infrastructure. For security teams, the case is a reminder to scrutinize incoming transactions and third-party financial relationships, and to monitor for exposure tied to illicit services. Researchers investigating the seized infrastructure can pivot on the 25 confiscated domains using a WHOIS lookup to trace registration histories and ownership changes, while defenders can audit their own environments with a port scanner to check that ransomware affiliates have not established covert access points.
With Telegram channels used by the network now blocked and additional forensic evidence still under review, the AudiA6 takedown is likely to surface further indictments and connected operations in the coming months. Organizations should treat this as an opportunity to revisit incident response playbooks, verify that crypto-related counterparties are legitimate, and run a privacy checkup to confirm that corporate and executive identities are not being weaponized to open fraudulent financial accounts—a core tactic in the AudiA6 playbook.