Authorities dismantle 'AudiA6' ransomware crypto-laundering service

Authorities Dismantle AudiA6 Ransomware Crypto-Laundering Service

OverviewA coordinated international operation has dismantled the AudiA6 cryptocurrency laundering network, a platform prosecutors say was used by ransomware actors and other cybercriminals to move and “clean” illicit funds. Europol reports that the service is linked to more than 15 separate international investigations into ransomware attacks and large-scale cryptocurrency theft, with activity concentrated between 2022 and 2025. The operation highlights the scale of professional money laundering ecosystems that support cybercrime beyond the initial breaches.

How AudiA6 Operated

The platform was marketed as a professional cryptocurrency mixing service. In practice, it functioned as a central hub for laundering criminal proceeds.
It accepted funds from cybercrime activities, then obscured their origin by routing them through a labyrinth of transactions.
The cleaned funds were returned to the rightful holders typically within about an hour, applying a service commission of 3–10%.
Investigators describe AudiA6 as built around thousands of fraudulent exchange accounts opened with stolen or purchased identities, forming a vast network to obfuscate fund trails.

International Investigation and Cooperation

The takedown involved law enforcement from 11 countries across Europe, the Americas, and Asia, supported by Europol and Eurojust.
A critical breakthrough came from the September 2025 Polish arrest of a Ukrainian national linked to AudiA6, which helped unlock the broader operation.
The Georgian phase of the investigation culminated in the arrest of two administrators, whose identities are central to the platform’s leadership. The operation also resulted in significant seizures and the seizure of seizure banners for AudiA6 and the associated underground forum Dark2Web.

Timeline of Key Events

September 2025: A Ukrainian national connected to AudiA6 is arrested in Poland, marking a pivotal point in the sting.
June 10, 2026: Authorities in Georgia arrest two individuals believed to be administrators of AudiA6 and of the underground forum Dark2Web. The operation also includes searches, seizures, and account takedowns as part of a broader crackdown.
June 11, 2026 (reported): DoJ and Europol outline the criminal scope, the defendants’ roles, and the ongoing custody and charged status.

Key Actions and Seizures (June 10, 2026)

Arrests: 2 individuals in Georgia, identified as administrators.
Property and Domain Seizures: 3 properties searched and 25 domains seized.
Asset Seizures: 80 vehicles and related properties seized.
Cryptocurrency Seizures: €86,000 and €692,000 in cryptocurrency seized or frozen.
Communications and Accounts: Telegram accounts used by the network blocked.
Administrative and Records: 6,000 Know-Your-Customer (KYC) records linked to money mule accounts were retrieved.

Suspects and Roles

The two administrators arrested in Georgia are believed to have led AudiA6 and were also involved with the underground forum Dark2Web, which cybercriminals used to advertise illicit services.
The U.S. Department of Justice has identified Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25, as senior members of the AudiA6 platform.
Both individuals are in the custody of Georgian authorities and face potential sentences of up to 20 years for facilitating cybercrime laundering operations.

Money Trail and Identity Abuse

The platform processed roughly 10,333 deposited bitcoins, of which about 393.39 BTC (value at the time around $19.2 million) came directly from known darknet markets, ransomware groups, and other illicit sources.
Additional funds entered AudiA6 wallets from illicit sources via indirect deposits.
Approximately 6,000 KYC records tied to money mule accounts were recovered; many mules were recruited through stolen or purchased identities, with connections to Russian-speaking intermediaries.
The laundering network used multiple domain registrations to facilitate account creation on cryptocurrency exchanges, complicating traceability and platform-blocking efforts.

Impact and Legal Proceedings

The seizure and disruption of AudiA6 and the Dark2Web ecosystem represent a major blow to one of the more sophisticated money-laundering infrastructures supporting ransomware ecosystems.
DoJ statements indicate ongoing investigations into the precise flow of funds and the individuals who orchestrated and benefited from the operation.
The international nature of the case underscores the importance of cross-border cooperation in tackling cybercrime that operates across multiple jurisdictions.

Context and Significance

This case illustrates how ransomware ecosystems increasingly rely on dedicated money-laundering services to monetize extortion payments.
The combination of fraudulent account networks, swift transaction routing, and mass KYC data usage demonstrates both the reach and the forensic complexity of modern cybercrime operations.
Law enforcement emphasis on targeting the infrastructure that enables laundering—domains, accounts, and interlinked forums—complements actions against the initial crime actors.

Current Status and Next Steps

The two administrators remain in custody in Georgia, with charges and potential prison terms connected to cybercrime laundering activities.
Ongoing investigations aim to trace further financial flows, identify additional co-conspirators, and disrupt related platforms connected to AudiA6 and Dark2Web.
Europol and partner agencies continue to monitor for attempts to reconstitute similar laundering services and to block new money-mule networks using stolen identities.

Notes on the Case

The AudiA6 operation demonstrates how criminal networks adapt by creating professional-grade laundering services to sanitize proceeds rapidly, turning illicit money into ostensibly legitimate funds with relative speed.
The international scope of the case reinforces the need for continued cross-border engagement among law enforcement, prosecutors, and financial regulators to disrupt the full lifecycle of cybercrime profits.

Authorities Dismantle AudiA6 Ransomware Crypto-Laundering Service

How AudiA6 Operated

The platform was marketed as a professional cryptocurrency mixing service. In practice, it functioned as a central hub for laundering criminal proceeds.
It accepted funds from cybercrime activities, then obscured their origin by routing them through a labyrinth of transactions.
The cleaned funds were returned to the rightful holders typically within about an hour, applying a service commission of 3–10%.
Investigators describe AudiA6 as built around thousands of fraudulent exchange accounts opened with stolen or purchased identities, forming a vast network to obfuscate fund trails.

International Investigation and Cooperation

The takedown involved law enforcement from 11 countries across Europe, the Americas, and Asia, supported by Europol and Eurojust.
A critical breakthrough came from the September 2025 Polish arrest of a Ukrainian national linked to AudiA6, which helped unlock the broader operation.
The Georgian phase of the investigation culminated in the arrest of two administrators, whose identities are central to the platform’s leadership. The operation also resulted in significant seizures and the seizure of seizure banners for AudiA6 and the associated underground forum Dark2Web.

Timeline of Key Events

September 2025: A Ukrainian national connected to AudiA6 is arrested in Poland, marking a pivotal point in the sting.
June 10, 2026: Authorities in Georgia arrest two individuals believed to be administrators of AudiA6 and of the underground forum Dark2Web. The operation also includes searches, seizures, and account takedowns as part of a broader crackdown.
June 11, 2026 (reported): DoJ and Europol outline the criminal scope, the defendants’ roles, and the ongoing custody and charged status.

Key Actions and Seizures (June 10, 2026)

Arrests: 2 individuals in Georgia, identified as administrators.
Property and Domain Seizures: 3 properties searched and 25 domains seized.
Asset Seizures: 80 vehicles and related properties seized.
Cryptocurrency Seizures: €86,000 and €692,000 in cryptocurrency seized or frozen.
Communications and Accounts: Telegram accounts used by the network blocked.
Administrative and Records: 6,000 Know-Your-Customer (KYC) records linked to money mule accounts were retrieved.

Suspects and Roles

The two administrators arrested in Georgia are believed to have led AudiA6 and were also involved with the underground forum Dark2Web, which cybercriminals used to advertise illicit services.
The U.S. Department of Justice has identified Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25, as senior members of the AudiA6 platform.
Both individuals are in the custody of Georgian authorities and face potential sentences of up to 20 years for facilitating cybercrime laundering operations.

Money Trail and Identity Abuse

The platform processed roughly 10,333 deposited bitcoins, of which about 393.39 BTC (value at the time around $19.2 million) came directly from known darknet markets, ransomware groups, and other illicit sources.
Additional funds entered AudiA6 wallets from illicit sources via indirect deposits.
Approximately 6,000 KYC records tied to money mule accounts were recovered; many mules were recruited through stolen or purchased identities, with connections to Russian-speaking intermediaries.
The laundering network used multiple domain registrations to facilitate account creation on cryptocurrency exchanges, complicating traceability and platform-blocking efforts.

Impact and Legal Proceedings

The seizure and disruption of AudiA6 and the Dark2Web ecosystem represent a major blow to one of the more sophisticated money-laundering infrastructures supporting ransomware ecosystems.
DoJ statements indicate ongoing investigations into the precise flow of funds and the individuals who orchestrated and benefited from the operation.
The international nature of the case underscores the importance of cross-border cooperation in tackling cybercrime that operates across multiple jurisdictions.

Context and Significance

This case illustrates how ransomware ecosystems increasingly rely on dedicated money-laundering services to monetize extortion payments.
The combination of fraudulent account networks, swift transaction routing, and mass KYC data usage demonstrates both the reach and the forensic complexity of modern cybercrime operations.
Law enforcement emphasis on targeting the infrastructure that enables laundering—domains, accounts, and interlinked forums—complements actions against the initial crime actors.

Current Status and Next Steps

The two administrators remain in custody in Georgia, with charges and potential prison terms connected to cybercrime laundering activities.
Ongoing investigations aim to trace further financial flows, identify additional co-conspirators, and disrupt related platforms connected to AudiA6 and Dark2Web.
Europol and partner agencies continue to monitor for attempts to reconstitute similar laundering services and to block new money-mule networks using stolen identities.

Notes on the Case

The AudiA6 operation demonstrates how criminal networks adapt by creating professional-grade laundering services to sanitize proceeds rapidly, turning illicit money into ostensibly legitimate funds with relative speed.
The international scope of the case reinforces the need for continued cross-border engagement among law enforcement, prosecutors, and financial regulators to disrupt the full lifecycle of cybercrime profits.

Authorities dismantle 'AudiA6' ransomware crypto-laundering service

Related Posts

Why AI-driven threats are exposing the limits of MSP security stacks

Microsoft patches Exchange Server zero-day exploited in attacks

The 5 Best Practices for Secure Identity Verification

More from the Blog

Microsoft Adds Copilot Data Controls to All Storage Locations

Previously harmless Google API keys now expose Gemini AI data

Microsoft says bug in classic Outlook hides the mouse pointer

Get the next deep dive in your inbox

Stay Updated

Authorities dismantle 'AudiA6' ransomware crypto-laundering service

Related Posts

Why AI-driven threats are exposing the limits of MSP security stacks

Microsoft patches Exchange Server zero-day exploited in attacks

The 5 Best Practices for Secure Identity Verification

More from the Blog

Microsoft Adds Copilot Data Controls to All Storage Locations

Previously harmless Google API keys now expose Gemini AI data

Microsoft says bug in classic Outlook hides the mouse pointer

Get the next deep dive in your inbox

Stay Updated