
Authorities Shut Down ‘AudiA6’ Ransomware Crypto-Laundering Ring

Summary

– Law enforcement dismantled the “AudiA6” cryptocurrency service, which allegedly laundered over $380 million for ransomware actors and other cybercriminals.
– The platform acted as a central money laundering hub between 2022 and 2025, linked to more than 15 international ransomware investigations.
– AudiA6 operated by accepting cybercrime proceeds, moving them through complex routes to obscure origins, and returning cleaned funds within an hour for a 3-10% commission.
– Authorities arrested two administrators—a Ukrainian and a Russian national—in Georgia, seizing 25 domains, 80 vehicles and properties, and over $897,000 in cryptocurrency.
– The U.S. Department of Justice named senior members Ruslan Tkachuk and Alexander Ledenev, who face up to 20 years in prison for facilitating the laundering operation.

Law enforcement agencies have successfully dismantled a cryptocurrency laundering network known as “AudiA6,” which allegedly processed over $380 million for ransomware groups and other cybercriminals. The operation, coordinated by Europol, involved authorities from 11 countries across Europe, the Americas, and Asia, alongside support from Eurojust.

The AudiA6 service is believed to have functioned as a central money laundering hub between 2022 and 2025. According to Europol, the platform was linked to more than 15 separate international investigations into ransomware attacks. Investigators described it as an “industrial-scale” operation that relied on thousands of fraudulent exchange accounts opened using stolen or purchased identities.

The service marketed itself as a professional cryptocurrency mixing service, but its actual function was straightforward: it accepted proceeds from cybercrime, funneled them through complex transaction paths to obscure their origin, and returned the “cleaned” funds to clients within about an hour. The fee for this service ranged from 3% to 10% of the total amount.

Past reporting from Intel471 and blockchain investigator ZachXBT had already exposed AudiA6 for facilitating illegal activity. The current crackdown was triggered by the arrest of a Ukrainian national in Poland in September 2025, whose devices provided critical forensic evidence. This allowed investigators to identify key figures behind the operation and eventually locate and arrest them in Georgia.

As a result of yesterday’s coordinated action, authorities have arrested two individuals in Georgia, searched three properties, seized 25 domains, 80 vehicles and properties, and €86,000 ($99,000) in cryptocurrency, and frozen an additional €692,000 ($798,000). Telegram accounts used by the network have also been blocked.

The two arrested individuals, a Ukrainian and a Russian national, are believed to be administrators not only of AudiA6 but also of the underground forum “Dark2Web,” which cybercriminals used to advertise illicit services. Both websites now display seizure notices to visitors.

The U.S. Department of Justice named Ruslan Igorevich Tkachuk, aged 37, and Alexander Vladimirovich Ledenev, aged 25, as senior members of the AudiA6 platform. They are currently in Georgian custody and face sentences of up to 20 years in prison for facilitating cybercrime laundering operations.

According to the DoJ, “Out of the approximately 10,333 bitcoin deposited, approximately 393.39 BTC (valued at around $19,234,331 at the time of the transactions) were received directly from known darknet markets, ransomware organizations, cybercrime services, and other illicit sources, while additional funds were deposited indirectly from illicit sources into AudiA6 wallets.”

In addition to arresting the two administrators, authorities retrieved 6,000 ‘Know-Your-Customer’ (KYC) records linked to money mule accounts. Europol says these accounts were created using stolen or purchased identities, with many connected to Russian-speaking intermediaries who recruited the mules specifically for this purpose. The massive network of money mules used multiple domains to register accounts on cryptocurrency exchanges, a detail Europol published to raise awareness and help platforms block similar activity in the future.

(Source: BleepingComputer)
