Europol dismantles AudiA6 crypto laundering network used by gangs
Source: Reuters

Authorities in Europe have dismantled AudiA6, a cryptocurrency laundering service used by ransomware gangs and other cybercriminal networks, News.Az reports, citing The Hacker News.

Europol said in a statement issued Thursday that the takedown of AudiA6 disrupted what it described as a “key financial pipeline used to wash hundreds of millions in illicit profits.” The agency estimated that the service had been used to launder more than €336 million (about $389 million) since it was launched in 2021.

According to Europol, “the platform became a central hub for ransomware actors and cybercriminals seeking to cash out stolen digital assets while hiding the money trail from authorities.”

The operators of AudiA6 are also suspected of running a dark web cybercrime forum known as Dark2Web, where illicit services were advertised and cybercriminals connected with other threat actors globally.

As part of the coordinated operation carried out on June 10, 2026, authorities conducted multiple actions, including:

- The arrest of two alleged administrators of Ukrainian and Russian nationality in Georgia

- Three property searches

- The takedown of 25 domains and seizure of more than 30 servers

- The seizure of more than 80 vehicles and multiple properties in Georgia

- The freezing of cryptocurrency assets worth €692,000 (about $798,000) and seizure of €86,000 (about $99,400) in cryptocurrency

- The blocking of Telegram accounts used by the network

- The replacement of AudiA6 and Dark2Web websites on both the clear web and dark web with a law enforcement seizure notice

In parallel, the U.S. Department of Justice announced charges against the two arrested individuals — Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25 — on one count of conspiracy to launder monetary instruments and one count of sting money laundering. If convicted, both face a maximum sentence of 20 years in prison.

The DOJ stated that out of approximately 10,333 bitcoin deposited, about 393.39 BTC (valued at roughly $19.23 million at the time of the transactions) came directly from known darknet markets, ransomware groups, cybercrime services, and other illicit sources, with additional funds traced indirectly through AudiA6 wallets.

Europol said the crackdown was the result of an earlier enforcement action carried out by the Polish Police that led to the arrest of a Ukrainian national in September 2025 for their alleged involvement in money laundering activities connected to the AudiA6 group.

This made it possible for authorities to initiate a forensic examination of the seized electronic devices belonging to the suspect and identify additional individuals linked to the operation.

AudiA6 has been described as an industrial-scale cryptocurrency laundering operation that relied on thousands of fraudulent exchange accounts opened using stolen or purchased identities. The criminal service has been linked to more than 15 investigations worldwide related to ransomware attacks and large-scale cryptocurrency theft.

Prior to its disruption, AudiA6 was marketed as a cryptocurrency mixing service guaranteeing anonymity and speed. It allowed customers to transfer their ill-gotten proceeds to wallets controlled by the group and receive "cleaned" funds in return within an hour through a "complex chain of transactions" designed to conceal the origin of the funds.

These transactions took place over private messaging platforms, with the operators charging commissions of between 3 percent and 10 percent.

"More than 6,000 Know Your Customer (KYC) records linked to money mule accounts were identified during the investigation," Europol said. "Many of the mule accounts were connected to Russian-speaking intermediaries recruited specifically to help move criminal proceeds through cryptocurrency exchanges."

AudiA6 is also said to have relied on both commercial email providers and email addresses linked to domains under their control to register money mule accounts with various cryptocurrency exchanges.

In a report published in November 2021, Intel 471 disclosed that AudiA6 required a minimum balance of 27 bitcoins and that it charged a flat service fee between 3 percent and 5.5 percent. As recently as December 2025, a TRM Labs analysis found that funds stolen from the 2022 LastPass hack were routed through Cryptex and AudiA6.

The investigation was carried out by the United States Secret Service and the IRS Criminal Investigation, along with the Polish Police and law enforcement partners from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland, and the U.K.

The findings illustrate the rise of industrial-scale cryptocurrency laundering services that enable the cybercrime economy, as well as the use of fraudulent exchange accounts, mule wallets and privacy-focused tools designed to cover up the money trail and bypass anti-money laundering controls.

"Ransomware groups and cybercriminal networks are increasingly relying on chain-hopping, decentralised exchanges and 'mixer-as-a-service' platforms to move illicit cryptocurrency across multiple blockchains within minutes, helping criminal profits disappear into the digital underground," Europol said.


News.Az 

By Nijat Babayev
