Europol and partners shut down AudiA6, a crypto-mixing operation that washed more than $380 million in ransomware and darknet proceeds through thousands of fake exchange accounts. Two administrators face up to 20 years, and investigators handed exchanges a list of mule domains to block.

A crypto-laundering service that handled more than $380 million in dirty money for ransomware crews has been pulled offline by law enforcement, capping an investigation that spanned 11 countries across Europe, the Americas, and Asia. Europol says the platform, known as AudiA6, sat at the center of a money-laundering machine that connected at least 15 separate international ransomware and crypto-theft investigations between 2022 and 2025.
The pitch was simple, and that is exactly what made it dangerous. AudiA6 advertised itself as a "professional cryptocurrency mixing service." In practice, according to investigators, it accepted criminal proceeds, shuffled the funds through deliberately convoluted transaction routes to break the trail back to the source, and returned the coins "cleaned" to their owners in roughly an hour. The operators kept a 3 to 10 percent cut for the trouble.

What actually came down
The takedown built on an earlier arrest. In September 2025, Polish authorities detained a Ukrainian national tied to AudiA6, and forensic work on his seized devices exposed the people running the operation. That trail led to Georgia, where two more suspects were arrested in the action announced this week.
The combined operation, coordinated through Europol and Eurojust, produced a long list of results: two arrests in Georgia, searches of three properties, the seizure of 25 domains, and the confiscation of 80 vehicles and properties. Authorities seized roughly €86,000 (about $99,000) in cryptocurrency, froze another €692,000 (about $798,000), and shut down the Telegram accounts the network used to coordinate.

The U.S. Department of Justice identified the two men as Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25, naming them as senior members of AudiA6. Both are in Georgian custody and face up to 20 years in prison. Investigators also link them to Dark2Web, an underground forum where criminals advertised illicit services. Both the AudiA6 and Dark2Web sites now serve a seizure notice.
The DoJ figures put the scale in concrete terms. Of roughly 10,333 bitcoin deposited into the service, about 393.39 BTC, worth around $19.2 million at the time of those transactions, came directly from known darknet markets, ransomware groups, and other cybercrime operations. More flowed in indirectly through intermediary wallets, which is the whole point of a laundering layer.

The part that matters for defenders
Mixing services are not the most technically sophisticated piece of the ransomware economy, but they are one of the most load-bearing. A ransomware crew can encrypt a hospital network and collect a payment, but that money is useless if it cannot be moved without lighting up every blockchain analytics firm watching the chain. Services like AudiA6 exist to solve that cash-out problem, which is why dismantling one ripples across so many unrelated investigations.
What made this operation industrial rather than improvised was its supply of fake identities. Europol describes "thousands of fraudulent exchange accounts opened using stolen or purchased identities," and investigators recovered around 6,000 Know-Your-Customer records tied to money mule accounts. Many of those mules were recruited by Russian-speaking intermediaries specifically to register accounts on legitimate exchanges, which the network then used to inject and extract funds.
That detail points to the most actionable outcome of the takedown. Europol published the set of domains the mule network used to register exchange accounts, explicitly so platforms can block them and screen for connected accounts. For anyone running compliance or fraud operations at an exchange, that list is the practical takeaway: cross-reference it against your account base, flag registrations that trace back to those domains, and treat clusters of accounts sharing the recovered KYC patterns as a single laundering pipeline rather than isolated users.
For security teams more broadly, the case is a reminder that mule recruitment is a human-layer problem that no detection rule catches on its own. The 6,000 KYC records did not come from a breach of the exchanges. They came from people who handed over their identities, knowingly or not, to intermediaries promising easy money. Onboarding controls, velocity checks on new-account funding, and behavioral monitoring after the first deposit are where these schemes get caught, not at the point of a single suspicious transaction.
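
The cross-referencing and clustering steps described above can be sketched as follows. This is an added example, not code from Europol or any exchange: the blocklist entries, field names and account rows are constructed placeholders, and it assumes the published domains are matched against the host part of the registration e-mail.

```python
from collections import defaultdict

# Placeholders: the published domain list is not reproduced on this page.
BLOCKED_DOMAINS = {"mule-mail.example", "quickreg.example"}

# Constructed sample accounts: id, registration e-mail, KYC document hash, device id.
ACCOUNTS = [
    {"id": "A1", "email": "ivan@mule-mail.example", "doc": "d-111", "device": "dev-1"},
    {"id": "A2", "email": "k.p@Mail.QuickReg.example.", "doc": "d-222", "device": "dev-2"},
    {"id": "A3", "email": "clean1@provider.example", "doc": "d-111", "device": "dev-3"},
    {"id": "A4", "email": "clean2@provider.example", "doc": "d-444", "device": "dev-3"},
    {"id": "A5", "email": "bob@notmule-mail.example", "doc": "d-555", "device": "dev-5"},
    {"id": "A6", "email": "eve@provider.example", "doc": "d-666", "device": "dev-6"},
]

def on_blocklist(email, blocked=BLOCKED_DOMAINS):
    """True if the e-mail host equals a listed domain or is a subdomain of one."""
    host = email.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    # Match on a label boundary so "notmule-mail.example" is not a false positive.
    return any(host == d or host.endswith("." + d) for d in blocked)

def laundering_clusters(accounts):
    """Link accounts that share a KYC document or device; keep groups with a hit."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # (attribute, value) -> first account id that carried it
    for a in accounts:
        for key in ("doc", "device"):
            other = first_seen.setdefault((key, a[key]), a["id"])
            parent[find(a["id"])] = find(other)

    groups = defaultdict(list)
    for a in accounts:
        groups[find(a["id"])].append(a)
    return [
        {"members": sorted(m["id"] for m in g),
         "direct_hits": sorted(m["id"] for m in g if on_blocklist(m["email"]))}
        for g in groups.values() if any(on_blocklist(m["email"]) for m in g)
    ]

if __name__ == "__main__":
    for cluster in laundering_clusters(ACCOUNTS):
        print(cluster)
```

A3 and A4 register from an unlisted provider but are pulled into A1's cluster through the shared document hash and device, which is the "single laundering pipeline" view rather than a per-account verdict.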

The pressure on cash-out infrastructure keeps building
AudiA6 did not operate in obscurity before its takedown. Blockchain investigator ZachXBT and threat intelligence firm Intel 471 had both publicly flagged the service for facilitating illegal activity, and that open-source reporting tends to precede enforcement action by months. The pattern is consistent: independent researchers map the on-chain behavior, attribution sharpens, and eventually an arrest in one jurisdiction unlocks the rest of the network.
That is the strategic logic behind targeting laundering services instead of chasing individual ransomware payments. Encryptors are cheap to rebuild and operators rotate brands constantly. The infrastructure that converts stolen crypto back into spendable money is slower to replace, harder to anonymize, and shared across many groups at once. Every mixer that goes down raises the cost and the risk of the cash-out step for every crew that relied on it.
The AudiA6 case will not end ransomware, and a replacement service is almost certainly already courting the displaced customers. But the recovered KYC records, the published mule domains, and two administrators facing two decades in prison represent the kind of friction that compounds. The more expensive and exposed the laundering layer becomes, the thinner the margins get for the people running the attacks upstream.
