Authorities Dismantle AudiA6 Crypto-Laundering Service Used by Ransomware Gangs
Law enforcement from 11 countries has dismantled AudiA6, a cryptocurrency laundering service that processed over $380 million for ransomware actors and other cybercriminals.

Law enforcement agencies across 11 countries have dismantled the AudiA6 cryptocurrency laundering service, which allegedly processed over $380 million for ransomware actors and other cybercriminals. The operation, coordinated by Europol and Eurojust, targeted a key piece of financial infrastructure that enabled threat actors to obfuscate illicit cryptocurrency transactions. Two administrators, a Ukrainian and a Russian national, were arrested in Georgia, and authorities seized domains, vehicles, properties, and cryptocurrency assets.
AudiA6 operated as a "professional cryptocurrency mixing service" between 2022 and 2025, accepting cybercrime proceeds and moving them through complex transaction routes to obscure their origin. The service returned "cleaned" funds to holders in about an hour, charging a commission of 3-10%. Europol described the operation as an "industrial-scale cryptocurrency laundering operation built around thousands of fraudulent exchange accounts opened using stolen or purchased identities."
The investigation linked AudiA6 to more than 15 international investigations into ransomware attacks worldwide. Reports from Intel471 and blockchain investigator ZachXBT had previously exposed the platform for facilitating illegal activity. The U.S. Department of Justice named Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25, as senior members of the platform; both are now in custody in Georgia and face up to 20 years in prison.
Authorities seized 25 domains, 80 vehicles and properties, and approximately €86,000 ($99,000) in cryptocurrency, while freezing an additional €692,000 ($798,000). They also blocked Telegram accounts used by the network and retrieved 6,000 Know-Your-Customer (KYC) records linked to money mule accounts. These accounts were created using stolen or purchased identities, many connected to Russian-speaking intermediaries who recruited individuals specifically for this purpose.
The takedown was made possible by the arrest in Poland in September 2025 of a Ukrainian national linked to AudiA6. Forensic examination of that suspect's devices helped investigators identify key individuals behind the operation and eventually locate and arrest them in Georgia. Both AudiA6 and the underground forum Dark2Web, which the administrators also ran, now display seizure notices to visitors.
This operation represents a significant blow to the financial infrastructure supporting ransomware and other cybercrime. By dismantling a major money-laundering channel, authorities have disrupted the ability of multiple ransomware families and threat actors to cash out their illicit gains. The case highlights the growing international cooperation in targeting the financial enablers of cybercrime, rather than just the attackers themselves.