More than $380 million — that is the sum law enforcement says the “AudiA6” cryptocurrency service handled as a laundering hub for ransomware actors and other cybercriminals before authorities dismantled it.
How AudiA6 ran an “industrial-scale” laundering operation
Europol describes AudiA6 as an “industrial-scale cryptocurrency laundering operation built around thousands of fraudulent exchange accounts opened using stolen or purchased identities.” The platform was advertised as a “professional cryptocurrency mixing service,” but investigators say it simply accepted criminal proceeds, routed funds through complex transaction chains that obscured origins, and returned cleaned assets to holders in roughly an hour after taking a 3–10% commission.
According to the U.S. Department of Justice, AudiA6 received roughly 10,333 bitcoin in deposits. Of that total, approximately 393.39 BTC — valued at about $19,234,331 at the time of those transactions — were traced directly to known darknet markets, ransomware groups, cybercrime services, and other illicit sources, with additional funds flowing indirectly from criminal activity.
International investigation and key operational breakthroughs
The probe involved authorities from 11 countries across Europe, America, and Asia and was supported by Europol and Eurojust. Europol says the platform functioned as a central money-laundering hub between 2022 and 2025 and that its activity has been linked to more than 15 distinct international investigations of ransomware attacks.
Investigators point to an arrest in Poland in September 2025 of a Ukrainian national as a turning point. Forensic analysis of that suspect’s devices helped identify key individuals tied to AudiA6 and led to locating and arresting administrators in Georgia. Independent reporting from Intel471 and blockchain investigator ZachXBT had previously exposed AudiA6’s role in facilitating illegal activity, according to the publicly released accounts of the action.
Arrests, seizures, and legal steps taken
- Arrested 2 individuals in Georgia — identified by the U.S. Department of Justice as Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25. The DoJ named them as senior members of the AudiA6 platform; both are in Georgian custody and face sentences of up to 20 years for facilitating cybercrime laundering operations.
- Searched 3 properties and seized 25 domains; both the AudiA6 and the related forum “Dark2Web” now display seizure notices to visitors.
- Seized 80 vehicles and properties, and took custody of €86,000 (reported as $99,000) in cryptocurrency while freezing €692,000 (reported as $798,000) in additional crypto assets.
- Blocked Telegram accounts used by the network, and recovered approximately 6,000 Know-Your-Customer (KYC) records tied to money-mule accounts that Europol says were created using stolen or purchased identities.
What this means for cryptocurrency exchanges, cybercrime investigators, and ransomware victims
- Cryptocurrency exchanges — Europol published information about the multiple domains and mule-account patterns used to register exchange accounts; exchanges will be watching those indicators and, per Europol’s notice, are being asked to block the flagged accounts and domains to disrupt the same recruitment and account-creation channels.
- Cybercrime investigators — the case underlines the value of device forensics and international cooperation: the Poland arrest and device examination enabled cross-border identification, tracing, and subsequent arrests in Georgia, illustrating how digital evidence can pivot a dispersed probe to concrete operational gains.
- Ransomware victims and incident responders — AudiA6 was linked to more than 15 ransomware-related investigations worldwide; the takedown removes a central money-laundering node used to obscure ransom proceeds, which could complicate or aid asset tracing depending on how quickly remaining funds and records are uncovered.
Scale, accountability, and the questions that remain
The public record supplied with the takedown sketches a wide-reaching criminal service: thousands of fraudulent exchange accounts, roughly 10,333 BTC in deposits, about $380 million laundered over three years, and explicit ties to at least 15 ransomware and large-scale theft probes. Authorities have arrested two senior figures, seized domains and assets, and frozen sums of cryptocurrency — concrete steps toward accountability.
But the numbers in the filings also leave practical follow-ups: how much of the alleged $380 million can be recovered and returned to victims; where the additional administrators, recruiters, and money mules are located across the 11 investigating countries; and how exchanges will operationalize the domain and KYC indicators Europol shared. The arrests and seizures represent a sharp defensive blow against a major laundering conduit — and now the next phase will test whether prosecution, asset recovery, and exchange-side measures translate that blow into lasting disruption.
