
Europol Disrupts Major Crypto Laundering Service Linked to Ransomware Gangs


Europol said the disruption cut off a "key financial pipeline used to wash hundreds of millions in illicit profits," after investigators concluded AudiA6 had laundered more than €336 million (~$389 million) since its 2021 launch.

June 10, 2026: coordinated actions and seizures

On June 10, 2026, law enforcement carried out a multi-pronged operation that targeted AudiA6 and an associated dark‑web forum called Dark2Web. The actions included the arrest of two alleged administrators of Ukrainian and Russian nationality in Georgia, three property searches, the takedown of 25 domains and the seizure of more than 30 servers. Authorities also seized over 80 vehicles and multiple properties in Georgia, froze cryptocurrency assets worth €692,000 ($798,000) and seized €86,000 ($99,400) in cryptocurrency. Telegram accounts used by the network were blocked, and both the clear‑web and dark‑web AudiA6 and Dark2Web sites were replaced with law enforcement seizure banners, Europol said.

AudiA6’s business model and infrastructure

Europol and partnering agencies described AudiA6 as an industrial‑scale cryptocurrency laundering service marketed as a fast "mixing" or "mixer‑as‑a‑service" platform that guaranteed anonymity. Customers transferred illicit proceeds to wallets controlled by the group and received “cleaned” funds in return—often within an hour—through a "complex chain of transactions" meant to obscure the origin of funds. Operators charged commissions variously reported between 3 percent and 10 percent, and past reporting cited a flat fee structure with a minimum balance requirement: an Intel 471 report in November 2021 said AudiA6 required a minimum balance of 27 bitcoins and charged a flat service fee between 3 percent and 5.5 percent.

Europol said the service relied on thousands of fraudulent exchange accounts opened with stolen or purchased identities, and that investigators identified more than 6,000 Know Your Customer (KYC) records linked to money mule accounts. Many mule accounts were connected to Russian‑speaking intermediaries recruited to move criminal proceeds through cryptocurrency exchanges. AudiA6 reportedly used both commercial email providers and addresses on domains controlled by the network to register mule accounts; Europol published a list of the implicated domains.

U.S. Department of Justice charges and transaction tracing

In tandem with Europol’s disruption, the U.S. Department of Justice charged two individuals: Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25. The DoJ accused each of one count of conspiracy to launder monetary instruments and one count of sting money laundering; both face a maximum sentence of 20 years if convicted. The DoJ also provided transaction tracing: "Out of the approximately 10,333 bitcoin deposited, approximately 393.39 BTC (valued at around $19,234,331 at the time of the transactions) were received directly from known darknet markets, ransomware organizations, cybercrime services, and other illicit sources, while additional funds were deposited indirectly from illicit sources into AudiA6 wallets," the department said.

International law enforcement partners and the role of prior arrests

The operation drew on cooperation across multiple agencies and countries. The investigation was led by the United States Secret Service and IRS Criminal Investigation, alongside the Polish Police and law enforcement partners from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland and the U.K. Europol credited an earlier enforcement action by the Polish Police in September 2025—an arrest of a Ukrainian national—for enabling a forensic examination of seized devices that identified additional individuals linked to the AudiA6 network.

Connections to ransomware, Dark2Web and prior analyses

Europol described AudiA6 as a central hub for ransomware actors and other cybercriminals seeking to cash out stolen digital assets while hiding money trails. The takedown identified links between AudiA6 and a dark‑web forum called Dark2Web, where illicit services were advertised and threat actors connected. Europol said AudiA6 has been tied to more than 15 investigations worldwide related to ransomware and large‑scale cryptocurrency theft. A December 2025 analysis by TRM Labs — cited in the report — found funds stolen from the 2022 LastPass incident were routed through Cryptex and AudiA6, underscoring the service’s role in complex laundering chains.

Europol framed the operation as evidence of the rise of industrial‑scale laundering platforms that use fraudulent exchange accounts, mule wallets and privacy‑focused techniques to bypass anti‑money‑laundering controls. "Ransomware groups and cybercriminal networks are increasingly relying on chain‑hopping, decentralised exchanges and 'mixer‑as‑a‑service' platforms to move illicit cryptocurrency across multiple blockchains within minutes," the agency said—a capability investigators say helped criminal profits "disappear into the digital underground."

The seizures on June 10 removed servers, domains, vehicles, property and a tranche of crypto funds, and produced criminal charges against two alleged administrators. Yet Europol’s own description of evolving laundering techniques points to a limit for enforcement: disrupting an identified hub can be decisive, but the methods that enabled AudiA6, rapidly moving funds through complex chains and recruiting mule accounts, remain in the toolkit of the cybercrime economy.
