
FBI and Europol dismantle major crypto laundering platform


“Ransomware groups and cybercriminal networks are increasingly relying on chain-hopping, decentralized exchanges and ‘mixer-as-a-service’ platforms to move illicit cryptocurrency across multiple blockchains within minutes, helping criminal profits disappear into the digital underground,” Europol warned.

AudiA6: an "industrial-scale cryptocurrency laundering operation"

European and U.S. investigators say AudiA6 was a large-scale cryptocurrency laundering service that moved at least €336m ($389m) for cybercriminals between 2022 and 2025. Europol’s analysis tied the service to laundering for at least 15 ransomware operations and several major cryptocurrency theft schemes. Investigators described AudiA6 as exploiting thousands of stolen identities and accounts and operating with a speed and volume that reached beyond one-off laundering jobs into what the agency called an “industrial-scale” business model.

How AudiA6 handled funds: money mules, wallets and quick turnarounds

The service relied on a combination of human and technical methods to obscure the origin of stolen cryptocurrency. AudiA6 used money mules to transfer stolen cryptocurrency to wallets owned by the service, then moved funds through several wallets to complicate tracing. Customers contacted AudiA6 through private messaging apps and could expect to receive their laundered funds in under an hour. Operators charged commissions of up to 10% for those services.

Dark2Web: forum administration and the criminal marketplace

Investigators believe the individuals behind AudiA6 also administered a dark web forum called ‘Dark2Web.’ According to the investigation, Dark2Web functioned as a criminal marketplace used to advertise illicit services and connect cybercriminal actors worldwide, creating a direct marketplace link between service providers and the ransomware and theft operations that supplied illicit funds.

June 10 operation: arrests, seizures and technical takedowns

The coordinated action on June 10 was carried out by a coalition that included the US Secret Service, IRS Criminal Investigation, the Polish Police service and other European states and agencies, with support from Europol and Eurojust. Two alleged administrators—identified by nationality as Ukrainian and Russian—were arrested in the country of Georgia. Officers searched three properties, froze €692,000 ($800,000) in cryptocurrency and seized over €86,000 ($99,000) in cryptocurrency. The operation also took down 25 domains, seized more than 30 servers and blocked Telegram accounts used by the network. To mark the disruption, the clear web and dark web sites for AudiA6 and the Dark2Web forum were replaced with a law enforcement seizure banner.

What this means for ransomware operators, investigators, and victims

  • Ransomware operators and cybercriminal networks: AudiA6’s rapid payouts (under an hour) and up-to-10% commission model show why such services are attractive. The arrests and domain/server takedowns remove a known conduit identified as laundering funds for at least 15 ransomware operations, but Europol’s warning underscores that criminals also rely on chain-hopping, decentralized exchanges and mixer-as-a-service platforms.
  • Law enforcement and judicial authorities: The coordinated seizure demonstrates cross-border operational capacity—freezing and seizing cryptocurrency, arresting alleged administrators in a third country, taking down infrastructure and replacing sites with seizure banners. Agencies involved employed a combination of financial action (freezes/seizures), takedown of online infrastructure (domains, servers, Telegram accounts) and arrest operations in the field.
  • Victims and affected enterprises: The investigation links AudiA6 directly to funds originating from ransomware and major theft schemes, meaning some ransom proceeds traced through AudiA6 may now be frozen or otherwise disrupted. At the same time, Europol’s assessment of rising industrial-scale laundering indicates that disrupting one service may not remove other pathways that criminals use to move proceeds.

The AudiA6 takedown provides a concrete example of how law enforcement can unmask and disrupt a high-volume laundering service: arrests, crypto freezes and infrastructure seizures were combined to make the service inoperable and to seize assets tied to the network. At the same time, Europol’s public characterization of the business model and its explicit warning about chain-hopping and mixer-as-a-service platforms frame the action as one front in an ongoing struggle against a fast-moving, decentralized criminal economy.

Source: Infosecurity Magazine — Ransomware Payment Crypto Laundering Platform Taken Out by FBI and Europol