On 10 June 2026, European law enforcement agencies coordinated by Europol dismantled AudiA6 — an industrial-scale cryptocurrency laundering service that had processed more than €336 million (~$389 million) in illicit funds since 2021. The service was used by ransomware groups and other cybercriminal networks to convert stolen digital assets into “clean” money. Two alleged administrators were arrested in Georgia, and servers, domains, and property were seized. The U.S. Department of Justice has charged both detainees — they each face up to 20 years in prison.
Timeline and scope of the operation
As Europol reported, the takedown of AudiA6 was the result of an earlier operation by the Polish police: in September 2025, a Ukrainian national suspected of involvement in laundering funds through AudiA6 was arrested in Poland. Forensic analysis of his seized electronic devices made it possible to identify additional members of the network and prepare a coordinated operation.
During the actions on 10 June 2026, the following measures were carried out:
- Arrest of two alleged administrators — citizens of Ukraine and Russia — in Georgia
- Three searches of premises linked to the operation
- Takedown of 25 domains and seizure of more than 30 servers
- Seizure of more than 80 vehicles and several real estate assets in Georgia
- Freezing of cryptoassets worth €692 000 ($798 000) and seizure of €86 000 ($99 400) in cryptocurrency
- Blocking of Telegram accounts used by the network
- Replacement of the AudiA6 and Dark2Web websites (both on the clear web and in the darknet) with a seizure banner
Charges and prosecution
The U.S. Department of Justice has brought charges against the two arrested suspects: Ruslan Igorevich Tkachuk (37) and Alexander Vladimirovich Ledenev (25). Each is charged with one count of conspiracy to commit money laundering and one count of sting money laundering. The maximum penalty is 20 years in prison.
According to the U.S. Department of Justice, of approximately 10 333 Bitcoins deposited through AudiA6, about 393,39 BTC (valued at the time of the transactions at roughly $19.2 million) came directly from known darknet marketplaces, ransomware groups, cybercrime services, and other illegal sources. Additional funds were routed to AudiA6 wallets indirectly, through intermediary layers.
How AudiA6 operated
AudiA6 was positioned as a cryptocurrency mixing service that guaranteed anonymity and speed. Clients transferred illegally obtained funds to wallets controlled by the group and received “cleaned” funds within an hour through a complex chain of transactions designed to obscure the origin of the money. Communication took place via private messengers, and the commission ranged from 3% to 10%.
A key element of the infrastructure was thousands of fraudulent accounts on cryptocurrency exchanges, opened using stolen or purchased personal data. The investigation uncovered more than 6 000 KYC (Know Your Customer) records linked to accounts in the names of straw persons. According to Europol, many of these accounts were associated with Russian-speaking intermediaries specifically recruited to move criminal funds through crypto exchanges.
To register these front accounts, the operators used both commercial email providers and email addresses on domains under their control.
Email infrastructure domains used by AudiA6
- designli.pictures, pheontx.eu, smplfy.in, sumato-soft.org, technobrains.dev
- lett.email, trayo.app, deliverly.top, inboxly.top, postfast.eu
- postino.click, inboxally.agency, mailora.eu, postify.email, quix.express
- flowcomm.click, qube.black, deliverlett.com, lettermail.eu
Links to Dark2Web and scale of investigations
According to Europol, the operators of AudiA6 are also suspected of administering the darknet forum Dark2Web, where cybercriminals advertised illegal services and established contacts with other threat actors worldwide. This link has not yet been confirmed by independent sources and is presented by law enforcement as a suspicion.
The service appears in more than 15 investigations worldwide related to ransomware attacks and large-scale cryptocurrency thefts. The investigation involved the U.S. Secret Service, IRS Criminal Investigation, the Polish police, and law enforcement agencies from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland, and the United Kingdom.
Impact assessment and trends
The dismantling of AudiA6 is one of the largest operations against cryptocurrency money laundering infrastructure in recent years. The service did not serve a single group but an entire ecosystem: ransomware operators, darknet marketplace administrators, and organizers of cryptocurrency thefts all used a single pipeline to convert stolen funds.
Europol highlights an intensifying trend: ransomware groups and cybercriminal networks are increasingly using cross-chain transfers (chain-hopping), decentralized exchanges, and “mixing as a service” platforms to move illicit cryptocurrency across multiple blockchains in a matter of minutes.
Practical recommendations
- Cryptocurrency exchanges and financial platforms: review your account databases for registrations using the 19 domains listed above. Accounts registered with these domains are highly likely to be front accounts
- Compliance teams: strengthen verification of KYC documents, paying attention to signs of mass registration — uniform document templates and registrations from domains that do not belong to major email providers
- Blockchain analysts: add AudiA6 wallet addresses (as they are published by law enforcement) to monitoring lists to track residual transactions
- Incident response specialists: when investigating ransomware attacks, consider AudiA6 as one of the cash-out channels and check for overlaps with known service addresses
The dismantling of AudiA6 demonstrates that law enforcement agencies are capable of tracking and disrupting even complex, multi-layered cryptocurrency laundering schemes. However, the very fact that the service operated for five years with a turnover in the hundreds of millions of euros points to a systemic gap between the speed at which criminal infrastructure is created and the pace at which it is detected. Cryptocurrency exchanges should promptly review their user bases for accounts linked to the listed domains and tighten verification procedures to prevent the reuse of similar schemes.
