An international operation coordinated by Europol and Eurojust dismantled the cryptocurrency laundering service known as AudiA6, which processed more than $380 million in illicit proceeds between 2022 and 2025.

According to reports from BleepingComputer, the service was used by ransomware gangs and other cybercriminals to clean stolen digital assets. AudiA6 operated as a mixer‑as‑a‑service, accepting deposits, routing them through complex transaction chains, and returning cleaned funds to customers within roughly an hour. The platform charged a commission of 3% to 10% and was linked by Europol to more than 15 international ransomware investigations over a three‑year period.

The enforcement action seized 6,000 Know Your Customer (KYC) records tied to money‑mule accounts. Each account was created with a stolen or purchased identity, many of them supplied through Russian‑speaking intermediary networks that opened exchange accounts on behalf of the criminal operation. In addition to the KYC records, authorities seized 25 domains, 80 vehicles and properties, and blocked the platform’s Telegram accounts. The U.S. Department of Justice (DOJ) reported that 692,000 euros in cryptocurrency were frozen and an additional 86,000 euros were seized.

Bitcoin deposits to AudiA6 totaled 10,333 BTC. Of those, only 393 BTC—valued at roughly $19.2 million at the time of deposit—originated directly from known darknet markets. The remaining funds had already been layered through prior transactions, illustrating how ransomware operators pre‑layer proceeds before submitting them to a specialist mixer. The 6,000 mule identities were essential because compliant exchanges require verified accounts to process withdrawals, and fabricated KYC records provided the necessary cover.

The turning point in the investigation came in September 2025 when Polish authorities arrested a Ukrainian national linked to the platform. Forensic examination of the suspect’s devices gave investigators a roadmap to the key operators, who were subsequently located and arrested in Georgia. The DOJ named the two arrested administrators as Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25. Both individuals also administered Dark2Web, an underground forum where criminals advertised illicit services alongside the AudiA6 mixing operation.

The AudiA6 case highlights three pressure points for security and compliance teams. First, the recruitment of KYC mule accounts should be treated as a threat signal; organizations that handle identity verification should flag anomalous account‑opening velocity and clustering of identity documents. Second, integrating blockchain‑intelligence feeds into incident response can expose destinations that have been flagged by commercial analytics firms before a ransom payment is made. Third, monitoring dark‑web forum activity can surface supply‑chain risk signals, as the forum co‑administered by the AudiA6 operators served as a distribution channel for laundering services and mule accounts.
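
One way to implement the first of these checks, as an added example that is not from the original article or from any agency's tooling: the code below flags bursts of account openings from a single device and identity documents presented by several accounts. The event fields (`device_id`, `doc_fingerprint`), the one-hour window, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample onboarding events (not real data):
# (account_id, opened_at, device_id, doc_fingerprint)
# doc_fingerprint is assumed to be a hash of the normalized ID document.
EVENTS = [
    ("acct-001", "2025-03-01T09:00:00", "dev-A", "doc-11"),
    ("acct-002", "2025-03-01T09:07:00", "dev-A", "doc-12"),
    ("acct-003", "2025-03-01T09:15:00", "dev-A", "doc-13"),
    ("acct-004", "2025-03-01T09:40:00", "dev-A", "doc-11"),
    ("acct-005", "2025-03-02T14:00:00", "dev-B", "doc-20"),
    ("acct-006", "2025-03-09T10:30:00", "dev-C", "doc-11"),
    ("acct-007", "2025-03-10T08:00:00", "dev-B", "doc-21"),
]

def velocity_bursts(events, window=timedelta(hours=1), threshold=3):
    """Return {device_id: [account_ids]} where at least `threshold`
    accounts were opened from one device inside a sliding window."""
    by_device = defaultdict(list)
    for acct, opened_at, device, _doc in events:
        by_device[device].append((datetime.fromisoformat(opened_at), acct))
    flagged = defaultdict(set)
    for device, opens in by_device.items():
        opens.sort()
        start = 0
        for end in range(len(opens)):
            # Shrink the window until it spans no more than `window`.
            while opens[end][0] - opens[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[device].update(a for _, a in opens[start:end + 1])
    return {d: sorted(a) for d, a in flagged.items()}

def document_clusters(events, min_accounts=2):
    """Return {doc_fingerprint: [account_ids]} for identity documents
    presented by `min_accounts` or more distinct accounts."""
    by_doc = defaultdict(set)
    for acct, _opened_at, _device, doc in events:
        by_doc[doc].add(acct)
    return {d: sorted(a) for d, a in by_doc.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print("velocity bursts:", velocity_bursts(EVENTS))
    print("document reuse: ", document_clusters(EVENTS))
```

The two signals are complementary: `acct-006` is missed by the velocity check because it was opened days later from a different device, but it surfaces through reuse of the same document fingerprint.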

At present, the seizure of AudiA6 removes a key financial pipeline that processed $380 million in ransomware proceeds. The operation demonstrates that identity theft infrastructure, not just cryptographic complexity, underpins large‑scale crypto laundering. Future regulatory and enforcement efforts may focus on tightening KYC requirements for exchanges and improving cross‑border cooperation to disrupt similar laundering networks.