Ransomware runs on more than malware. It runs on money movement. This week, European authorities cut a major artery.
Europol confirmed the disruption of AudiA6, a cryptocurrency laundering service used by ransomware gangs and wider cybercriminal networks. The takedown, described as severing a “key financial pipeline,” targeted a service estimated to have washed more than €336 million (~$389 million) since its 2021 launch. According to Europol, “the platform became a central hub for ransomware actors and cybercriminals seeking to cash out stolen digital assets while hiding the money trail from authorities.” (source)
What happened
On June 10, 2026, coordinated actions delivered a comprehensive strike against the AudiA6 operation:
- Arrest of two alleged administrators (Ukrainian and Russian nationals) in Georgia
- Three property searches
- Takedown of 25 domains and seizure of more than 30 servers
- Seizure of more than 80 vehicles and multiple properties in Georgia
- Freezing of cryptocurrency assets worth €692,000 ($798,000) and seizure of €86,000 ($99,400) in cryptocurrency
- Blocking Telegram accounts used by the network
- Replacement of the clear web and dark web sites of AudiA6 and Dark2Web with a law enforcement seizure banner
Investigators also suspect the AudiA6 operators administered Dark2Web, a dark web cybercrime forum where illicit services were advertised and threat actors connected globally.
U.S. charges
In parallel, the U.S. Department of Justice announced charges against the two arrested individuals — Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25 — for one count of conspiracy to launder monetary instruments and one count of sting money laundering. If convicted, each faces a maximum possible sentence of 20 years in prison. The DoJ summarized flow-through funds as follows:
“Out of the approximately 10,333 bitcoin deposited, approximately 393.39 BTC (valued at around $19,234,331 at the time of the transactions) were received directly from known darknet markets, ransomware organizations, cybercrime services, and other illicit sources, while additional funds were deposited indirectly from illicit sources into AudiA6 wallets.” (source)
How AudiA6 operated
Authorities describe AudiA6 as an industrial-scale laundering service built on thousands of fraudulent exchange accounts created with stolen or purchased identities. The service has been linked to more than 15 investigations worldwide involving ransomware attacks and large-scale cryptocurrency theft.
Before the disruption, AudiA6 marketed itself as a crypto mixing service focused on anonymity and speed. Customers sent illicit proceeds to wallets controlled by the group and received “cleaned” funds — often within an hour — through a complex chain of transactions designed to obscure origin. Transactions were coordinated over private messaging platforms, with commissions between 3% and 10%.
Europol said investigators identified more than 6,000 Know Your Customer (KYC) records tied to money mule accounts, many connected to Russian-speaking intermediaries recruited to move criminal proceeds through exchanges.
To register mule accounts, the operators used both commercial email providers and email addresses tied to domains under their control, including:
- designli.pictures
- pheontx.eu
- smplfy.in
- sumato-soft.org
- technobrains.dev
- lett.email
- trayo.app
- deliverly.top
- inboxly.top
- postfast.eu
- postino.click
- inboxally.agency
- mailora.eu
- postify.email
- quix.express
- flowcomm.click
- qube.black
- deliverlett.com
- lettermail.eu
Additional intelligence aligns with that picture. In November 2021, Intel 471 disclosed that AudiA6 required a minimum balance of 27 BTC and charged a flat service fee between 3% and 5.5%. And as recently as December 2025, a TRM Labs analysis found that funds stolen from the 2022 LastPass breach were routed through Cryptex and AudiA6.
The investigative path
Europol said this crackdown followed an earlier action by the Polish Police, which led to the September 2025 arrest of a Ukrainian national for alleged money laundering tied to the AudiA6 group. Forensic analysis of seized electronic devices from that case helped identify additional individuals linked to the operation.
Who was involved
The investigation brought together the United States Secret Service and IRS Criminal Investigation, along with the Polish Police and law enforcement partners from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland, and the U.K.
Why this matters
This case spotlights the maturation of industrial-scale crypto laundering that fuels cybercrime — powered by fraudulent exchange accounts, mule wallets, and privacy tooling built to evade anti-money laundering controls. As Europol noted, ransomware groups and cybercriminal networks are increasingly relying on chain-hopping, decentralized exchanges, and “mixer-as-a-service” platforms to move funds across blockchains within minutes — making illicit profits disappear into the digital underground.
Reference: View article