AudiA6 cryptocurrency – Law enforcement dismantled the “AudiA6” cryptocurrency mixing service tied to ransomware actors, alleging it laundered more than $380 million and connected to over 15 international ransomware and theft investigations. The crackdown followed arrests in Georgia,
For years, AudiA6 operated like a backstage machine for cybercrime: take the stolen money, reroute it through complicated transaction paths, and send it back “cleaned” in about an hour—minus a 3–10% commission.
Now that machine has been pulled apart. Law enforcement dismantled the “AudiA6” cryptocurrency service. which authorities allege was used by ransomware actors and other cybercriminals to launder more than $380 million. Europol says the service was linked to more than 15 distinct international investigations of ransomware attacks. and that the platform likely functioned as a central money-laundering hub between 2022 and 2025.
Europol describes what investigators uncovered as an industrial-scale cryptocurrency laundering operation built around thousands of fraudulent exchange accounts. Those accounts, Europol says, were opened using stolen or purchased identities. In its assessment, the criminal service was connected to more than 15 investigations worldwide involving ransomware attacks and large-scale cryptocurrency theft.
AudiA6 was marketed as a “professional cryptocurrency mixing service.” In practice. Europol says it did not change the underlying story of the funds. It accepted cybercrime proceeds. obscured their origin by moving them through complex routes. and returned them to holders as “cleaned” proceeds in roughly an hour. taking a 3–10% fee.
The case did not start in a vacuum. Past reporting from Intel471 and blockchain investigator ZachXBT exposed AudiA6 for facilitating illegal activity.
The operation’s reach, Europol says, extended across continents. The investigation involved authorities from 11 countries across Europe, America, and Asia, supported by Europol and Eurojust.
A turning point came after an arrest in Poland in September 2025. Europol says that arrest involved a Ukrainian national linked to AudiA6. Forensic examination of the suspect’s devices helped investigators identify key individuals behind the operation and eventually locate and arrest them in Georgia.
As a result of action taken “from yesterday,” authorities report a broad set of enforcement steps:
They arrested 2 individuals in Georgia, searched 3 properties, seized 25 domains, and seized 80 vehicles and properties. Officials also seized €86,000 ($99k) in cryptocurrency, froze €692,000 ($798k) in cryptocurrency, and blocked Telegram accounts used by the network.
The two arrested individuals—a Ukrainian and a Russian national—are believed to be administrators of AudiA6, as well as of the underground forum “Dark2Web,” which cybercriminals used to advertise illicit services.
Both the AudiA6 and Dark2Web websites now display a seizure notice to visitors.
In the United States. the Department of Justice named two senior members of the AudiA6 platform: Ruslan Igorevich Tkachuk. aged 37. and Alexander Vladimirovich Ledenev. aged 25. The DOJ says the two are in the custody of Georgian authorities and face sentences of up to 20 years in prison for facilitating cybercrime laundering operations.
The DOJ’s filing included figures tied to bitcoin flows. It said that out of approximately 10. 333 bitcoin deposited. approximately 393.39 BTC—valued at around $19. 234. 331 at the time of the transactions—were received directly from known darknet markets. ransomware organizations. cybercrime services. and other illicit sources. It also said additional funds were deposited indirectly from illicit sources into AudiA6 wallets.
Beyond the administrators, Europol says investigators retrieved 6,000 ‘Know-Your-Customer’ (KYC) records linked to money mule accounts. Europol says those accounts were created using stolen or purchased identities and that many are connected to Russian-speaking intermediaries who recruited them specifically for that purpose.
Europol adds that the money-mule network used multiple domains to register accounts on cryptocurrency exchanges, and that it published information about this domain activity to help platforms block such accounts.
The message from the enforcement actions is blunt: when the money is processed through a service designed to hide its origin, the work doesn’t end at the breach or the theft. It moves to the laundering layer—and that layer, authorities say, has now been hit.
AudiA6 ransomware cryptocurrency laundering Europol Eurojust darknet markets mixing service money mules KYC records Telegram accounts Ruslan Igorevich Tkachuk Alexander Vladimirovich Ledenev
So they just “mix” money and call it crypto? wild.
I don’t get how they can track it if it’s “anonymous.” Like if it’s that easy to find, why does ransomware still work?
Wait, AudiA6 like the car?? I saw something about a “hub” and assumed it was an Audi dealer laundering cash or something. But it’s a crypto mixer? Also “cleaned in an hour” sounds fake lol.
They said 380 million, 15 investigations, thousands of fake exchange accounts… so basically they built a whole little bank. And they get away with it for years until someone finally snatches the server? Seems like law enforcement only catches these things when it hits the news, not before. Also I’m seeing the names Intel471 and ZachXBT get mentioned and I’m like… are they cops too or just watchdogs? Either way, crypto mixing services should’ve been illegal way earlier.