Authorities Dismantle AudiA6 Crypto Laundering for Ransom

Authorities have dismantled “AudiA6,” a major cryptocurrency laundering service extensively relied upon by ransomware groups and cybercriminal networks. Its operations enabled the obscuring of illicit financial flows and the cashing out of stolen digital assets.

The international operation targeted what investigators described as an industrial-scale laundering platform that processed more than EUR 336 million between 2022 and 2025.

The service had become a key financial backbone for ransomware actors, enabling them to convert and move funds while evading detection by law enforcement and compliance systems.

The coordinated takedown on June 10 involved the United States Secret Service, IRS Criminal Investigation, Polish law enforcement, and multiple global partners, with operational support from Europol and Eurojust.

During the action, authorities arrested two suspected administrators of Ukrainian and Russian nationalities in Georgia, conducted property searches, and dismantled critical infrastructure supporting the network.

Investigators seized more than 30 servers, took down 25 domains, and froze and confiscated cryptocurrency assets worth hundreds of thousands of euros.

In addition, assets, including vehicles and properties linked to the suspects, were seized, and communication channels, such as Telegram accounts, were blocked.

Both the clear web and dark web platforms associated with AudiA6, as well as the “Dark2Web” forum, were replaced with official seizure notices.

Authorities Dismantle AudiA6 Group

According to investigators, AudiA6 operated as a professional crypto laundering service advertised on underground forums.

Cybercriminals, including ransomware affiliates, could transfer stolen cryptocurrency to wallets controlled by the service and receive “cleaned” funds within approximately one hour.

The laundering process relied on rapid, complex transaction chains designed to obscure the origin of funds across multiple wallets and exchanges.

The operators charged commissions ranging from 3 to 10 percent, making the service both efficient and profitable. The investigation also uncovered a large-scale network of fraudulent accounts used to facilitate laundering activities.

More than 6,000 Know Your Customer records were linked to money mule accounts created using stolen or purchased identities.

Many of these accounts were managed by intermediaries, often Russian-speaking, who helped move funds across cryptocurrency exchanges.

The group used a combination of commercial email services and custom domains to register accounts and bypass compliance checks.

Authorities have released several domains linked to this activity to help exchanges identify and block suspicious accounts.

Further analysis revealed that the individuals behind AudiA6 were likely also operating the “Dark2Web” cybercrime forum, which served as a marketplace for illicit services and a hub for connecting threat actors globally.

Europol linked the laundering platform to more than 15 investigations involving ransomware campaigns and large-scale cryptocurrency theft, underscoring its role as a central enabler within the cybercrime ecosystem.

The operation reflects a broader trend highlighted in Europol’s 2026 Internet Organized Crime Threat Assessment, which points to the growing professionalization of cryptocurrency laundering services.

Cybercriminal groups increasingly rely on techniques such as chain-hopping, decentralized exchanges, and mixer-based services to rapidly move funds across blockchains and evade anti-money laundering controls.

The takedown of AudiA6 disrupts a significant financial pipeline for ransomware groups. However, authorities warn that similar services continue to evolve, sustaining the global cybercrime economy.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.