
Authorities dismantle “AudiA6” crypto-laundering service used for ransomware

Law enforcement has dismantled the “AudiA6” cryptocurrency service allegedly used by ransomware actors and other cybercriminals to make more than $380 million.

Europol says the service is linked to more than 15 different international investigations into ransomware attacks.

It is believed that the platform was operating as a central location for money laundering between 2022 and 2025.


“Investigators discovered what they described as an industrial cryptocurrency importation operation built around thousands of fraudulent exchange accounts opened using stolen or purchased identities,” Europol explained.

“The investigation by Europol linked the criminal activity to more than 15 investigations worldwide involving ransomware attacks and large-scale cryptocurrency theft.”

The service was marketed as a “professional cryptocurrency pooling service,” but all it did was accept the proceeds of cybercrime, move the money through complex transaction channels that hid its origin, and return it “cleaned” to the owners within an hour, minus a 3-10% service commission.

Previous reports from Intel471 and blockchain investigator ZachXBT had exposed AudiA6 as running an illegal operation.

The investigation involved authorities from 11 countries across Europe, America, and Asia, supported by Europol and Eurojust.

Europol says that this action stems from the arrest in Poland in September 2025 of a Ukrainian person connected to AudiA6.

Examination of the suspect’s equipment helped investigators identify the key people in the operation, who were eventually found and arrested in Georgia.

As a result of yesterday’s action, authorities say:

  • 2 people were arrested in Georgia
  • 3 properties were searched
  • 25 sites were taken
  • 80 vehicles and buildings were seized
  • €86,000 ($99k) was taken in cryptocurrency
  • €692,000 ($798k) in cryptocurrency was frozen
  • Telegram accounts are blocked by the network

The two arrested individuals, a Ukrainian and a Russian, are believed to be the owners of the AudiA6, as well as the underground platform “Dark2Web,” which cybercriminals used to advertise illegal services.

Both the AudiA6 and Dark2Web websites now display a hold notification to visitors.

Takeover banner
Source: Europol

The US Department of Justice named Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25, as senior members of the AudiA6 platform.

The two individuals are currently in the custody of Georgian authorities and face up to 20 years in prison for facilitating cybercrime activities.

“Of these approximately 10,333 bitcoin deposits, approximately 393.39 BTC (worth approximately $19,234,331 at the time of the transaction) were obtained directly from known darknet markets, ransomware organizations, cybercrime services, and other illegal sources, while additional funds were indirectly deposited into the wallet.”

Apart from arresting the two managers, the authorities also recovered 6,000 “Know Your Customer” (KYC) records linked to money mule accounts.

Europol says these accounts were created using stolen or purchased identities, and many were linked to Russian-speaking contacts recruited for the purpose.

This huge network of money mules used many domains to register accounts at cryptocurrency exchanges, a fact that Europol published to raise awareness and help the platforms block them.
