Europol Dismantles AudiA6 Crypto Laundry Used by Ransomware Gangs
11-nation operation shuts down €336M cryptocurrency laundering service. Two operators arrested in Georgia, 25 domains seized, and over 6,000 money mule accounts exposed.
An international law enforcement operation has dismantled AudiA6, a cryptocurrency laundering service that ransomware gangs and cybercriminal networks used to wash over €336 million since 2021. The June 10 takedown resulted in two arrests, seizure of 25 domains and 30+ servers, and the exposure of more than 6,000 money mule accounts, according to Europol's announcement.
Europol coordinated the operation across 11 countries, calling it a strike against "one of the cryptocurrency laundering services most trusted by ransomware gangs."
How AudiA6 Operated
The service marketed itself on underground cybercrime forums as a professional mixing operation. Customers contacted operators through private messaging platforms, transferred stolen cryptocurrency to AudiA6-controlled wallets, and received "cleaned" funds within roughly an hour.
That speed came from a complex transaction chain designed to obscure the money's origin. Multiple wallet hops, cross-chain swaps, and strategic timing made the funds difficult to trace.
Operators charged commissions between 3% and 10% per transaction depending on volume and urgency. At the upper end of that range, €336 million in total volume means tens of millions in profits. For context on how ransomware operations fund themselves, see our ransomware explainer.
The Arrests
Georgian authorities arrested two alleged administrators during the operation:
- Ruslan Igorevich Tkachuk, 37, Russian national
- Alexander Vladimirovich Ledenev, 25, Ukrainian national
Beyond the arrests, law enforcement seized:
- €692,000 (~$798,000) in frozen cryptocurrency
- €86,000 (~$99,400) in directly seized crypto
- 80+ vehicles
- Multiple properties in Georgia
The infrastructure takedown disabled 25 domains and more than 30 servers that processed the laundering transactions.
Ransomware Connections
Europol investigators linked AudiA6 to over 15 active investigations involving ransomware attacks and large-scale cryptocurrency theft. While the agency didn't name specific ransomware groups, the scale of operations suggests multiple major gangs relied on the service.
Analysis showed approximately 393.39 BTC (~$19.2 million) came directly from darknet markets, ransomware organizations, and other cybercrime services. The remaining volume likely originated from fraud operations and stolen credentials.
The investigation also uncovered 6,000+ KYC records connected to money mule accounts. Many of these accounts were linked to Russian-speaking intermediaries specifically recruited to move criminal proceeds through cryptocurrency exchanges. The recruitment tactics often involve social engineering techniques to convince individuals to participate in laundering schemes.
Why This Matters
Cryptocurrency laundering services are critical infrastructure for ransomware operations. Without a reliable way to convert stolen cryptocurrency into usable funds, the entire ransomware economy breaks down.
AudiA6's speed and reliability made it attractive to criminals who needed to move money quickly after an attack. The one-hour turnaround meant victims couldn't coordinate with law enforcement fast enough to freeze stolen funds.
This takedown follows a pattern of increasing pressure on ransomware financial infrastructure. Law enforcement has learned that disrupting payment flows hurts ransomware operations more than going after individual affiliates.
International Cooperation
The operation involved agencies from:
- Australia
- Canada
- France
- Georgia
- Germany
- Iceland
- Japan
- Poland
- Switzerland
- United Kingdom
- United States
Coordination ran through Eurojust and Europol, with multiple agencies contributing intelligence and operational support.
What Happens Next
The arrested administrators face prosecution in Georgia, with potential extradition requests from other participating countries. The seized KYC records will likely generate additional cases against money mule networks.
For ransomware gangs, AudiA6's shutdown means finding new laundering partners. That's not trivial—trust matters in criminal ecosystems, and building relationships with new services takes time.
Organizations defending against ransomware should take some comfort here. Every laundering service that goes down increases friction in the ransomware economy. But these services regenerate. The underlying demand for cryptocurrency laundering hasn't disappeared, and new operators will emerge to fill the gap.
For now, at least one major pipeline is closed.