In a significant international operation, authorities have dismantled ‘AudiA6,’ a major cryptocurrency laundering service extensively utilized by ransomware groups and cybercriminal networks to obscure illicit financial transactions and cash out stolen digital assets. Between 2022 and 2025, this industrial-scale platform processed over EUR 336 million, serving as a crucial financial conduit for cybercriminals seeking to evade detection.
The coordinated takedown on June 10 involved the United States Secret Service, IRS Criminal Investigation, Polish law enforcement, and multiple global partners, with operational support from Europol and Eurojust. During the operation, two suspected administrators of Ukrainian and Russian nationalities were arrested in Georgia. Authorities conducted property searches, dismantled critical infrastructure, seized more than 30 servers, took down 25 domains, and froze cryptocurrency assets worth hundreds of thousands of euros. Additionally, assets such as vehicles and properties linked to the suspects were confiscated, and communication channels, including Telegram accounts, were blocked. Both the clear web and dark web platforms associated with AudiA6, as well as the ‘Dark2Web’ forum, were replaced with official seizure notices.
Investigators revealed that AudiA6 operated as a professional crypto laundering service advertised on underground forums. Cybercriminals, including ransomware affiliates, could transfer stolen cryptocurrency to wallets controlled by the service and receive ‘cleaned’ funds within approximately one hour. The laundering process involved rapid, complex transaction chains designed to obscure the origin of funds across multiple wallets and exchanges. The operators charged commissions ranging from 3 to 10 percent, making the service both efficient and profitable. The investigation also uncovered a large-scale network of fraudulent accounts used to facilitate laundering activities. More than 6,000 Know Your Customer records were linked to money mule accounts created using stolen or purchased identities. Many of these accounts were managed by intermediaries, often Russian-speaking, who helped move funds across cryptocurrency exchanges. The group used a combination of commercial email services and custom domains to register accounts and bypass compliance checks. Authorities have released several domains linked to this activity to help exchanges identify and block suspicious accounts.
Further analysis revealed that the individuals behind AudiA6 were likely also operating the ‘Dark2Web’ cybercrime forum, which served as a marketplace for illicit services and a hub for connecting threat actors globally. Europol linked the laundering platform to more than 15 investigations involving ransomware campaigns and large-scale cryptocurrency theft, underscoring its role as a central enabler within the cybercrime ecosystem.
This operation reflects a broader trend highlighted in Europol’s 2026 Internet Organized Crime Threat Assessment, which points to the growing professionalization of cryptocurrency laundering services. The dismantling of AudiA6 marks a significant step in disrupting the financial infrastructure that underpins global cybercrime, demonstrating the effectiveness of international collaboration in tackling complex, transnational criminal networks.
