International operation dismantles AudiA6, a $390M crypto laundering network for ransomware gangs
An international law enforcement task force spanning 11 countries has shut down AudiA6, a large-scale crypto money laundering service that funneled more than 336 million euros (around $390 million) in dirty funds for cybercriminals between 2022 and 2025.
Authorities describe AudiA6 as a “mixer-as-a-service” platform tailored for ransomware operators and other online criminals. The service allowed users to “clean” stolen or illicit cryptocurrency in under an hour, charging commissions ranging from 3% to 10% for obscuring the origin and movement of funds.
Coordinated raids, arrests and seizures
On Wednesday, coordinated actions led to the arrest of two alleged AudiA6 administrators – Russian and Ukrainian nationals – in Georgia. Investigators seized 25 domains linked to the operation, more than 30 servers, and 80 vehicles believed to have been purchased with criminal proceeds. Law enforcement also froze roughly $900,000 worth of cryptocurrency tied to the scheme.
The investigation, coordinated through Eurojust and Europol, involved agencies from the United States, Australia, France, Poland, Georgia, Iceland, Canada, Germany, Japan, Switzerland and the United Kingdom. Officials say the operation marks one of the most significant recent blows against the crypto infrastructure used by ransomware groups.
Both the clear‑web and dark‑web versions of the AudiA6 platform now display seizure notices, as do the associated Dark2Web marketplace domains.
How AudiA6 laundered over 10,000 BTC
According to blockchain analytics data, AudiA6 wallets received about 10,333 BTC between 2021 and 2025, worth approximately $389 million at the time those transactions were processed. Rather than simply mixing coins in a traditional pool, AudiA6 positioned itself as a full-service laundering hub, automating the process of splitting, routing, and redistributing crypto to break the chain of traceability.
The platform became a go‑to destination for ransomware gangs seeking to cash out or redistribute extorted funds with minimal risk of detection. Cybercriminals would send in tainted funds, pay a fee, and receive “cleaned” assets that had been routed through multiple layers of wallets and accounts, often across several exchanges and blockchains.
Dark2Web: the linked criminal marketplace
Investigators say AudiA6 was not operating in isolation. The same cybercrime syndicate is alleged to have run Dark2Web, an underground forum used to advertise illicit services and connect cybercriminals worldwide.
Dark2Web functioned as a marketplace and networking hub, enabling actors involved in ransomware, data theft, malware development, and fraud to find one another, outsource tasks, and access tools, including money laundering options such as AudiA6. By integrating a laundering service with a criminal marketplace, the group created a closed ecosystem where criminals could plan attacks, execute them, and then rapidly move and conceal the profits.
6,000 fake KYC accounts and a network of money mules
A key enabler of the laundering pipeline was the large number of fraudulent accounts used on legitimate crypto platforms. Investigators identified more than 6,000 Know Your Customer (KYC) profiles linked to “money mule” accounts.
These accounts were often opened with stolen or purchased identity documents, or in some cases with the consent of individuals paid to lend their identities. Many of the mule accounts were allegedly controlled or brokered by Russian‑speaking intermediaries who specialized in moving criminal proceeds through centralized exchanges and other financial services.
By spreading funds across thousands of partially verified or fake accounts, AudiA6 reduced the chances that any single account would attract suspicion. When one account was flagged or frozen, funds had typically already been fragmented and redirected through other channels.
Connection to real‑world ransomware cases
Authorities say AudiA6 did not just handle theoretical or small‑scale activity. The Australian Federal Police reported that part of a ransom payment made by an Australian business in 2024 – following a ransomware extortion incident – was laundered through AudiA6.
This concrete link to a documented ransomware attack underscores how integral such services have become to the modern cybercrime economy. Without the ability to reliably launder proceeds, ransomware operations would struggle to convert their crypto takings into usable value, undermining the core business model that sustains them.
Ransomware landscape: fewer groups, more victims
The takedown comes against a backdrop of an increasingly concentrated ransomware ecosystem. Ransomware incidents were recorded in 97 countries during the first quarter of 2026, yet a disproportionate share of victims is now located in a handful of jurisdictions.
The United States has become the primary target, accounting for 64.7% of all recorded ransomware victims in Q1 2026, according to recent industry data. At the same time, security researchers report that the market is consolidating around a small number of dominant groups. The top 10 ransomware operations were linked to 71% of all victims during that period.
This consolidation means each successful law enforcement action can have a larger impact. Disrupting shared infrastructure – from affiliate programs to laundering services like AudiA6 – can simultaneously affect multiple ransomware brands and their supporting networks.
Why mixers and “laundering-as-a-service” are central to cybercrime
Services such as AudiA6 occupy a critical position in the ransomware supply chain. While ransomware operators build or rent malware, compromise systems, and negotiate payments, they still need to transform the resulting crypto into spendable funds without exposing their identities.
Mixers and laundering‑as‑a‑service offerings solve this problem by deliberately breaking the direct link between a ransom payment and its final destination. Through a complex series of transfers – often involving multiple blockchains, token swaps, and cross‑platform movements – the money trail becomes significantly harder to follow.
For law enforcement and blockchain analysts, this raises the technical bar. Instead of tracing a single chain of transactions, they must reconstruct sprawling webs of interactions across thousands of wallets and accounts, often involving exchanges in different jurisdictions and asset types.
Growing regulatory pressure on crypto intermediaries
The AudiA6 case highlights how laundering rings increasingly exploit weak KYC and anti‑money laundering (AML) controls at smaller or poorly regulated platforms. As large exchanges tighten compliance, criminals look for gaps: regional platforms, overburdened compliance teams, or services that rely heavily on automated checks and superficial document review.
Regulators worldwide are responding by pushing more rigorous KYC standards, enhanced due diligence for high‑risk customers, and closer monitoring of crypto‑to‑crypto transactions, not just cash‑out points. There is growing emphasis on:
– Identifying suspicious patterns associated with known mixing services
– Blocking transactions tied to sanctioned entities or high‑risk regions
– Sharing risk indicators and wallet intelligence between jurisdictions
– Requiring exchanges to have robust processes for detecting mule networks
For compliant exchanges, these developments increase operational burdens but also help protect them from becoming unwitting conduits for large-scale criminal flows.
How investigators are adapting to advanced laundering schemes
The AudiA6 takedown illustrates how law enforcement is evolving to counter more sophisticated crypto laundering. Key investigative techniques include:
– Blockchain analytics to cluster wallets, identify mixing patterns, and correlate on‑chain flows with off‑chain data
– Undercover operations and infiltration of criminal forums to map relationships and service offerings
– Cross‑border information-sharing to connect activity across exchanges, hosting providers, and domains in different countries
– Seizure of servers and infrastructure, allowing investigators to gain access to internal logs, communications, and wallet databases
By seizing more than 30 servers and 25 domains, authorities likely obtained rich technical evidence that can support further investigations, identify additional suspects, and map the broader network of users who relied on AudiA6.
Implications for businesses and crypto users
For legitimate businesses and everyday crypto users, the AudiA6 operation is a reminder that the regulatory perimeter around digital assets is tightening. Exchanges and service providers are under mounting pressure to:
– Strengthen identity verification processes and avoid relying solely on document uploads
– Monitor for high‑velocity, high‑fragmentation patterns typical of laundering operations
– Implement tools to detect wallets associated with mixers, ransomware groups, and fraudulent KYC clusters
– Respond rapidly to law enforcement requests and establish dedicated compliance response teams
End users may also face more stringent checks when moving large amounts of crypto, even if their funds are legitimate. While this can feel intrusive, such measures are part of a broader attempt to make it harder for criminal ecosystems to operate at scale.
What this means for ransomware operators
The dismantling of AudiA6 and Dark2Web does not eliminate ransomware, but it does raise the operational cost for those behind it. Without reliable laundering infrastructure:
– Criminals must take on more risk by handling cash‑outs themselves
– They may be forced to use riskier or more traceable services
– Negotiations with victims could become more complex if payment channels are constrained
Some operators may respond by moving to smaller, more fragmented laundering services or experimenting with privacy‑focused coins and decentralized protocols. However, fragmentation can also increase the chances of mistakes, leaks, and internal betrayals, creating new opportunities for enforcement.
A significant, but not final, blow against crypto crime
The AudiA6 case demonstrates both the adaptability of cybercriminals and the growing sophistication of international law enforcement. By targeting a central piece of laundering infrastructure and the marketplace built around it, authorities have disrupted a crucial component of the ransomware economy.
Yet, as history has shown, new services and forums are likely to emerge to fill the gap. The long‑term effect of this operation will depend on whether regulators, exchanges, investigators, and security researchers can sustain pressure on the financial layer of cybercrime – making it progressively more difficult, expensive, and risky to convert illicit digital assets into real‑world wealth.