An 11-Country Enforcement Action
Authorities from 11 countries, coordinated by Europol and Eurojust, executed the enforcement action. According to BleepingComputer, AudiA6 functioned as a professional mixing platform that obscured fund origins and provided rapid returns to criminals.
Europol linked the service to more than 15 international ransomware investigations over three years. The platform’s defining characteristic wasn’t sophisticated technology but rather its reliance on an extensive identity fraud infrastructure: 6,000 KYC records tied to money-mule accounts.
The Identity Fraud Network
These fraudulent accounts were established using stolen or purchased identities. Many participants were actively recruited through Russian-speaking intermediary networks to open exchange accounts that could receive and withdraw laundered funds. Blockchain investigators ZachXBT and threat-intelligence firm Intel 471 had previously identified AudiA6 as facilitating these illegal activities.
The breakthrough came in September 2025 when Polish authorities arrested a Ukrainian national. Forensic analysis of the suspect’s devices provided investigators with a clear roadmap to the platform’s key operators. These operators were subsequently located and arrested in Georgia.
The Operators Behind the Service
The DOJ identified the arrested administrators as Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25. Both men also managed Dark2Web, an underground forum where illicit services including AudiA6 were advertised and sold.
The enforcement action resulted in substantial seizures. Authorities took down 25 domains, seized 80 vehicles and properties, blocked associated Telegram accounts, and froze 692,000 euros in cryptocurrency. An additional 86,000 euros was confiscated.
How the Layering Worked
Ransomware laundering rarely involves direct transfers of all criminal funds in one step. The DOJ found that out of roughly 10,333 bitcoin deposited into AudiA6, only about 393 bitcoin (valued at approximately $19.2 million at the time) originated directly from known darknet markets.
This gap reveals a common layering strategy. Ransomware operators typically pre-layer funds through intermediate steps before using specialist mixers like AudiA6. The 6,000 mule identities were crucial to this process, providing the verified accounts needed for withdrawals from compliant exchanges. Without the identity fraud infrastructure, the service could not have functioned.
What Security Teams Should Learn
The AudiA6 case offers several critical lessons for organizations defending against ransomware:
Monitor account opening patterns. Security and compliance teams should treat KYC mule-account recruitment as a threat signal. Flag anomalous patterns in account opening velocity and suspicious clustering of identity documents.
Integrate blockchain intelligence. Add blockchain-intelligence feeds to incident response playbooks. This allows teams to assess destination risk before any ransom payment moves and trace funds through laundering pipelines.
Watch dark-web marketplaces. Monitoring underground forums for mentions of your organization’s IP ranges or credentials can surface the supplier side of the ransomware economy before attacks occur.
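As an added illustration of the first lesson (this is example code, not part of the article or of any tool it names), the following Python detector runs over constructed onboarding records and flags both account-opening velocity from a single source and clusters of accounts linked by a reused identity document, phone number or IP address. The record layout, thresholds and window size are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample KYC onboarding events (not real data): one row per new
# exchange account: (account_id, timestamp, identity-document hash, phone, source IP).
EVENTS = [
    ("acc-001", "2025-09-01T09:00:00", "doc-a1", "+48111", "203.0.113.5"),
    ("acc-002", "2025-09-01T09:04:00", "doc-b2", "+48222", "203.0.113.5"),
    ("acc-003", "2025-09-01T09:07:00", "doc-c3", "+48333", "203.0.113.5"),
    ("acc-004", "2025-09-01T09:11:00", "doc-d4", "+48444", "203.0.113.5"),
    ("acc-005", "2025-09-02T14:00:00", "doc-a1", "+48555", "198.51.100.9"),  # document reused
    ("acc-006", "2025-09-03T10:00:00", "doc-e5", "+48666", "192.0.2.77"),    # unrelated account
]

def velocity_alerts(events, key=lambda e: e[4], window=timedelta(minutes=15), threshold=3):
    """Return {attribute: [accounts]} where one attribute value (default: source IP)
    opened at least `threshold` accounts inside any sliding window of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key(e)].append((datetime.fromisoformat(e[1]), e[0]))
    alerts = {}
    for value, rows in by_key.items():
        rows.sort()
        for i in range(len(rows)):
            j = i
            while j < len(rows) and rows[j][0] - rows[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[value] = [acc for _, acc in rows[i:j]]
                break
    return alerts

def identity_clusters(events, min_size=2):
    """Union-find over accounts that share a document hash, phone or IP;
    return every connected cluster with at least `min_size` accounts."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    seen = {}  # (attribute kind, value) -> first account that presented it
    for acc, _, doc, phone, ip in events:
        find(acc)
        for attr in (("doc", doc), ("phone", phone), ("ip", ip)):
            if attr in seen:
                parent[find(acc)] = find(seen[attr])
            else:
                seen[attr] = acc
    groups = defaultdict(set)
    for acc, *_ in events:
        groups[find(acc)].add(acc)
    return [sorted(g) for g in groups.values() if len(g) >= min_size]
```

In production the same logic would key on device fingerprints and document-number hashes rather than raw values, and the clusters would feed a case-management queue rather than being printed.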
The arrests of Tkachuk and Ledenev mark a significant disruption to an ecosystem that processed ransomware payments worth hundreds of millions of dollars and depended entirely on industrialized identity theft to function at scale.