Full Report
Law enforcement has dismantled the “AudiA6” cryptocurrency service allegedly used by ransomware actors and other cybercriminals to launder more than $380 million. [...]
Analysis Summary
# Incident Report: Takedown of "AudiA6" Crypto-Laundering Service
## Executive Summary
Law enforcement agencies from 11 countries, supported by Europol and Eurojust, dismantled "AudiA6," a major cryptocurrency mixing and laundering hub. The service allegedly laundered over $380 million (approximately 10,333 BTC) for ransomware groups and darknet markets between 2022 and 2025. The operation resulted in two high-level arrests in Georgia, the seizure of 25 domains, and the freezing of nearly $800,000 in assets.
## Incident Details
- **Discovery Date:** September 2025 (Initial breakthrough via arrest)
- **Incident Date:** Active 2022 – June 2026 (Dismantled)
- **Affected Organization:** Cryptocurrency exchanges (via fraudulent accounts), Ransomware victims
- **Sector:** Financial Services / Cybercrime-as-a-Service (CaaS)
- **Geography:** Global (Operations focused in Poland, Georgia, Ukraine, and Russia)
## Timeline of Events
The phases below apply the intrusion kill-chain template to a laundering operation rather than to a network intrusion: "initial access" is the bulk onboarding of fraudulent exchange accounts, and "lateral movement" is the movement of funds between those accounts, not of an attacker between hosts.
### Initial Access
- **Date/Time:** 2022
- **Vector:** Fraudulent Account Creation
- **Details:** The service built an "industrial-scale" operation by opening thousands of cryptocurrency exchange accounts with stolen or purchased identities, passing each exchange's KYC (Know Your Customer) checks with documents that did not belong to the operator.
### Lateral Movement
- **Movement:** Funds were moved through complex, automated transaction routes across multiple fraudulent accounts to obscure the "trail of breadcrumbs" from the original crime to the final payout.
### Data Exfiltration/Impact
- **Impact:** Over $380 million laundered. The service served as a central pipeline for at least 15 international ransomware investigations and large-scale crypto thefts.
### Detection & Response
- **Detection:** Investigated by Intel471 and ZachXBT; later prioritized by Europol after linking the service to global ransomware attacks.
- **Response Actions:**
- **Sept 2025:** Arrest of a Ukrainian national in Poland.
- **June 2026:** Arrest of two senior administrators (Tkachuk and Ledenev) in Georgia.
- **June 2026:** Simultaneous seizure of 25 domains and 80 vehicles/properties; blocking of associated Telegram communication channels.
## Attack Methodology
- **Initial Access:** Use of stolen/purchased identities to create "money mule" accounts.
- **Persistence:** Maintained a presence on the "Dark2Web" forum to recruit users and advertise services.
- **Defense Evasion:** Used "mixing" techniques: accepting illicit proceeds and returning "clean" funds within about one hour. The fast turnaround matters operationally, because an exchange that flags a tainted deposit has only that window to freeze the funds before they have already left.
- **Credential Access (analogue):** 6,000+ stolen or purchased identity records (KYC documents) used to pass onboarding checks.
- **Lateral Movement:** Chaining transactions between thousands of accounts across various exchanges.
- **Impact:** Facilitation of financial crimes by providing an exit ramp for ransomware actors to convert crypto to spendable assets.
## Impact Assessment
- **Financial:** $380M+ laundered; €692,000 frozen; €86,000 seized in crypto (together roughly the "nearly $800,000" cited in the Executive Summary); 80 vehicles/properties seized.
- **Data Breach:** Compromise and illicit use of 6,000+ personal identity records for KYC fraud.
- **Operational:** Disruption of the "Dark2Web" underground forum and the AudiA6 laundering pipeline.
- **Reputational:** Demonstrates that a high-volume mixing service can be attributed to named operators and dismantled, which undercuts the anonymity such services advertise to their customers.
## Indicators of Compromise
- **Network Indicators** (defanged; this summary reproduces only the service's and forum's primary names, not the full list of 25 seized domains, so verify against the official seizure notice before adding anything to a blocklist):
- `audia6[.]com` (and 24 other seized domains)
- `dark2web[.]com` (underground forum)
- **Behavioral Indicators:**
- High-volume crypto deposits from known ransomware wallets (e.g., LockBit, ALPHV) followed by disbursement within roughly an hour, matching the mixing turnaround described above.
- Multiple exchange accounts registered with different identities but sharing the same IP ranges, device fingerprints, or onboarding sessions.
## Response Actions
- **Containment:** Seizure of 25 domains to prevent further laundering transactions.
- **Eradication:** Arrest of administrators Ruslan Igorevich Tkachuk and Alexander Vladimirovich Ledenev.
- **Recovery:** Law enforcement now holds the 6,000 KYC records, which are being shared with exchanges so they can identify and close the fraudulent accounts opened with them.
## Lessons Learned
- **CaaS Interdependence:** Ransomware ecosystems rely heavily on a small number of specialized "cleaning" services; removing one hub disrupts dozens of disparate threat actors.
- **Forensic Value:** The arrest of a single "tier-2" affiliate in 2025 provided the digital evidence (forensic exam of devices) necessary to map the entire admin infrastructure.
- **Identity Theft as an Enabler:** The scale of the laundering was only possible due to the massive availability of stolen identities for KYC bypass.
## Recommendations
- **For Crypto Exchanges:** Enhance "liveness" checks during KYC and cross-reference account metadata to identify patterns of "industrial-scale" account creation.
- **For Organizations:** Continue focus on ransomware prevention (EDR/Immutable Backups), as disrupting the laundering phase is a secondary, law-enforcement-led control.
- **For Law Enforcement:** Maintain international cooperation to target the jurisdictions (like Georgia) where cybercriminals frequently seek refuge.
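The behavioral indicators and the exchange-side recommendation above describe two detections a compliance team can run over data it already holds: accounts onboarded under different identities from shared infrastructure, and tainted deposits swept out within the hour. The following is an added example of that logic, not code from the investigation or from any exchange; the record layouts, device-fingerprint and address-label fields, and the sample rows are constructed assumptions.

```python
"""Two account-level detections an exchange could run over its own onboarding and
ledger data. Added example; record formats and address labels are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed onboarding records: (account_id, identity_document_id, device_fingerprint, signup_ip)
ACCOUNTS = [
    ("acc-001", "DOC-AAA", "fp-7f3a", "203.0.113.10"),
    ("acc-002", "DOC-BBB", "fp-7f3a", "203.0.113.11"),
    ("acc-003", "DOC-CCC", "fp-7f3a", "203.0.113.12"),
    ("acc-004", "DOC-DDD", "fp-7f3a", "203.0.113.13"),
    ("acc-005", "DOC-EEE", "fp-91c0", "198.51.100.7"),
    ("acc-006", "DOC-EEE", "fp-91c0", "198.51.100.7"),  # one person, two accounts: not the pattern
    ("acc-007", "DOC-FFF", "fp-2b2b", "192.0.2.44"),
]

# Constructed ledger rows: (account_id, iso_timestamp, direction, amount_btc, counterparty_address)
LEDGER = [
    ("acc-001", "2025-03-01T10:00:00", "in",  4.00, "addr-tagged-ransom"),
    ("acc-001", "2025-03-01T10:37:00", "out", 3.95, "addr-payout-1"),   # swept within the hour
    ("acc-007", "2025-03-02T09:00:00", "in",  1.00, "addr-tagged-ransom"),
    ("acc-007", "2025-03-03T09:00:00", "out", 1.00, "addr-payout-2"),   # a day later: outside window
    ("acc-005", "2025-03-02T12:00:00", "in",  0.50, "addr-untagged"),
    ("acc-005", "2025-03-02T12:10:00", "out", 0.50, "addr-payout-3"),   # fast, but source not tagged
]

# Addresses the exchange has labelled as ransomware-linked (constructed label set).
TAGGED_ADDRESSES = {"addr-tagged-ransom"}


def cluster_accounts(accounts, min_distinct_ids=3):
    """Group accounts by device fingerprint and by signup /24, and return the groups in
    which at least `min_distinct_ids` different identity documents were presented.
    Several identities behind one device or subnet is the onboarding pattern to flag;
    one identity holding several accounts is a different (usually benign) case."""
    groups = defaultdict(list)
    for account, doc, fingerprint, ip in accounts:
        groups[("fingerprint", fingerprint)].append((account, doc))
        subnet = str(ip_network(f"{ip}/24", strict=False))
        groups[("subnet", subnet)].append((account, doc))
    flagged = {}
    for key, members in groups.items():
        if len({doc for _, doc in members}) >= min_distinct_ids:
            flagged[key] = sorted(account for account, _ in members)
    return flagged


def rapid_passthrough(ledger, tagged, window=timedelta(hours=1), min_ratio=0.9):
    """Return the accounts in which a deposit from a tagged address was followed, within
    `window`, by withdrawals totalling at least `min_ratio` of that deposit."""
    rows = [(acc, datetime.fromisoformat(ts), d, amt, cp) for acc, ts, d, amt, cp in ledger]
    hits = set()
    for acc, t_in, direction, amount, counterparty in rows:
        if direction != "in" or counterparty not in tagged:
            continue
        swept = sum(
            amt for a, t, d, amt, _ in rows
            if a == acc and d == "out" and t_in < t <= t_in + window
        )
        if swept >= min_ratio * amount:
            hits.add(acc)
    return hits


def triage(accounts, ledger, tagged):
    """Accounts matching both signals: shared onboarding infrastructure and rapid
    pass-through of tagged funds. These are the ones to freeze and report first."""
    clustered = {acc for members in cluster_accounts(accounts).values() for acc in members}
    return sorted(clustered & rapid_passthrough(ledger, tagged))


if __name__ == "__main__":
    for key, members in cluster_accounts(ACCOUNTS).items():
        print("shared", key, "->", members)
    print("rapid pass-through:", sorted(rapid_passthrough(LEDGER, TAGGED_ADDRESSES)))
    print("priority:", triage(ACCOUNTS, LEDGER, TAGGED_ADDRESSES))
```

Run against the constructed data, the fingerprint and subnet clusters both surface `acc-001` through `acc-004` (four identities, one device, one /24), the two accounts under `DOC-EEE` are correctly left alone, and only `acc-001` trips the one-hour pass-through rule; `acc-007` received the same tagged funds but held them for a day, and `acc-005` moved quickly but from an untagged source. The thresholds (`min_distinct_ids`, `window`, `min_ratio`) are tuning knobs, not values taken from the case.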