Ransomware is a two-part business. The first part — breaking in, stealing data, deploying the locker — gets the headlines. The second part — turning the resulting cryptocurrency into clean, spendable money — is the quieter, indispensable plumbing. On June 10, 2026, a coordinated international operation went after the plumbing, and dismantled one of its busiest fixtures.

Europol and Eurojust, working with authorities across 11 countries, took down AudiA6, an industrial-scale cryptocurrency laundering service that prosecutors say washed more than €336 million (roughly $389 million) in criminal proceeds since 2021. Two suspected senior administrators were arrested, 25 domains and dozens of servers were seized, and a linked dark-web cybercrime forum was knocked offline in the same sweep. The takedown was announced publicly on June 11.

A laundromat built on stolen identities

AudiA6 marketed itself on cybercrime forums the way a legitimate fintech might pitch speed and reliability — except the product was anonymity. Customers transferred dirty cryptocurrency into operator-controlled wallets and received “cleaned” funds within roughly an hour, minus a commission of 3 to 10 percent.

What made it work at scale was identity fraud. Europol describes the platform as “an industrial-scale cryptocurrency laundering operation built around thousands of fraudulent exchange accounts opened using stolen or purchased identities.” Investigators recovered around 6,000 KYC records tied to the money-mule accounts that fed the service. Blockchain analysis traced some 10,333 BTC in deposits, with nearly 393 BTC (about $19 million) linked directly to darknet markets, ransomware operators, and other criminal sources.

Europol connects AudiA6 to more than 15 international cybercrime and ransomware investigations. Notably, authorities did not name specific ransomware brands as customers — so while the service plainly served the ransomware economy, anyone attributing it to a particular gang is going beyond what the evidence currently supports.

Arrests, seizures, and a side business in cybercrime forums

The operation’s centerpiece was the arrest of two suspected administrators in the Republic of GeorgiaRuslan Igorevich Tkachuk (37) and Alexander Vladimirovich Ledenev (25), described as one Russian and one Ukrainian national. (Reporting outlets disagree on which man holds which nationality, so we leave that pairing unstated.) Both face U.S. charges of conspiracy to launder monetary instruments and “sting” money laundering, each carrying up to 20 years. The thread that opened the case reaches back to a Ukrainian national arrested in Poland in September 2025.

The physical and digital seizures were substantial:

  • 25 domains seized and 30+ servers taken offline, now displaying law-enforcement seizure notices.
  • Roughly €778,000 in cryptocurrency frozen and seized.
  • More than 80 vehicles and multiple properties confiscated or searched in Georgia.
  • Associated Telegram accounts blocked.

Crucially, investigators believe the AudiA6 operators were also running Dark2Web, a dark-web forum used to advertise illicit services and broker connections between threat actors. Both platforms went down together — meaning the operation didn’t just seize a laundromat, it seized one of the marketplaces where customers were recruited.

Following the money, again

This is now the third major crypto-laundering disruption we’ve tracked in roughly six months, after Europol’s December 2025 dismantling of a cryptomixer and the €700 million fraud-network takedown days later. The pattern is deliberate. With initial-access brokers, affiliate lockers, and bulletproof hosting all hardened against takedown, the cash-out layer has become the pressure point — the chokehold where one disruption degrades the economics of dozens of unrelated crews at once.

The eleven participating jurisdictions — the United States, Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland, the United Kingdom, and Poland — reflect how that strategy now requires moving across borders faster than the money does. Cut the pipeline, and even a successful ransomware attack leaves the attacker holding crypto they can’t safely spend. That, increasingly, is the point.

Sources