Global Authorities Dismantle $380M Ransomware Crypto-Laundering Network AudiA6
In a coordinated crackdown, law enforcement agencies from 11 countries dismantled AudiA6, a sophisticated cryptocurrency mixing service that laundered over $380 million in ransomware and cybercrime proceeds between 2022 and 2025. The operation, led by Europol and Eurojust, exposed an industrial-scale identity fraud scheme underpinning the platform’s illicit transactions.
AudiA6 functioned as a professional crypto-mixer, accepting tainted funds, obscuring their origins through complex transaction routes, and returning "cleaned" proceeds to criminals within an hour, charging a 3% to 10% commission. Unlike typical mixers, the service relied on 6,000 fraudulent exchange accounts, each created using stolen or purchased identities sourced through Russian-speaking intermediary networks. These accounts provided the necessary KYC (Know Your Customer) cover to process withdrawals, enabling the platform’s large-scale laundering.
The investigation linked AudiA6 to 15 international ransomware cases over three years. While only $19.2 million of the $380 million in processed funds came directly from darknet markets, the remaining transactions had already been pre-layered through smaller exchanges, peer-to-peer trades, and privacy coins before reaching AudiA6, highlighting its role as the final, industrial-scale laundering layer.
A breakthrough came in September 2025, when Polish authorities arrested a Ukrainian national connected to the platform. Forensic analysis of the suspect’s devices led to the identification and arrest of two key operators in Georgia: Ruslan Igorevich Tkachuk (37) and Alexander Vladimirovich Ledenev (25). Both also administered Dark2Web, an underground forum where criminals advertised AudiA6 alongside other illicit services.
The enforcement action resulted in the seizure of 25 domains, 80 vehicles and properties, and 692,000 euros in frozen cryptocurrency, along with an additional 86,000 euros in cash. Authorities also blocked the network’s Telegram accounts, disrupting its communication channels.
The case underscores how ransomware payments ultimately depend on industrialized identity theft, not just cryptographic obfuscation, to move funds into legitimate financial systems. The takedown marks a significant blow to the cybercriminal ecosystem, though authorities note that similar operations remain active.
Source: https://www.cybersecurity-insiders.com/audia6-ransomware-crypto-laundering-dismantled/
{
  "id": "AUDCHA1782073550",
  "linkid": "audi-ag, chainalysis",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  'affected_entities': [
    {'customers_affected': 'Ransomware groups and cybercriminals',
     'industry': 'Cybercrime, Financial Services',
     'name': 'AudiA6',
     'type': 'Cryptocurrency mixing service'},
    {'customers_affected': 'Cybercriminals',
     'industry': 'Cybercrime',
     'name': 'Dark2Web',
     'type': 'Underground forum'}
  ],
  'attack_vector': 'Cryptocurrency mixing, Fraudulent exchange accounts, Stolen identities',
  'data_breach': {
    'number_of_records_exposed': '6,000 fraudulent exchange accounts',
    'personally_identifiable_information': True,
    'sensitivity_of_data': 'High (personally identifiable information used for KYC)',
    'type_of_data_compromised': 'Stolen identities, Fraudulent KYC data'
  },
  'date_publicly_disclosed': '2025-09',
  'description': 'In a coordinated crackdown, law enforcement agencies from 11 countries dismantled AudiA6, a sophisticated cryptocurrency mixing service that laundered over $380 million in ransomware and cybercrime proceeds between 2022 and 2025. The operation exposed an industrial-scale identity fraud scheme underpinning the platform’s illicit transactions.',
  'impact': {
    'financial_loss': '$380 million laundered',
    'identity_theft_risk': '6,000 fraudulent exchange accounts created using stolen identities',
    'operational_impact': 'Disruption of cybercriminal laundering operations'
  },
  'investigation_status': 'Ongoing (disruption achieved, but similar operations may remain active)',
  'lessons_learned': 'Ransomware payments depend on industrialized identity theft to move funds into legitimate financial systems. Cryptocurrency mixers rely on fraudulent KYC processes to operate at scale.',
  'motivation': 'Financial gain, Money laundering',
  'post_incident_analysis': {
    'corrective_actions': 'Seizure of assets, arrests of key operators, domain takedowns, disruption of communication channels',
    'root_causes': 'Use of stolen identities for fraudulent exchange accounts, lack of effective KYC enforcement, reliance on cryptocurrency mixing for laundering'
  },
  'references': [{'source': 'Europol, Eurojust'}],
  'regulatory_compliance': {
    'legal_actions': 'Arrests of key operators, asset seizures',
    'regulations_violated': 'Anti-money laundering (AML) laws, KYC regulations'
  },
  'response': {
    'containment_measures': 'Seizure of 25 domains, 80 vehicles and properties, 692,000 euros in frozen cryptocurrency, 86,000 euros in cash; blocking of Telegram accounts',
    'law_enforcement_notified': True,
    'third_party_assistance': 'Europol, Eurojust, law enforcement agencies from 11 countries'
  },
  'threat_actor': [
    'Ruslan Igorevich Tkachuk (37)',
    'Alexander Vladimirovich Ledenev (25)',
    'Ukrainian national (arrested in Poland)'
  ],
  'title': 'Global Authorities Dismantle $380M Ransomware Crypto-Laundering Network AudiA6',
  'type': 'Ransomware, Cryptocurrency Laundering, Identity Fraud'
}