Authorities Dismantle AudiA6, the Ransomware Crypto Laundering Service Behind $380M


Ransomware crypto laundering has grown into an industrial-scale identity-fraud operation, not just a technical obfuscation layer. BleepingComputer reports that a coordinated action by authorities from 11 countries dismantled AudiA6, a service that processed more than $380 million in cybercrime proceeds between 2022 and 2025. The platform routed funds through thousands of fraudulent exchange accounts built on stolen and purchased identities.

How AudiA6 Processed $380 Million Across 15 Ransomware Crypto Laundering Investigations

Europol, the European Union’s law enforcement agency, linked AudiA6 to more than 15 international ransomware investigations spanning three years. The service operated as a professional cryptocurrency mixing platform. It accepted funds, moved them through complex transaction routes designed to obscure their origin, and returned cleaned proceeds to customers within roughly an hour, charging a commission of 3% to 10%.

The scale of the identity fraud infrastructure underneath the laundering service distinguishes this case from a standard crypto-mixer takedown. Authorities seized 6,000 Know Your Customer (KYC) records tied to money-mule accounts, each created using a stolen or purchased identity. Many of those identities were recruited through Russian-speaking intermediary networks that sourced participants specifically to open exchange accounts on behalf of the criminal operation. Blockchain investigator ZachXBT and threat-intelligence firm Intel 471 had each identified AudiA6 in prior reporting as a facilitator of illegal activity before the enforcement action landed.

The investigation’s turning point came in September 2025 when Polish authorities arrested a Ukrainian national linked to the platform. Forensic examination of that suspect’s devices gave investigators a roadmap to the key operators, who were subsequently located and arrested in Georgia. The U.S. Department of Justice (DOJ) named the two arrested administrators as Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25. Both individuals also administered Dark2Web, an underground forum where criminals advertised illicit services alongside the AudiA6 mixing operation.

The enforcement action yielded 25 seized domains, 80 vehicles and properties, and the blocking of the network’s Telegram accounts. Authorities froze 692,000 euros in cryptocurrency and seized an additional 86,000 euros. The 11 participating countries were coordinated through both Europol and Eurojust, the European Union’s judicial cooperation agency.

The $19M Direct-Illicit Figure Exposes AudiA6’s Layering Architecture

Ransomware laundering operations do not typically receive criminal funds in a single clean transfer. The DOJ’s accounting shows that out of approximately 10,333 bitcoin deposited into AudiA6, only about 393 bitcoin – valued at roughly $19.2 million at transaction time – arrived directly from known darknet markets. The remaining funds arrived already layered through prior transactions.

That gap between $19 million in directly traced illicit receipts and $380 million in total throughput reflects how ransomware operators and their affiliates actually process proceeds. They typically pre-layer funds through intermediate steps – smaller exchanges, peer-to-peer transactions, privacy coins – before depositing at a specialist mixer. AudiA6 was not the first stop; it was the industrial-scale finishing layer. The 6,000 mule identities made this possible because compliant exchanges require verified accounts to process withdrawals, and those fabricated KYC records provided exactly that cover. Without clean identities to receive and re-send funds, the mixing architecture breaks down regardless of how complex the transaction routing becomes.

This is the architecture that the ransom payment debate rarely addresses directly: every ransom payment that moves to cash ultimately passes through a laundering layer like AudiA6, and that layer depends on industrialized identity theft, not just cryptographic complexity.

What Security and Compliance Teams Should Take From the AudiA6 Seizure

The AudiA6 case identifies three concrete pressure points where enterprise security and compliance programs can reduce exposure and support disruption of ransomware crypto laundering at the infrastructure level.

Treat KYC mule-account recruitment as a threat signal, not just a fraud concern – The 6,000 identity records seized show that mule-account recruitment operates at scale through Russian-speaking intermediary networks. Organizations that handle identity verification – financial institutions, exchanges, HR systems – should flag anomalous patterns in account-opening velocity and identity-document clustering. The AudiA6 case shows that identity infrastructure, not transaction complexity, is the durable constraint on ransomware laundering operations.
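One way to turn the two signals named above, account-opening velocity per signup IP and clustering of identity documents or addresses across accounts, into a review queue for a KYC team. This is an added illustration, not code from the investigation or from any vendor; the event tuples, the one-hour window and the threshold of three accounts are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account-opening events (not real KYC records):
# (account id, timestamp, identity-document number, registered address, signup IP)
EVENTS = [
    ("acct-001", "2025-03-01T10:00:00", "ID-7781", "12 Elm St", "203.0.113.5"),
    ("acct-002", "2025-03-01T10:04:00", "ID-7782", "12 Elm St", "203.0.113.5"),
    ("acct-003", "2025-03-01T10:09:00", "ID-7783", "12 Elm St", "203.0.113.5"),
    ("acct-004", "2025-03-01T10:15:00", "ID-7784", "12 Elm St", "203.0.113.5"),
    ("acct-005", "2025-03-02T09:00:00", "ID-9001", "5 Oak Ave", "198.51.100.7"),
    ("acct-006", "2025-03-05T14:30:00", "ID-7781", "77 Pine Rd", "192.0.2.44"),
]

def velocity_alerts(events, window=timedelta(hours=1), limit=3):
    """Signup IPs that opened more than `limit` accounts inside any `window`, with the peak count."""
    by_ip = defaultdict(list)
    for _, ts, _, _, ip in events:
        by_ip[ip].append(datetime.fromisoformat(ts))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # sliding window over this IP's sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def document_clusters(events):
    """Accounts that share an identity-document number or a registered address."""
    by_doc, by_addr = defaultdict(set), defaultdict(set)
    for acct, _, doc, addr, _ in events:
        by_doc[doc].add(acct)
        by_addr[addr].add(acct)
    shared = lambda groups: {k: sorted(v) for k, v in groups.items() if len(v) > 1}
    return shared(by_doc), shared(by_addr)

def review_queue(events):
    """Accounts to route for manual KYC review, with every signal each one tripped."""
    fast_ips = velocity_alerts(events)
    docs, addrs = document_clusters(events)
    queue = {}
    for acct, _, doc, addr, ip in events:
        checks = (("velocity", ip, fast_ips), ("shared-document", doc, docs),
                  ("shared-address", addr, addrs))
        hits = [f"{tag}:{key}" for tag, key, seen in checks if key in seen]
        if hits:
            queue[acct] = hits
    return queue
```

In the sample, four accounts opened from one IP within fifteen minutes share one street address, and a document number reappears days later from a different IP; a single-record KYC check would pass every one of them.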

Wire blockchain-intelligence feeds into incident response before a ransom demand arrives – Intel 471 and ZachXBT identified AudiA6 as a criminal facilitator in public reporting before the enforcement action. Organizations facing a ransomware demand that would flow through a service already flagged by blockchain intelligence firms create potential compliance exposure. Pre-integrating commercial blockchain analytics into incident response playbooks – not just post-incident forensics – lets security teams assess destination risk before a payment moves.

Map dark-web forum activity as a supply-chain risk signal – Dark2Web, the forum co-administered by the AudiA6 operators, served as the distribution channel where cybercriminals sourced laundering services, mule accounts, and other criminal infrastructure. Threat-intelligence programs that monitor underground forum activity for mentions of your organization’s IP ranges or credential formats can surface the supplier-side of the ransomware economy. Tkachuk and Ledenev ran the forum and the mixer as a single integrated criminal business; defenders need visibility into both layers.

The arrest of Tkachuk and Ledenev in Georgia and the seizure of 25 domains mark one node taken out of an ecosystem that processed $380 million across three years through ransomware crypto laundering – the same ecosystem that every unresolved ransom payment feeds back into.


Holger Schulze
Holger Schulze is the founder and publisher of Cybersecurity Insiders, an independent cybersecurity media and research company. The publication centers on the security domains under the most pressure from AI: identity and phishing resistance, incident response velocity, application security, and threat intelligence tradecraft. Coverage maps the readiness gap between where CISO teams sit today and where AI-era attack speed is pushing them, and which moves close it fastest. Writing here applies Cybersecurity Insiders' Capability and Coherence Maturity Model to primary-research data and named incident analysis, evaluating security programs across the reactive, managed, and adaptive maturity tiers. Holger moderates the Information Security Community on LinkedIn, one of the largest cybersecurity professional networks. Connect at linkedin.com/in/holger-schulze.
