Global Law Enforcement Dismantles Massive $390M Cryptocurrency Laundering Operation
Before being dismantled by international authorities, the AudiA6 cryptocurrency laundering operation processed more than $390 million for ransomware criminals through approximately 6,000 fraudulent KYC accounts.
A coordinated law enforcement effort spanning 11 nations has successfully dismantled AudiA6, a sophisticated money laundering network that facilitated the processing of more than 336 million euros ($390 million) in criminal proceeds during the period from 2022 through 2025.
Authorities announced on Wednesday that they had apprehended two individuals who served as administrators of the operation, both holding Russian and Ukrainian citizenship, during raids conducted in Georgia. The operation also resulted in the confiscation of 25 internet domains, over 30 computer servers, 80 motor vehicles, and the freezing of approximately $900,000 worth of digital currency, according to a statement released Thursday by the European Union Agency for Criminal Justice Coordination (Eurojust).
Operating as a "mixer-as-a-service" platform, AudiA6 provided cybercriminals conducting ransomware operations with a means to convert stolen cryptocurrency and obscure the trail of illegal funds from law enforcement agencies by offering to "launder" digital currency in approximately one hour in exchange for fees ranging from 3% to 10% of the transaction value.
Beginning in 2021, wallets associated with AudiA6 accumulated roughly 10,333 BTC, which represented a value of approximately $389 million based on the exchange rates at the times when the individual transactions took place, according to data provided by Chainalysis.
The criminal organization operating behind this service has also allegedly been running an independent marketplace platform called "Dark2Web", which serves as a venue for promoting illegal services and facilitating connections between cybercriminals across the globe, Eurojust's statement indicated.
Law enforcement agencies from the United States, Australia, France, Poland, Georgia, Iceland, Canada, Germany, Japan, Switzerland and the United Kingdom participated in the investigation, with coordination provided by Eurojust and Europol.
Fake KYC accounts used in scheme
Thousands of bogus accounts created with stolen or acquired identities enabled the cryptocurrency laundering network to operate.
Investigators uncovered more than 6,000 Know Your Customer (KYC) documents associated with "money mule accounts" throughout the course of the investigation, according to Eurojust's announcement.
A substantial number of these accounts had ties to intermediaries from Russian-speaking regions who were specifically enlisted to facilitate the transfer of criminal funds through cryptocurrency exchange platforms, the agency further noted.
According to the Australian Federal Police, which participated in the investigative operation, AudiA6 also allegedly processed a portion of ransom money paid by an Australian company in 2024 after falling victim to a ransomware extortion scheme.
Law enforcement seizure notices now appear on both the surface web and dark web iterations of the AudiA6 and Dark2Web domain names.
Ransomware consolidates around a few operators
During the first quarter of 2026, ransomware incidents were documented across 97 nations, though the geographical spread of attacks shows increasing centralization, with the United States representing 64.7% of all documented victims, based on research from Emsisoft.
According to a report issued in May by Check Point Research, "The ransomware ecosystem is once again consolidating around fewer, more dominant operators," with the ten most active ransomware organizations responsible for 71% of all victims recorded during Q1 2026.