⚠ Charged Operators in Custody : Hero Module
The following individuals are named in the U.S. criminal complaint (Eastern District of Pennsylvania) as senior administrators of AudiA6 and the Dark2Web cybercrime forum. Both were arrested in Batumi, Georgia on June 10, 2026 and are in Georgian custody pending a U.S. extradition request. The charges are accusations; both are presumed innocent unless proven guilty.
Ruslan Igorevich Tkachuk
Age 37 : senior administrator
RoleSenior member/manager of AudiA6 laundering service and Dark2Web forum
NationalityUkrainian
Assessed locationBatumi, Georgia (arrested)
ChargesConspiracy to launder monetary instruments; sting money laundering (18 U.S.C. 1956)
VenueU.S. District Court, E.D. Pennsylvania
Max sentence20 years
Legal statusIn Georgian custody; U.S. seeking extradition
SanctionsNo OFAC/EU/UK designation (June 2026)
Charged In Custody
Alexander Vladimirovich Ledenev
Age 25 : senior administrator
RoleSenior member/manager of AudiA6 laundering service and Dark2Web forum
NationalityRussian
Assessed locationBatumi, Georgia (arrested)
ChargesConspiracy to launder monetary instruments; sting money laundering (18 U.S.C. 1956)
VenueU.S. District Court, E.D. Pennsylvania
Max sentence20 years
Legal statusIn Georgian custody; U.S. seeking extradition
SanctionsNo OFAC/EU/UK designation (June 2026)
Charged In Custody
01

Executive Summary and Exchange Overview

Total BTC Processed
10,333 BTC
~$389.7M historical value, since 2021 (DOJ / Chainalysis)
Direct Illicit Deposits
393.39 BTC
~$19.2M traced directly from illicit sources (DOJ)
Europol Laundered Estimate
EUR 336M
For ransomware gangs, 2022 to 2025 (Europol/Eurojust)
AFP Laundered Estimate
USD 542M
~AUD 826M, 2022 to 2025 (Australian Federal Police)
TRM Illicit Exposure
$79M
Traced illicit counterparty exposure; ~80% ($63M) ransomware (TRM Labs)
KYC Money-Mule Accounts
6,000+
Verified accounts using stolen/purchased IDs (Europol / Chainalysis)
Overall Assessment
AudiA6 was an industrial-scale cryptocurrency laundering service ("mixer-as-a-service") and de facto illicit exchange that operated as a primary ransomware off-ramp from 2021 until its June 10, 2026 takedown. It was tightly integrated with the Dark2Web cybercrime forum, which the same operators ran as its marketing and customer-acquisition hub. Its core mechanism was industrial identity fraud: it layered criminal deposits through more than 6,000 KYC-verified money-mule accounts at mainstream exchanges, returning "clean" funds within about an hour for a commission. Unlike Garantex or the Cryptex/UAPS cluster, AudiA6's distinguishing structural weakness is that its operators were located in Georgia, a cooperating jurisdiction, not in a Russian safe harbor: this is why the takedown reached the human capital, not just the infrastructure. As of June 2026 there is no OFAC, EU, or UK sanctions designation against AudiA6 or its operators; this was a criminal disruption, not a sanctions action. No successor brand has been identified.
Service typeCryptocurrency laundering service / mixer-as-a-service / ransomware off-ramp (de facto illicit exchange and swap desk)
Associated platformDark2Web cybercrime forum (same operators); primary advertising venue
Aliases / brandingAudiA6, Audi6, "Audi A6"; Telegram support handle @audia6_obmen
Entity registration jurisdictionNone : unregistered, unlicensed illicit service (no financial license in any jurisdiction)
Infrastructure hosting jurisdictionServers and domains in United States, Iceland, Germany, and France; additional infrastructure administered from Georgia Confirmed
Assessed operator locationBatumi, Georgia (at arrest). Operator nationalities: Ukrainian (Tkachuk) and Russian (Ledenev)
Operational periodWallets active since 2021; central laundering hub 2022 to 2025 (Europol); disrupted June 10, 2026
Commission3% to 10% per most reporting; the U.S. criminal complaint references a fee of "up to five percent" Credible (figures differ by source)
Domains seizedApproximately 25 (AudiA6 and Dark2Web, clear web and dark web)
Servers seized30+ (AFP); "dozens" of servers and domains (Chainalysis)
OFAC / EU / UK designationNone as of June 2026 Confirmed (negative evidence): criminal disruption, not a sanctions case
State nexus tierNONE (no assessed state nexus; ecosystem-level Russian-speaking links only)
StatusDisrupted (June 10, 2026); no confirmed reconstitution
Blockchain analytics coverageChainalysis and TRM Labs (entity-specific reports); Europol on-chain analysis
02

Lineage and Organizational Heritage

No Named Predecessor Exchange : A Forum-Integrated Launderer

Key Finding
AudiA6 is not documented as a corporate successor to, or predecessor of, any named earlier mixer or exchange. Its defining heritage feature is integration: the same operators ran both the laundering service (AudiA6) and a cybercrime forum (Dark2Web) that served as its marketplace and contact point. That pairing of a laundering rail with a criminal demand-aggregation forum is the structural logic to track, not a brand-succession chain. Analytically, AudiA6 sits in the same category as the OFAC-designated Cryptex / UAPS / "Taleon" payment apparatus that was seized in 2024; Chainalysis explicitly draws that comparison. This is an ecosystem analogy, not evidence of shared ownership. Credible [Chainalysis]
2021
AudiA6 wallets begin receiving deposits; blockchain analysis dates the service's launch to this year. Confirmed [DOJ, Chainalysis]
2022 to 2025
AudiA6 operates as a central money-laundering hub for ransomware gangs and cybercriminal networks; Europol estimates EUR 336M processed in this window. Incoming volume peaks in 2023. Confirmed [Europol, TRM Labs]
Dec 2022 to May 2026
U.S. federal agents conduct six undercover transactions in which AudiA6 operators solicit dirty funds and knowingly confirm criminal origin. Confirmed [TRM Labs / DOJ complaint]
Sept 2025
A Ukrainian national linked to AudiA6 is arrested in Poland; forensic examination of his devices identifies the key operators and enables the later Georgia arrests. Confirmed [Europol]
Dec 2025
TRM Labs independently identifies "Audi6" as a ransomware off-ramp, tracing ~$7M of LastPass-stolen funds from Wasabi Wallet into the service via demixing, prior to the enforcement action. Confirmed [TRM Labs]
June 2, 2026
Prosecutors in the Eastern District of Pennsylvania file a criminal complaint charging Tkachuk and Ledenev with operating AudiA6. Confirmed [TRM Labs / DOJ]
June 10 to 11, 2026
Coordinated international takedown: two arrests in Georgia, three properties searched, ~25 domains and 30+ servers seized, 80 vehicles/properties seized, EUR 692K frozen and EUR 86K seized, Telegram accounts blocked. Confirmed [Europol, Eurojust, AFP, DOJ]

Evidentiary Pillars

Confirmed Wallet clusters. Blockchain analysis attributes approximately 10,333 BTC in deposits since 2021 to AudiA6-controlled wallets, with 393.39 BTC traced directly from known darknet markets, ransomware organizations, and cybercrime services. [DOJ, Chainalysis]

Confirmed Same-operator forum integration. U.S. and EU authorities state the AudiA6 administrators also managed Dark2Web; both services were seized together. [DOJ, Europol, Chainalysis]

Confirmed Investigative origin. The September 2025 arrest in Poland of a Ukrainian national linked to AudiA6, and the forensic exploitation of his devices, provided the lead that identified the Georgia-based operators. [Europol]

Credible Shared infrastructure. Approximately 25 domains and 30+ servers were tied to AudiA6 and Dark2Web. Public releases do not link this infrastructure to other named brands; cross-brand overlaps are not documented in open sources. [Europol, AFP]

Operator Profiles

AttributeRuslan Igorevich TkachukAlexander Vladimirovich Ledenev
Aliases / handlesNot publicly disclosed; tied to AudiA6 support presence (e.g., Telegram @audia6_obmen) CredibleNot publicly disclosed
Age3725
NationalityUkrainianRussian
Assessed locationBatumi, Georgia (residing/arrested)Batumi, Georgia (residing/arrested)
RoleSenior member/manager of AudiA6 laundering service and Dark2Web forumSenior member/manager of AudiA6 laundering service and Dark2Web forum
Charges (E.D. Pa.)Conspiracy to launder monetary instruments; sting money laundering (18 U.S.C. 1956)Conspiracy to launder monetary instruments; sting money laundering (18 U.S.C. 1956)
Max sentence20 years20 years
SanctionsNo OFAC/EU/UK designation as of June 2026No OFAC/EU/UK designation as of June 2026
Legal statusIn Georgian custody; U.S. seeking extradition to E.D. Pa.In Georgian custody; U.S. seeking extradition to E.D. Pa.

Charges are accusations in a criminal complaint; both defendants are presumed innocent unless and until proven guilty. [DOJ]

Disputed / Unresolved Assessments

A third individual, the Ukrainian national arrested in Poland in September 2025, is described as "linked to AudiA6" but is not publicly named, and his exact role (operator, mule recruiter, affiliate) is not established in open sources.
No successor or predecessor exchange is named. The Cryptex/UAPS comparison is an ecosystem analogy drawn by Chainalysis, not evidence of shared ownership or infrastructure.
03

Service Model and Business Operations

Exchange Mechanics

AudiA6 accepted criminal cryptocurrency (primarily Bitcoin) from clients, layered it through a large network of accounts at mainstream exchanges, and returned obfuscated or "clean" funds, typically within about an hour. The criminal complaint quotes its advertised offer "to take your dirty crypto and give you my clean one." Confirmed [DOJ, Chainalysis]

It is best characterized as a mixer-as-a-service plus a closed-book swap/OTC layer: it took custody of user funds, performed internal and external routing, and delivered outputs on demand. Underground advertising on Dark2Web framed it as a "cryptocurrency mixer & exchange" with "best rates, large reserves." Credible Single Source (forum advert) [Dark2Web advert / blackbones]

Commission

Most law enforcement and vendor reporting (Europol, AFP, Chainalysis, BleepingComputer) states a 3% to 10% commission. The U.S. criminal complaint, however, references a fee of "up to five percent of the amount of funds being laundered." Per the volume/figure sourcing rule, both are presented rather than reconciled. Credible [DOJ; Europol; Chainalysis; AFP]

KYC / AML Posture : Stated vs Observed

DimensionStated postureObserved behavior (LE / regulator sourced)
Compliance program Marketed as a "professional cryptocurrency mixing service"; emphasized anonymity, speed, and discretion. No KYC/AML program ever claimed. No customer due diligence or transaction monitoring of its own. The service existed to defeat traceability. Confirmed
Exchange KYC handling Not applicable (it claimed no compliance obligations). Systematically abused KYC at mainstream exchanges: created/acquired 6,000+ KYC-verified money-mule accounts using stolen or purchased identities, recruited via Russian-speaking intermediaries. Confirmed
Counterparty acceptance Open solicitation of criminal clients on Dark2Web. In six undercover transactions (Dec 2022 to May 2026), operators knowingly confirmed criminal origin of funds. When an agent asked whether cocaine-sale proceeds were acceptable, the operator replied: "Everything like that needs to go through a mixer." Confirmed
Primary Analytical Finding : KYC Gap
There is no gap between stated and observed compliance because AudiA6 never claimed compliance: its product was the absence of it. The analytically significant behavior is on the demand side: AudiA6 industrialized the exploitation of other exchanges' KYC, fielding 6,000+ verified mule accounts. Per the schema's KYC rule, observed behavior here is sourced from the DOJ criminal complaint and Europol findings, not from the service's own marketing.

Fiat Rail Analysis

Confirmed AudiA6's off-ramp ran through mule-controlled accounts at mainstream centralized exchanges; those accounts cashed out to bank accounts and payment systems, indirectly leveraging global fiat rails. [Europol, Chainalysis]

Confirmed Europol published specific domains the operators used to register the fraudulent mule accounts, to help exchanges screen and block them: designli.pictures, deliverly.top, and inboxly.top. [Europol, Chainalysis]

Credible (negative) No specific bank, correspondent, or named payment-processor relationship is documented in open sources. The fiat connection is mediated entirely through the mule accounts at the (unnamed) exchanges. Granular fiat-rail mapping is an intelligence gap (Section 10). [Europol, AFP]

Licensing and Regulatory Standing

AudiA6 held no financial-services license in any jurisdiction. All law enforcement and vendor reporting describes it explicitly as a criminal money-laundering service, not a regulated exchange. Confirmed [DOJ, Europol, AFP]

04

Technical Infrastructure and Platform Footprint

Domains, Hosting, and Servers

AssetDetailSource
Domains seized~25 domains across AudiA6 and Dark2Web (clear web and dark web); individual FQDNs not enumerated in public releasesEuropol / Eurojust / AFP
Servers seized30+ servers (AFP); "dozens" of servers and domains (Chainalysis)AFP, Chainalysis
Hosting jurisdictionsUnited States, Iceland, Germany, France (servers/domains targeted); additional administration from GeorgiaDOJ
Mule-registration domainsdesignli.pictures, deliverly.top, inboxly.top (used to register fraudulent exchange accounts)Europol / Chainalysis
TelegramSupport/contact handle @audia6_obmen; network Telegram accounts blocked in the takedownForum advert / DOJ / Europol

Architecture and Wallet Management

Confirmed Cybercriminals transferred stolen cryptocurrency into unhosted wallets managed by AudiA6; the network then layered funds through thousands of fraudulent exchange accounts (6,000+ KYC-verified mules) before returning obfuscated funds to clients within an estimated one-hour window. Chainalysis labels the model "mixer-as-a-service"; Europol calls it "industrial-scale." [Chainalysis, Europol]

Confirmed The laundering was traceable despite the obfuscation: in the LastPass case, TRM identified peeling chains and post-mix clusters feeding AudiA6 deposit wallets after CoinJoin mixing through Wasabi. [TRM Labs]

Public sources do not detail node operations (e.g., whether AudiA6 ran its own full nodes), hot/cold wallet segregation, or hosting providers/CDNs behind the seized domains and servers.

Resilience After Disruption

The June 2026 operation was a first-wave disruption: arrests, domain and server seizures, Telegram blocking, and asset freezes. As of the material reviewed, no successor service publicly claims to be AudiA6 reborn. Credible [Chainalysis, TRM Labs]

05

Financial Intelligence and On-Chain Analysis

Transaction Volume : By Source and Methodology

Per the volume sourcing rule, figures from different authorities and vendors are presented separately with methodology, not averaged or collapsed. These measure different things (total throughput vs. directly-traced illicit vs. estimated laundered).

FigureScope / methodologySource
10,333 BTC (~$389.7M)Total deposits to AudiA6 wallets since 2021; value at time of transactions (blockchain analysis)DOJ / Chainalysis
393.39 BTC (~$19.2M)Funds received directly from known darknet markets, ransomware orgs, cybercrime services, and other illicit sourcesDOJ
EUR 336MEstimated criminal crypto laundered for ransomware gangs, 2022 to 2025Europol / Eurojust
USD 542M (~AUD 826M)Broader laundered total, 2022 to 2025Australian Federal Police
$79M total (~$63M ransomware, ~80%)Traced illicit counterparty exposure; remainder is sanctions exposure, cybercrime services, darknet marketsTRM Labs
$16M+Value explicitly tied to ransomware and stolen fundsChainalysis

Three-Phase On-Chain Flow

Receipt → Layering → Extraction
Receipt: Criminal proceeds enter from ransomware operators (20 distinct groups identified by TRM), darknet markets, cybercrime services and forums, and theft crews (LastPass 2022, Swissborg hack). Deposits land in unhosted wallets managed by AudiA6.
Layering: Funds are spread across service wallets and 6,000+ KYC-verified mule accounts at centralized exchanges, appearing as ordinary customer activity. In sophisticated cases (LastPass), funds are first CoinJoin-mixed via Wasabi, then routed into AudiA6; the typology is rapid bursts of inbound transfers from unhosted wallets that are immediately withdrawn or swapped.
Extraction: Mule accounts cash out to fiat via the exchanges' bank/payment rails. AudiA6 also maintained direct transactional connections to sanctioned Russian exchanges Bitzlato and Garantex as cash-out vectors. [Chainalysis, TRM Labs, Europol]

Ransomware Inflows by Group (TRM on-chain)

GroupFunds sent to AudiA6Note
ALPHV / BlackCat$9.1MLargest sender; tied to Feb 2024 Change Healthcare attack
Qilin (Agenda)$7.1MRaaS; shared affiliate infrastructure with other strains
LockBit$4.4MInfrastructure disrupted Feb 2024
Chaos / BlackSuit$3.65MConsistent sender over time
RansomHub$975.9KConsistent sender
Akira$386.2KConsistent sender
The Gentlemen$99.6KConsistent sender
Exploit, Verified (forums)Not individually quantifiedEstablished cybercrime platforms also sent funds

TRM identified 20 distinct ransomware groups sending funds to AudiA6; the seven above are those with published figures. [TRM Labs]

Volume Trajectory and Illicit Share

Confirmed AudiA6's total incoming volume peaked in 2023 and declined through 2024 and 2025. Its illicit share moved the opposite way: under 1% in 2022, rising above 6% in 2024. Declining legitimate use alongside rising criminal use is a recurring signature of a service captured by high-risk clientele. [TRM Labs]

Designated Addresses, Seizures, and Risk Ratings

Confirmed No OFAC, EU, or UK sanctions list names AudiA6 wallet addresses as of June 2026; there are no SDN-designated AudiA6 addresses. Frozen/seized in the takedown: EUR 692,000 (~$798K) in cryptocurrency frozen and EUR 86,000 (~$99K) in cryptocurrency seized. [Europol, Eurojust, AFP]

Address-level wallet cluster lists for AudiA6 are not yet public; they likely reside in proprietary TRM/Chainalysis datasets and any future sanctions packages.
06

Client Profile and Criminal Use

Crimeware Verticals by Evidence Tier

VerticalSpecific actorsEvidence tierSource
Ransomware20 groups incl. ALPHV/BlackCat, Qilin, LockBit, Chaos/BlackSuit, RansomHub, Akira, The GentlemenConfirmedTRM, Chainalysis, Europol, DOJ
Darknet marketsUnnamed DNMs (part of the 393.39 BTC direct illicit inflow)ConfirmedDOJ, Chainalysis
Crypto theft / data theftLastPass 2022 breach proceeds (~$7M via Wasabi); Swissborg hackConfirmed (LastPass) / Credible (Swissborg)TRM Labs
Cybercrime forums / servicesDark2Web (integrated); Exploit, Verified sent funds; Exploit.in escrow exposureConfirmedChainalysis, TRM
Drug-proceeds launderingCocaine-sale proceeds (undercover solicitation)CredibleDOJ complaint / TRM

High-Profile Criminal Flows

Confirmed LastPass 2022 breach. TRM traced approximately $7M of a September 2025 wave of LastPass-stolen funds from Wasabi Wallet into AudiA6 using cluster-level demixing, timing/amount alignment, and post-mix wallet intelligence, identifying AudiA6 as a ransomware off-ramp before the enforcement action. [TRM Labs]

Confirmed Ransomware concentration. About 80% of AudiA6's traced illicit counterparty exposure ($63M of $79M) ties directly to ransomware. ALPHV/BlackCat alone sent $9.1M; the group's February 2024 Change Healthcare attack drew a reported $22M ransom. [TRM Labs]

Credible Australian ransomware victim. The AFP states AudiA6 laundered part of a ransom paid by an Australian business in 2024. [AFP]

Credible Swissborg hack. TRM lists the Swissborg hack among the 15+ international investigations connected to AudiA6. Single Source [TRM Labs]

Geographic Patterns

Operations centered on Georgia (operators arrested there); operator nationalities are Ukrainian and Russian. Money-mule recruitment ran through Russian-speaking intermediaries. Victims are globally distributed, with confirmed cases in the United States (Change Healthcare via BlackCat), Australia (2024 ransom), and the worldwide LastPass victim set. Confirmed [Europol, AFP, TRM Labs]

07

State Nexus Assessment

Assessed Tier : NONE
The assessed nexus is NONE. AudiA6 was not state-run, state-tasked, or state-protected. Its operators were based in Georgia, a cooperating jurisdiction whose authorities arrested them and supported the takedown. The Russian connection is ecosystem-level only: one Russian-national operator, Russian-speaking mule recruiters, and on-chain exposure to sanctioned Russian exchanges (Bitzlato, Garantex). That is materially different from the Garantex (probable cooperation) and Cryptex/UAPS (tolerated safe harbor) cases, where operators sat in Russia beyond reach. Here the host state cooperated, which is the central reason the operators, not just the infrastructure, were captured.

Three-Jurisdiction Separation

Jurisdiction typeFindingConfidence
Entity registrationNone : unregistered, unlicensed illicit serviceConfirmed
Infrastructure hostingUnited States, Iceland, Germany, France (servers/domains); administration from GeorgiaConfirmed
Assessed operator locationBatumi, Georgia (Ukrainian and Russian nationals)Confirmed

Negative Evidence

If a higher tier (tolerated safe harbor, probable cooperation, or direct control) applied, one would expect indicators such as: operators sheltering in a non-cooperating jurisdiction, documented state tasking or protection, selective targeting of state adversaries, or integration into a state sanctions-evasion program. None of these is present. The opposite is documented: Georgian authorities arrested the operators, and 11 countries cooperated. The on-chain exposure to Bitzlato and Garantex reflects shared criminal-market plumbing, not state direction. Analyst Inference

No evidence of FSB, Rosfinmonitoring, or any state organ directing, tasking, or protecting AudiA6 appears in open sources. The "None" assessment rests on affirmative cooperation by the host state plus the absence of any state-direction indicator.
08

Law Enforcement and Regulatory Response

June 10 to 11, 2026 Coordinated Action

InstrumentAuthority / agencyEffect
Criminal complaintUSAO E.D. Pennsylvania (filed June 2, 2026)Tkachuk and Ledenev charged: conspiracy to launder monetary instruments + sting money laundering (18 U.S.C. 1956); max 20 years each
ArrestsGeorgian authorities (with international partners)Two senior administrators arrested in Batumi, Georgia; held pending extradition
Infrastructure seizuresMultinational (servers/domains in US, Iceland, Germany, France)~25 domains and 30+ servers seized; AudiA6 and Dark2Web replaced with seizure banner; Telegram accounts blocked
Asset actionEuropol / Eurojust / AFPEUR 692K (~$798K) crypto frozen; EUR 86K (~$99K) crypto seized; 80 vehicles and properties seized; 3 properties searched
U.S. investigationU.S. Secret Service (Cyber Investigative Section; Frankfurt and Oklahoma City) + IRS-CIBlockchain and financial-records analysis underpinning the complaint
CoordinationEuropol, Eurojust; 11 countries (Australia, Canada, France, Georgia, Germany, Iceland, Japan, Poland, Switzerland, UK, US); DOJ OIA and ICHIP/OPDATParallel investigations and joint action day

Charge Detail and Prosecution

Confirmed The complaint alleges both defendants are senior members managing both AudiA6 and Dark2Web, and references a Dark2Web advertisement offering to conceal the criminal source of customers' cryptocurrency for a fee. Prosecuted by AUSAs Benjamin D. Traster and Sima Kazmir and SAUSA Richard Lorenz; announced by U.S. Attorney David Metcalf. The Southern District of Ohio provided significant assistance. [DOJ]

Investigative Origin

Confirmed Europol attributes the breakthrough to the September 2025 arrest in Poland of a Ukrainian national linked to AudiA6; forensic examination of his devices identified the key operators and led to their location and arrest in Georgia. Prior public exposure of AudiA6 came from Intel471 and investigator ZachXBT. [Europol, BleepingComputer]

Sanctions and Regulatory Status

Confirmed (negative) As of June 2026 there is no OFAC SDN, EU Official Journal, or UK FCDO designation naming AudiA6 or its operators, and no FinCEN advisory or Section 311 action. This was a criminal disruption, not a sanctions case, which distinguishes it from the Garantex and Cryptex/PM2BTC actions. [OFAC recent actions; absence in EU/UK lists]

Post-Disruption / Post-Sanction Reconstitution

Reconstitution Assessment
No confirmed reconstitution as of June 2026. No successor service publicly claims to be AudiA6 reborn, and no new brand or domain cluster has been credibly linked as a direct successor. Credible

Operator capacity is degraded, not just displaced. Because the two named operators are in custody in a cooperating jurisdiction (not at large in a safe harbor), this disruption reached the human capital. The residual risk is client migration: TRM frames the takedown as creating "new disruption opportunities" and expects displaced volume to redistribute toward other high-risk off-ramps and, increasingly, cross-chain bridges (which overtook mixers as the primary ransomware obfuscation layer in 2024). Analyst Inference
09

Connected Entities and Ecosystem Relationships

Two-tier model applied to every entry. Tier 1 : Transaction confidence: how confident are we that funds transited AudiA6 from/to the entity? Tier 2 : Facilitation assessment: a categorical characterization of AudiA6's role (Active facilitation / Structural enablement / Incidental processing). These are independent assessments and are never collapsed. Single-vendor claims are flagged [SINGLE SOURCE].

Entity Relationship type Tier 1: Transaction confidence Tier 2: Facilitation assessment Corroborating / disagreeing / not-published vendors
Ransomware groups (ALPHV/BlackCat, Qilin, LockBit, +17 others) Customers / off-ramp CONFIRMED
TRM wallet-level: BlackCat $9.1M, Qilin $7.1M, LockBit $4.4M; Europol/DOJ confirm ransomware off-ramp role.
Active facilitation
Marketed to ransomware actors; rapid-turnaround mule infrastructure built to serve them; undercover solicitation documented.
Corroborating: TRM, Chainalysis, Europol, DOJ. No vendor disagreement located.
Dark2Web forum Same-operator platform integration CONFIRMED
DOJ/Europol/Chainalysis: AudiA6 administrators also managed Dark2Web; both seized together.
Structural enablement
Served as the marketplace and customer-acquisition hub embedding the laundering service in the wider ecosystem.
Corroborating: DOJ, Europol, Eurojust, Chainalysis.
Exploit.in / Verified (cybercrime forums) Counterparties and escrow exposure CONFIRMED
Chainalysis: Dark2Web had heavy financial exposure to Exploit.in escrow. TRM: Exploit and Verified sent funds to AudiA6.
Structural enablement
Interlocking marketplaces routing criminal demand and proceeds to AudiA6.
Corroborating: Chainalysis, TRM. Two-vendor.
Garantex (OFAC/EU-sanctioned exchange) Downstream cash-out / peer infrastructure CONFIRMED
Chainalysis Reactor: AudiA6 maintained direct transactional connections to Garantex.
Structural enablement
Value routed to another sanctioned, low-KYC venue rather than evidence of a joint operation.
Corroborating: Chainalysis. Single Source for AudiA6-specific link; TRM/Elliptic not published on this pairing.
Bitzlato (sanctioned/disrupted exchange) Downstream cash-out / peer infrastructure CREDIBLE
Chainalysis: AudiA6 deeply intertwined with sanctioned Russian exchanges including Bitzlato.
Structural enablement
Cash-out vector within the same Eastern European cybercrime plumbing.
Corroborating: Chainalysis. Single Source; not separately quantified.
LastPass theft crew (Russian-cybercriminal-assessed) Stolen-funds depositor CONFIRMED
TRM demixing: ~$7M of LastPass-stolen funds traced Wasabi to AudiA6 (cluster-level demixing, timing/amount alignment).
Incidental processing / Structural enablement
AudiA6 received post-mix funds as a second-layer launderer; no evidence of bespoke coordination with the thieves.
Corroborating: TRM. Single Source (proprietary demixing).
Wasabi Wallet (CoinJoin mixer) Upstream mixer in shared laundering chains CONFIRMED
TRM: Wasabi was the first-layer mixer ahead of AudiA6 in the LastPass flow.
Incidental processing
General-purpose mixer used upstream; no evidence of coordination between Wasabi operators and AudiA6.
Corroborating: TRM. Single Source for the AudiA6 linkage.
Swissborg hack (theft incident) Stolen-funds source CREDIBLE
TRM lists Swissborg among 15+ investigations linked to AudiA6; flow not quantified publicly.
Incidental processing
Theft proceeds among the laundered inflows; role characterization pending detail.
Corroborating: TRM. Single Source.
Mainstream centralized exchanges (unnamed) Mule-account fiat off-ramp CONFIRMED
Europol/Chainalysis: 6,000+ KYC-verified mule accounts at mainstream exchanges used to layer and cash out.
Incidental processing
The exchanges were exploited via identity fraud, not knowing participants; specific platforms not named.
Corroborating: Europol, Chainalysis. Specific exchanges not enumerated (gap).
10

Trajectory Assessment

Market Position and Volume Trends

Confirmed Pre-takedown, AudiA6 was one of a small number of off-ramps that absorb most ransomware proceeds. TRM data shows the top five services capture 42% to 57% of ransomware off-ramp volume annually (rebounding to 51% in 2025), and AudiA6 was a high-risk node within that concentration: about 80% of its traced illicit exposure was ransomware. Its incoming volume peaked in 2023 and declined thereafter, while its illicit share rose from under 1% (2022) to over 6% (2024). [TRM Labs]

Disruption Impact

Structural Assessment
This was a high-impact disruption that, unusually, reached both the infrastructure and the operators. Domains, servers, vehicles, properties, and crypto were seized, and the two named administrators are in custody in a cooperating jurisdiction. The key structural difference from Garantex and Cryptex/PM2BTC is jurisdiction of the operators: because Tkachuk and Ledenev were in Georgia rather than Russia, the action degraded the human capital, not just the public-facing rails. The principal residual risk is therefore client migration to other services, not operator-led reconstitution of this specific brand.

Reconstitution Status

AudiA6 brand: No confirmed reconstitution. Infrastructure seized; no successor identified. Credible

Operator network: Degraded. Two senior administrators in custody pending extradition; one earlier Poland arrest. The unnamed Poland-arrested figure and any remaining affiliates are an open question. Confirmed

Ecosystem effect: Displacement expected. Displaced volume likely shifts to remaining high-risk off-ramps and cross-chain bridges. Analyst Inference [TRM Labs]

Intelligence Gaps

The ~25 seized domains and 30+ servers are not mapped to specific hosting providers or CDNs in public releases, limiting detection of any successor infrastructure.
No public enumeration of which mainstream exchanges' KYC systems were exploited via the 6,000+ mule accounts.
Address-level AudiA6 wallet cluster lists are not public; only aggregate figures and select flows have been released.
The identity and role of the Ukrainian national arrested in Poland (Sept 2025) are not public.
Whether any OFAC/EU/UK sanctions follow the criminal action is unknown as of June 2026.
The commission rate is reported inconsistently (3% to 10% vs. the complaint's "up to five percent"); the true fee schedule is not resolved.

Recent Reporting

[June 11, 2026] DOJ (E.D. Pa.) announces charges against Tkachuk and Ledenev; Chainalysis and TRM Labs publish entity-specific on-chain analyses; Europol, Eurojust, and the AFP issue takedown statements. [DOJ, Chainalysis, TRM, Europol, Eurojust, AFP]

[June 10, 2026] Coordinated international action: two arrests in Georgia, ~25 domains and 30+ servers seized, 80 vehicles/properties seized, EUR 692K frozen and EUR 86K seized, Telegram blocked. [Europol, AFP, BleepingComputer]

[June 2, 2026] EDPA criminal complaint filed charging the two operators under 18 U.S.C. 1956. [TRM Labs / DOJ]

[Dec 2025] TRM Labs independently identifies AudiA6 as a ransomware off-ramp, tracing ~$7M of LastPass-stolen funds from Wasabi into the service via demixing. [TRM Labs]

[Sept 2025] Polish authorities arrest a Ukrainian national linked to AudiA6; device forensics enable the later Georgia arrests. [Europol]

Sources

  1. U.S. DOJ, E.D. Pennsylvania: Two Charged in Connection With Cryptocurrency Money Laundering Service That Allegedly Laundered Over $389 Million : June 11, 2026
  2. Europol: Ransomware gangs cut off from EUR 336 million 'AudiA6' crypto laundering pipeline : June 2026
  3. Eurojust: Cryptocurrency money laundering site shut down thanks to coordinated investigation : June 2026
  4. Australian Federal Police: AFP assists Europol disruption of $542 million money laundering operation : June 2026
  5. Chainalysis: Global Law Enforcement Dismantles 'AudiA6' Crypto Laundering Network Linked to Ransomware Gangs : June 11, 2026
  6. TRM Labs: International Operation Dismantles EUR 336 Million Ransomware Laundering Pipeline AudiA6 : June 12, 2026
  7. TRM Labs: TRM Traces Stolen Crypto from 2022 LastPass Breach : December 24, 2025
  8. BleepingComputer: Authorities dismantle 'AudiA6' ransomware crypto-laundering service : June 11, 2026
  9. Help Net Security: Authorities dismantle crypto laundering service that moved EUR 336 million for cybercriminals : June 12, 2026
  10. The Hacker News: Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs : June 2026
  11. The Block: DOJ charges two in $389 million AudiA6 crypto laundering case : June 2026
  12. TRM Labs: New Disruption Opportunities in the Evolving Ransomware Ecosystem : April 8, 2026
  13. OFAC: Recent Actions (checked for AudiA6/operator designations : none located as of June 2026)
  14. Dark2Web/underground advert (verified thread): "AudiA6: Cryptocurrency Mixer & Exchange" (marketing copy : single source)

Profile produced using open-source intelligence. Confidence labels applied per schema: CONFIRMED (multiple independent sources), CREDIBLE (single strong source or multiple weaker sources), ANALYST INFERENCE (logical extrapolation from confirmed facts). All volume figures cited with source and methodology; figures from different vendors and authorities are not averaged. Two-tier connected entity model applied throughout Section 09 (Tier 1 transaction confidence + Tier 2 facilitation assessment). Status: Disrupted (June 10, 2026); no sanctions designation as of June 2026.