Executive Summary and Exchange Overview
| Service type | Cryptocurrency laundering service / mixer-as-a-service / ransomware off-ramp (de facto illicit exchange and swap desk) |
| Associated platform | Dark2Web cybercrime forum (same operators); primary advertising venue |
| Aliases / branding | AudiA6, Audi6, "Audi A6"; Telegram support handle @audia6_obmen |
| Entity registration jurisdiction | None : unregistered, unlicensed illicit service (no financial license in any jurisdiction) |
| Infrastructure hosting jurisdiction | Servers and domains in United States, Iceland, Germany, and France; additional infrastructure administered from Georgia Confirmed |
| Assessed operator location | Batumi, Georgia (at arrest). Operator nationalities: Ukrainian (Tkachuk) and Russian (Ledenev) |
| Operational period | Wallets active since 2021; central laundering hub 2022 to 2025 (Europol); disrupted June 10, 2026 |
| Commission | 3% to 10% per most reporting; the U.S. criminal complaint references a fee of "up to five percent" Credible (figures differ by source) |
| Domains seized | Approximately 25 (AudiA6 and Dark2Web, clear web and dark web) |
| Servers seized | 30+ (AFP); "dozens" of servers and domains (Chainalysis) |
| OFAC / EU / UK designation | None as of June 2026 Confirmed (negative evidence): criminal disruption, not a sanctions case |
| State nexus tier | NONE (no assessed state nexus; ecosystem-level Russian-speaking links only) |
| Status | Disrupted (June 10, 2026); no confirmed reconstitution |
| Blockchain analytics coverage | Chainalysis and TRM Labs (entity-specific reports); Europol on-chain analysis |
Lineage and Organizational Heritage
No Named Predecessor Exchange : A Forum-Integrated Launderer
Evidentiary Pillars
Confirmed Wallet clusters. Blockchain analysis attributes approximately 10,333 BTC in deposits since 2021 to AudiA6-controlled wallets, with 393.39 BTC traced directly from known darknet markets, ransomware organizations, and cybercrime services. [DOJ, Chainalysis]
Confirmed Same-operator forum integration. U.S. and EU authorities state the AudiA6 administrators also managed Dark2Web; both services were seized together. [DOJ, Europol, Chainalysis]
Confirmed Investigative origin. The September 2025 arrest in Poland of a Ukrainian national linked to AudiA6, and the forensic exploitation of his devices, provided the lead that identified the Georgia-based operators. [Europol]
Credible Shared infrastructure. Approximately 25 domains and 30+ servers were tied to AudiA6 and Dark2Web. Public releases do not link this infrastructure to other named brands; cross-brand overlaps are not documented in open sources. [Europol, AFP]
Operator Profiles
| Attribute | Ruslan Igorevich Tkachuk | Alexander Vladimirovich Ledenev |
|---|---|---|
| Aliases / handles | Not publicly disclosed; tied to AudiA6 support presence (e.g., Telegram @audia6_obmen) Credible | Not publicly disclosed |
| Age | 37 | 25 |
| Nationality | Ukrainian | Russian |
| Assessed location | Batumi, Georgia (residing/arrested) | Batumi, Georgia (residing/arrested) |
| Role | Senior member/manager of AudiA6 laundering service and Dark2Web forum | Senior member/manager of AudiA6 laundering service and Dark2Web forum |
| Charges (E.D. Pa.) | Conspiracy to launder monetary instruments; sting money laundering (18 U.S.C. 1956) | Conspiracy to launder monetary instruments; sting money laundering (18 U.S.C. 1956) |
| Max sentence | 20 years | 20 years |
| Sanctions | No OFAC/EU/UK designation as of June 2026 | No OFAC/EU/UK designation as of June 2026 |
| Legal status | In Georgian custody; U.S. seeking extradition to E.D. Pa. | In Georgian custody; U.S. seeking extradition to E.D. Pa. |
Charges are accusations in a criminal complaint; both defendants are presumed innocent unless and until proven guilty. [DOJ]
Disputed / Unresolved Assessments
Service Model and Business Operations
Exchange Mechanics
AudiA6 accepted criminal cryptocurrency (primarily Bitcoin) from clients, layered it through a large network of accounts at mainstream exchanges, and returned obfuscated or "clean" funds, typically within about an hour. The criminal complaint quotes its advertised offer "to take your dirty crypto and give you my clean one." Confirmed [DOJ, Chainalysis]
It is best characterized as a mixer-as-a-service plus a closed-book swap/OTC layer: it took custody of user funds, performed internal and external routing, and delivered outputs on demand. Underground advertising on Dark2Web framed it as a "cryptocurrency mixer & exchange" with "best rates, large reserves." Credible Single Source (forum advert) [Dark2Web advert / blackbones]
Commission
Most law enforcement and vendor reporting (Europol, AFP, Chainalysis, BleepingComputer) states a 3% to 10% commission. The U.S. criminal complaint, however, references a fee of "up to five percent of the amount of funds being laundered." Per the volume/figure sourcing rule, both are presented rather than reconciled. Credible [DOJ; Europol; Chainalysis; AFP]
KYC / AML Posture : Stated vs Observed
| Dimension | Stated posture | Observed behavior (LE / regulator sourced) |
|---|---|---|
| Compliance program | Marketed as a "professional cryptocurrency mixing service"; emphasized anonymity, speed, and discretion. No KYC/AML program ever claimed. | No customer due diligence or transaction monitoring of its own. The service existed to defeat traceability. Confirmed |
| Exchange KYC handling | Not applicable (it claimed no compliance obligations). | Systematically abused KYC at mainstream exchanges: created/acquired 6,000+ KYC-verified money-mule accounts using stolen or purchased identities, recruited via Russian-speaking intermediaries. Confirmed |
| Counterparty acceptance | Open solicitation of criminal clients on Dark2Web. | In six undercover transactions (Dec 2022 to May 2026), operators knowingly confirmed criminal origin of funds. When an agent asked whether cocaine-sale proceeds were acceptable, the operator replied: "Everything like that needs to go through a mixer." Confirmed |
Fiat Rail Analysis
Confirmed AudiA6's off-ramp ran through mule-controlled accounts at mainstream centralized exchanges; those accounts cashed out to bank accounts and payment systems, indirectly leveraging global fiat rails. [Europol, Chainalysis]
Confirmed Europol published specific domains the operators used to register the fraudulent mule accounts, to help exchanges screen and block them: designli.pictures, deliverly.top, and inboxly.top. [Europol, Chainalysis]
Credible (negative) No specific bank, correspondent, or named payment-processor relationship is documented in open sources. The fiat connection is mediated entirely through the mule accounts at the (unnamed) exchanges. Granular fiat-rail mapping is an intelligence gap (Section 10). [Europol, AFP]
Licensing and Regulatory Standing
AudiA6 held no financial-services license in any jurisdiction. All law enforcement and vendor reporting describes it explicitly as a criminal money-laundering service, not a regulated exchange. Confirmed [DOJ, Europol, AFP]
Technical Infrastructure and Platform Footprint
Domains, Hosting, and Servers
| Asset | Detail | Source |
|---|---|---|
| Domains seized | ~25 domains across AudiA6 and Dark2Web (clear web and dark web); individual FQDNs not enumerated in public releases | Europol / Eurojust / AFP |
| Servers seized | 30+ servers (AFP); "dozens" of servers and domains (Chainalysis) | AFP, Chainalysis |
| Hosting jurisdictions | United States, Iceland, Germany, France (servers/domains targeted); additional administration from Georgia | DOJ |
| Mule-registration domains | designli.pictures, deliverly.top, inboxly.top (used to register fraudulent exchange accounts) | Europol / Chainalysis |
| Telegram | Support/contact handle @audia6_obmen; network Telegram accounts blocked in the takedown | Forum advert / DOJ / Europol |
Architecture and Wallet Management
Confirmed Cybercriminals transferred stolen cryptocurrency into unhosted wallets managed by AudiA6; the network then layered funds through thousands of fraudulent exchange accounts (6,000+ KYC-verified mules) before returning obfuscated funds to clients within an estimated one-hour window. Chainalysis labels the model "mixer-as-a-service"; Europol calls it "industrial-scale." [Chainalysis, Europol]
Confirmed The laundering was traceable despite the obfuscation: in the LastPass case, TRM identified peeling chains and post-mix clusters feeding AudiA6 deposit wallets after CoinJoin mixing through Wasabi. [TRM Labs]
Resilience After Disruption
The June 2026 operation was a first-wave disruption: arrests, domain and server seizures, Telegram blocking, and asset freezes. As of the material reviewed, no successor service publicly claims to be AudiA6 reborn. Credible [Chainalysis, TRM Labs]
Financial Intelligence and On-Chain Analysis
Transaction Volume : By Source and Methodology
Per the volume sourcing rule, figures from different authorities and vendors are presented separately with methodology, not averaged or collapsed. These measure different things (total throughput vs. directly-traced illicit vs. estimated laundered).
| Figure | Scope / methodology | Source |
|---|---|---|
| 10,333 BTC (~$389.7M) | Total deposits to AudiA6 wallets since 2021; value at time of transactions (blockchain analysis) | DOJ / Chainalysis |
| 393.39 BTC (~$19.2M) | Funds received directly from known darknet markets, ransomware orgs, cybercrime services, and other illicit sources | DOJ |
| EUR 336M | Estimated criminal crypto laundered for ransomware gangs, 2022 to 2025 | Europol / Eurojust |
| USD 542M (~AUD 826M) | Broader laundered total, 2022 to 2025 | Australian Federal Police |
| $79M total (~$63M ransomware, ~80%) | Traced illicit counterparty exposure; remainder is sanctions exposure, cybercrime services, darknet markets | TRM Labs |
| $16M+ | Value explicitly tied to ransomware and stolen funds | Chainalysis |
Three-Phase On-Chain Flow
Layering: Funds are spread across service wallets and 6,000+ KYC-verified mule accounts at centralized exchanges, appearing as ordinary customer activity. In sophisticated cases (LastPass), funds are first CoinJoin-mixed via Wasabi, then routed into AudiA6; the typology is rapid bursts of inbound transfers from unhosted wallets that are immediately withdrawn or swapped.
Extraction: Mule accounts cash out to fiat via the exchanges' bank/payment rails. AudiA6 also maintained direct transactional connections to sanctioned Russian exchanges Bitzlato and Garantex as cash-out vectors. [Chainalysis, TRM Labs, Europol]
Ransomware Inflows by Group (TRM on-chain)
| Group | Funds sent to AudiA6 | Note |
|---|---|---|
| ALPHV / BlackCat | $9.1M | Largest sender; tied to Feb 2024 Change Healthcare attack |
| Qilin (Agenda) | $7.1M | RaaS; shared affiliate infrastructure with other strains |
| LockBit | $4.4M | Infrastructure disrupted Feb 2024 |
| Chaos / BlackSuit | $3.65M | Consistent sender over time |
| RansomHub | $975.9K | Consistent sender |
| Akira | $386.2K | Consistent sender |
| The Gentlemen | $99.6K | Consistent sender |
| Exploit, Verified (forums) | Not individually quantified | Established cybercrime platforms also sent funds |
TRM identified 20 distinct ransomware groups sending funds to AudiA6; the seven above are those with published figures. [TRM Labs]
Volume Trajectory and Illicit Share
Confirmed AudiA6's total incoming volume peaked in 2023 and declined through 2024 and 2025. Its illicit share moved the opposite way: under 1% in 2022, rising above 6% in 2024. Declining legitimate use alongside rising criminal use is a recurring signature of a service captured by high-risk clientele. [TRM Labs]
Designated Addresses, Seizures, and Risk Ratings
Confirmed No OFAC, EU, or UK sanctions list names AudiA6 wallet addresses as of June 2026; there are no SDN-designated AudiA6 addresses. Frozen/seized in the takedown: EUR 692,000 (~$798K) in cryptocurrency frozen and EUR 86,000 (~$99K) in cryptocurrency seized. [Europol, Eurojust, AFP]
Client Profile and Criminal Use
Crimeware Verticals by Evidence Tier
| Vertical | Specific actors | Evidence tier | Source |
|---|---|---|---|
| Ransomware | 20 groups incl. ALPHV/BlackCat, Qilin, LockBit, Chaos/BlackSuit, RansomHub, Akira, The Gentlemen | Confirmed | TRM, Chainalysis, Europol, DOJ |
| Darknet markets | Unnamed DNMs (part of the 393.39 BTC direct illicit inflow) | Confirmed | DOJ, Chainalysis |
| Crypto theft / data theft | LastPass 2022 breach proceeds (~$7M via Wasabi); Swissborg hack | Confirmed (LastPass) / Credible (Swissborg) | TRM Labs |
| Cybercrime forums / services | Dark2Web (integrated); Exploit, Verified sent funds; Exploit.in escrow exposure | Confirmed | Chainalysis, TRM |
| Drug-proceeds laundering | Cocaine-sale proceeds (undercover solicitation) | Credible | DOJ complaint / TRM |
High-Profile Criminal Flows
Confirmed LastPass 2022 breach. TRM traced approximately $7M of a September 2025 wave of LastPass-stolen funds from Wasabi Wallet into AudiA6 using cluster-level demixing, timing/amount alignment, and post-mix wallet intelligence, identifying AudiA6 as a ransomware off-ramp before the enforcement action. [TRM Labs]
Confirmed Ransomware concentration. About 80% of AudiA6's traced illicit counterparty exposure ($63M of $79M) ties directly to ransomware. ALPHV/BlackCat alone sent $9.1M; the group's February 2024 Change Healthcare attack drew a reported $22M ransom. [TRM Labs]
Credible Australian ransomware victim. The AFP states AudiA6 laundered part of a ransom paid by an Australian business in 2024. [AFP]
Credible Swissborg hack. TRM lists the Swissborg hack among the 15+ international investigations connected to AudiA6. Single Source [TRM Labs]
Geographic Patterns
Operations centered on Georgia (operators arrested there); operator nationalities are Ukrainian and Russian. Money-mule recruitment ran through Russian-speaking intermediaries. Victims are globally distributed, with confirmed cases in the United States (Change Healthcare via BlackCat), Australia (2024 ransom), and the worldwide LastPass victim set. Confirmed [Europol, AFP, TRM Labs]
State Nexus Assessment
Three-Jurisdiction Separation
| Jurisdiction type | Finding | Confidence |
|---|---|---|
| Entity registration | None : unregistered, unlicensed illicit service | Confirmed |
| Infrastructure hosting | United States, Iceland, Germany, France (servers/domains); administration from Georgia | Confirmed |
| Assessed operator location | Batumi, Georgia (Ukrainian and Russian nationals) | Confirmed |
Negative Evidence
If a higher tier (tolerated safe harbor, probable cooperation, or direct control) applied, one would expect indicators such as: operators sheltering in a non-cooperating jurisdiction, documented state tasking or protection, selective targeting of state adversaries, or integration into a state sanctions-evasion program. None of these is present. The opposite is documented: Georgian authorities arrested the operators, and 11 countries cooperated. The on-chain exposure to Bitzlato and Garantex reflects shared criminal-market plumbing, not state direction. Analyst Inference
Law Enforcement and Regulatory Response
June 10 to 11, 2026 Coordinated Action
| Instrument | Authority / agency | Effect |
|---|---|---|
| Criminal complaint | USAO E.D. Pennsylvania (filed June 2, 2026) | Tkachuk and Ledenev charged: conspiracy to launder monetary instruments + sting money laundering (18 U.S.C. 1956); max 20 years each |
| Arrests | Georgian authorities (with international partners) | Two senior administrators arrested in Batumi, Georgia; held pending extradition |
| Infrastructure seizures | Multinational (servers/domains in US, Iceland, Germany, France) | ~25 domains and 30+ servers seized; AudiA6 and Dark2Web replaced with seizure banner; Telegram accounts blocked |
| Asset action | Europol / Eurojust / AFP | EUR 692K (~$798K) crypto frozen; EUR 86K (~$99K) crypto seized; 80 vehicles and properties seized; 3 properties searched |
| U.S. investigation | U.S. Secret Service (Cyber Investigative Section; Frankfurt and Oklahoma City) + IRS-CI | Blockchain and financial-records analysis underpinning the complaint |
| Coordination | Europol, Eurojust; 11 countries (Australia, Canada, France, Georgia, Germany, Iceland, Japan, Poland, Switzerland, UK, US); DOJ OIA and ICHIP/OPDAT | Parallel investigations and joint action day |
Charge Detail and Prosecution
Confirmed The complaint alleges both defendants are senior members managing both AudiA6 and Dark2Web, and references a Dark2Web advertisement offering to conceal the criminal source of customers' cryptocurrency for a fee. Prosecuted by AUSAs Benjamin D. Traster and Sima Kazmir and SAUSA Richard Lorenz; announced by U.S. Attorney David Metcalf. The Southern District of Ohio provided significant assistance. [DOJ]
Investigative Origin
Confirmed Europol attributes the breakthrough to the September 2025 arrest in Poland of a Ukrainian national linked to AudiA6; forensic examination of his devices identified the key operators and led to their location and arrest in Georgia. Prior public exposure of AudiA6 came from Intel471 and investigator ZachXBT. [Europol, BleepingComputer]
Sanctions and Regulatory Status
Confirmed (negative) As of June 2026 there is no OFAC SDN, EU Official Journal, or UK FCDO designation naming AudiA6 or its operators, and no FinCEN advisory or Section 311 action. This was a criminal disruption, not a sanctions case, which distinguishes it from the Garantex and Cryptex/PM2BTC actions. [OFAC recent actions; absence in EU/UK lists]
Post-Disruption / Post-Sanction Reconstitution
Operator capacity is degraded, not just displaced. Because the two named operators are in custody in a cooperating jurisdiction (not at large in a safe harbor), this disruption reached the human capital. The residual risk is client migration: TRM frames the takedown as creating "new disruption opportunities" and expects displaced volume to redistribute toward other high-risk off-ramps and, increasingly, cross-chain bridges (which overtook mixers as the primary ransomware obfuscation layer in 2024). Analyst Inference
Connected Entities and Ecosystem Relationships
Two-tier model applied to every entry. Tier 1 : Transaction confidence: how confident are we that funds transited AudiA6 from/to the entity? Tier 2 : Facilitation assessment: a categorical characterization of AudiA6's role (Active facilitation / Structural enablement / Incidental processing). These are independent assessments and are never collapsed. Single-vendor claims are flagged [SINGLE SOURCE].
| Entity | Relationship type | Tier 1: Transaction confidence | Tier 2: Facilitation assessment | Corroborating / disagreeing / not-published vendors |
|---|---|---|---|---|
| Ransomware groups (ALPHV/BlackCat, Qilin, LockBit, +17 others) | Customers / off-ramp | CONFIRMED TRM wallet-level: BlackCat $9.1M, Qilin $7.1M, LockBit $4.4M; Europol/DOJ confirm ransomware off-ramp role. |
Active facilitation Marketed to ransomware actors; rapid-turnaround mule infrastructure built to serve them; undercover solicitation documented. |
Corroborating: TRM, Chainalysis, Europol, DOJ. No vendor disagreement located. |
| Dark2Web forum | Same-operator platform integration | CONFIRMED DOJ/Europol/Chainalysis: AudiA6 administrators also managed Dark2Web; both seized together. |
Structural enablement Served as the marketplace and customer-acquisition hub embedding the laundering service in the wider ecosystem. |
Corroborating: DOJ, Europol, Eurojust, Chainalysis. |
| Exploit.in / Verified (cybercrime forums) | Counterparties and escrow exposure | CONFIRMED Chainalysis: Dark2Web had heavy financial exposure to Exploit.in escrow. TRM: Exploit and Verified sent funds to AudiA6. |
Structural enablement Interlocking marketplaces routing criminal demand and proceeds to AudiA6. |
Corroborating: Chainalysis, TRM. Two-vendor. |
| Garantex (OFAC/EU-sanctioned exchange) | Downstream cash-out / peer infrastructure | CONFIRMED Chainalysis Reactor: AudiA6 maintained direct transactional connections to Garantex. |
Structural enablement Value routed to another sanctioned, low-KYC venue rather than evidence of a joint operation. |
Corroborating: Chainalysis. Single Source for AudiA6-specific link; TRM/Elliptic not published on this pairing. |
| Bitzlato (sanctioned/disrupted exchange) | Downstream cash-out / peer infrastructure | CREDIBLE Chainalysis: AudiA6 deeply intertwined with sanctioned Russian exchanges including Bitzlato. |
Structural enablement Cash-out vector within the same Eastern European cybercrime plumbing. |
Corroborating: Chainalysis. Single Source; not separately quantified. |
| LastPass theft crew (Russian-cybercriminal-assessed) | Stolen-funds depositor | CONFIRMED TRM demixing: ~$7M of LastPass-stolen funds traced Wasabi to AudiA6 (cluster-level demixing, timing/amount alignment). |
Incidental processing / Structural enablement AudiA6 received post-mix funds as a second-layer launderer; no evidence of bespoke coordination with the thieves. |
Corroborating: TRM. Single Source (proprietary demixing). |
| Wasabi Wallet (CoinJoin mixer) | Upstream mixer in shared laundering chains | CONFIRMED TRM: Wasabi was the first-layer mixer ahead of AudiA6 in the LastPass flow. |
Incidental processing General-purpose mixer used upstream; no evidence of coordination between Wasabi operators and AudiA6. |
Corroborating: TRM. Single Source for the AudiA6 linkage. |
| Swissborg hack (theft incident) | Stolen-funds source | CREDIBLE TRM lists Swissborg among 15+ investigations linked to AudiA6; flow not quantified publicly. |
Incidental processing Theft proceeds among the laundered inflows; role characterization pending detail. |
Corroborating: TRM. Single Source. |
| Mainstream centralized exchanges (unnamed) | Mule-account fiat off-ramp | CONFIRMED Europol/Chainalysis: 6,000+ KYC-verified mule accounts at mainstream exchanges used to layer and cash out. |
Incidental processing The exchanges were exploited via identity fraud, not knowing participants; specific platforms not named. |
Corroborating: Europol, Chainalysis. Specific exchanges not enumerated (gap). |
Trajectory Assessment
Market Position and Volume Trends
Confirmed Pre-takedown, AudiA6 was one of a small number of off-ramps that absorb most ransomware proceeds. TRM data shows the top five services capture 42% to 57% of ransomware off-ramp volume annually (rebounding to 51% in 2025), and AudiA6 was a high-risk node within that concentration: about 80% of its traced illicit exposure was ransomware. Its incoming volume peaked in 2023 and declined thereafter, while its illicit share rose from under 1% (2022) to over 6% (2024). [TRM Labs]
Disruption Impact
Reconstitution Status
AudiA6 brand: No confirmed reconstitution. Infrastructure seized; no successor identified. Credible
Operator network: Degraded. Two senior administrators in custody pending extradition; one earlier Poland arrest. The unnamed Poland-arrested figure and any remaining affiliates are an open question. Confirmed
Ecosystem effect: Displacement expected. Displaced volume likely shifts to remaining high-risk off-ramps and cross-chain bridges. Analyst Inference [TRM Labs]
Intelligence Gaps
Recent Reporting
[June 11, 2026] DOJ (E.D. Pa.) announces charges against Tkachuk and Ledenev; Chainalysis and TRM Labs publish entity-specific on-chain analyses; Europol, Eurojust, and the AFP issue takedown statements. [DOJ, Chainalysis, TRM, Europol, Eurojust, AFP]
[June 10, 2026] Coordinated international action: two arrests in Georgia, ~25 domains and 30+ servers seized, 80 vehicles/properties seized, EUR 692K frozen and EUR 86K seized, Telegram blocked. [Europol, AFP, BleepingComputer]
[June 2, 2026] EDPA criminal complaint filed charging the two operators under 18 U.S.C. 1956. [TRM Labs / DOJ]
[Dec 2025] TRM Labs independently identifies AudiA6 as a ransomware off-ramp, tracing ~$7M of LastPass-stolen funds from Wasabi into the service via demixing. [TRM Labs]
[Sept 2025] Polish authorities arrest a Ukrainian national linked to AudiA6; device forensics enable the later Georgia arrests. [Europol]
Sources
- U.S. DOJ, E.D. Pennsylvania: Two Charged in Connection With Cryptocurrency Money Laundering Service That Allegedly Laundered Over $389 Million : June 11, 2026
- Europol: Ransomware gangs cut off from EUR 336 million 'AudiA6' crypto laundering pipeline : June 2026
- Eurojust: Cryptocurrency money laundering site shut down thanks to coordinated investigation : June 2026
- Australian Federal Police: AFP assists Europol disruption of $542 million money laundering operation : June 2026
- Chainalysis: Global Law Enforcement Dismantles 'AudiA6' Crypto Laundering Network Linked to Ransomware Gangs : June 11, 2026
- TRM Labs: International Operation Dismantles EUR 336 Million Ransomware Laundering Pipeline AudiA6 : June 12, 2026
- TRM Labs: TRM Traces Stolen Crypto from 2022 LastPass Breach : December 24, 2025
- BleepingComputer: Authorities dismantle 'AudiA6' ransomware crypto-laundering service : June 11, 2026
- Help Net Security: Authorities dismantle crypto laundering service that moved EUR 336 million for cybercriminals : June 12, 2026
- The Hacker News: Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs : June 2026
- The Block: DOJ charges two in $389 million AudiA6 crypto laundering case : June 2026
- TRM Labs: New Disruption Opportunities in the Evolving Ransomware Ecosystem : April 8, 2026
- OFAC: Recent Actions (checked for AudiA6/operator designations : none located as of June 2026)
- Dark2Web/underground advert (verified thread): "AudiA6: Cryptocurrency Mixer & Exchange" (marketing copy : single source)
Profile produced using open-source intelligence. Confidence labels applied per schema: CONFIRMED (multiple independent sources), CREDIBLE (single strong source or multiple weaker sources), ANALYST INFERENCE (logical extrapolation from confirmed facts). All volume figures cited with source and methodology; figures from different vendors and authorities are not averaged. Two-tier connected entity model applied throughout Section 09 (Tier 1 transaction confidence + Tier 2 facilitation assessment). Status: Disrupted (June 10, 2026); no sanctions designation as of June 2026.