Summary
- An international coalition of law enforcement agencies, including the U.S. DOJ, Secret Service, Europol, CBZC, and others, dismantled “AudiA6,” a major cryptocurrency laundering platform.
- Authorities arrested two alleged administrators in the Republic of Georgia. The coordinated strike also seized digital infrastructure across multiple countries and took down “Dark2Web,” a darknet forum used to advertise the laundering service.
- Blockchain analysis indicates that since 2021, the AudiA6 network processed approximately 10,333 bitcoin (historically valued at roughly $389 million), acting as a trusted “mixer-as-a-service” for the broader cybercriminal ecosystem.
- The network’s obfuscation methodology relied heavily on utilizing over 6,000 KYC-verified money mule accounts to rapidly wash stolen digital assets through centralized cryptocurrency exchanges.
On June 11, 2026, global law enforcement agencies, including the United States Department of Justice (DOJ), Secret Service, and Europol, announced the successful disruption of “AudiA6,” one of the most prolific cryptocurrency laundering services utilized by the cybercriminal underground. The sweeping operation, bolstered by critical intelligence sharing and blockchain analysis from private sector partners, targeted both the digital infrastructure and the personnel managing the network, severely degrading a primary financial pipeline used to wash illicit profits from global ransomware attacks and cryptocurrency thefts.
The coordinated action culminated in the arrest of two suspected senior administrators — a 37-year-old Ukrainian national and a 25-year-old Russian national — in the Republic of Georgia. Alongside these arrests, authorities replaced the websites for AudiA6 and the associated “Dark2Web” cybercrime forum with seizure banners, while systematically taking down dozens of servers and domains across the United States and Europe.
Dark2Web served as a watering hole for ransomware affiliates, hackers, and other cybercriminals. They used the service to connect, trade, and advertise their services. Their union with the AudiA6 money laundering service provided these threat actors with the opportunity to offramp while skirting detection.
This is not the first time global law enforcement has jointly targeted the payment apparatus supporting large cybercrime enterprises. In 2024, the admin for Universal Anonymous Payment System, “Taleon,” and its affiliated money laundering service, Cryptex, were sanctioned by OFAC, and the infrastructure supporting both services was seized. Disruptions of the payment rails relied upon by thousands of cyber threat actors are felt throughout crime-ridden corners of the internet.
Unpacking the AudiA6 and Dark2Web laundering pipeline
AudiA6 operated as a highly professionalized node within the illicit digital economy, offering a “mixer-as-a-service” model that charged a 3 to 10 percent commission. The service blatantly catered to cybercriminals, with the criminal complaint noting that AudiA6 advertised its ability “to take your dirty crypto and give you my clean one.”
According to the DOJ, blockchain analysis shows that AudiA6-controlled wallets received approximately 10,333 bitcoin since its launch in 2021, representing roughly $389 million in historical value. Of this, investigators traced at least 393 BTC (historically valued at over $19 million) flowing directly from known ransomware actors, darknet markets, and other cybercrime services into the AudiA6 ecosystem.
The Dark2Web connection
AudiA6’s administrators also managed “Dark2Web,” an underground cybercrime forum used to advertise the laundering service and connect with prospective clients. Analyzing Dark2Web’s on-chain footprint reveals how deeply integrated this network was within the broader cybercriminal ecosystem.
As seen in the Chainalysis Reactor graph above, Dark2Web was connected not only to individual cybercrime actors and ransomware affiliates, but to the Russian darknet market ecosystem as a whole. Notably, the site had heavy financial exposure to Exploit.in, another prominent Russian-language cybercrime forum that operates an escrow service, highlighting how these illicit marketplaces interlock to facilitate cybercrime.
Industrial-scale laundering
To process the volume of illicit funds flowing from these networks, the AudiA6 operators built an industrial-scale laundering mechanism. Europol noted that the network relied heavily on exploiting legitimate cryptocurrency exchanges. Cybercriminals transferred stolen cryptocurrency into unhosted wallets managed by AudiA6. The network then layered the funds through thousands of fraudulent exchange accounts, utilizing over 6,000 KYC-verified money mules before returning the obfuscated funds to clients within an estimated one-hour window.
This methodology allowed AudiA6 to successfully wash substantial proceeds for an array of criminal elements, including over $16 million explicitly tied to ransomware and stolen funds.
As the graph below illustrates, AudiA6 maintained direct transactional connections to a variety of high-risk illicit services. Beyond ransomware groups, the laundering pipeline was deeply intertwined with sanctioned Russian exchanges like Bitzlato and Garantex, further cementing its role as a critical cash-out vector for Eastern European cybercrime syndicates.
Impact on cryptocurrency compliance
For compliance teams operating at virtual asset service providers (VASPs) and global exchanges, the AudiA6 investigation highlights the severe, ongoing threat posed by industrial-scale identity fraud. The network’s successful deployment of over 6,000 money mule accounts underscores the need for continuous behavioral monitoring that extends beyond initial onboarding.
Compliance programs must calibrate their transaction monitoring systems to detect the specific typologies associated with this operation — namely, rapid bursts of inbound transfers from unhosted wallets that are immediately withdrawn or swapped. Furthermore, Europol has publicly identified several domains (such as designli.pictures, deliverly.top, and inboxly.top) utilized by the administrators to register these fraudulent accounts. Exchanges should actively screen their user databases against these indicators to identify, review, and block any lingering infrastructure connected to this syndicate.
Chainalysis will continue to monitor the on-chain fallout from today’s enforcement actions.
FAQs
What was the AudiA6 cryptocurrency network?
AudiA6 was a specialized money laundering platform and “mixer-as-a-service” heavily utilized by the global cybercrime ecosystem. It allowed threat actors, including ransomware syndicates and scammers, to conceal the origin of stolen digital assets in exchange for a commission.
How much cryptocurrency did AudiA6 launder?
Blockchain analysis cited by U.S. authorities indicates that since 2021, AudiA6 wallets received approximately 10,333 bitcoin, which carried an estimated value of nearly $389 million at the time the transactions occurred.
How did the network obscure the origin of the funds?
The operators utilized an industrial-scale money mule network to break the blockchain money trail. Stolen funds were deposited into AudiA6 wallets and rapidly layered through over 6,000 KYC-verified, fraudulent exchange accounts before being returned to the criminal clients as “clean” funds.
Who was arrested during the global takedown?
Authorities in the Republic of Georgia arrested two suspected senior administrators of the AudiA6 service: a Ukrainian national and a Russian national. The U.S. government is currently seeking their extradition.
What is the connection between AudiA6 and Dark2Web?
Dark2Web was an underground cybercrime forum that the AudiA6 administrators allegedly managed. The forum served as a digital marketplace where the administrators advertised their cryptocurrency laundering services and connected with prospective criminal clients. Both services were seized by law enforcement.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
