The $380 million ransomware laundering pipeline billed itself as a "mixing service." Investigators say it ran on stolen identities and recruited money mules, and that the Poland to Georgia forensic chain is a replicable model, not a one off win.
A single arrest in Poland in September 2025 broke open a cryptocurrency laundering pipeline that had moved an estimated $380 million in ransomware proceeds through a service called AudiA6, a hub stitched together not by sophisticated cryptography but by thousands of fake exchange accounts opened with stolen identities and a network of recruited money mules, according to Europol's announcement on the operation and BleepingComputer's reporting on the coordinated takedown.
The case is a useful corrective to the standard "crypto-mixer takedown" framing. AudiA6 advertised itself as a "professional cryptocurrency mixing service" and promised cleaned returns in about an hour for a 3 to 10 percent commission. What investigators say actually moved the money was a KYC-fraud and money-mule operation: thousands of exchange accounts opened with stolen or purchased identities, fed by Russian-speaking intermediaries who recruited the mules, with on-chain transaction chains layered on top to give the surface a cryptographic gloss. The BleepingComputer report cites Intel471, which had profiled AudiA6 pre-takedown as one of four active ransomware-laundering mixers alongside Absolutio, Blender, and Mix-btc, charging a flat 3 to 5.5 percent fee with multi-coin support including Bitcoin, Ethereum, and Monero. That positioning is a tier below the ChipMixer or Tornado Cash hubs, but the volume makes the case instructive rather than minor.
The forensic chain that cracked it is worth tracing. The anchor was a September 2025 arrest in Poland of a Ukrainian national linked to AudiA6. Forensic examination of that suspect's devices identified the key individuals behind the service, which set up the June 10, 2026 action in Georgia, where two admins, Ukrainian and Russian nationals who also ran the underground forum Dark2Web, were taken into custody, per Europol's newsroom statement. The June 10 operation involved authorities from 11 countries in Europe, the Americas, and Asia, coordinated by Europol and Eurojust.
The U.S. side landed on June 11, 2026, with the Department of Justice charging Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25 as senior members of the laundering service in the Eastern District of Pennsylvania. Both are facing up to 20 years; the case is at the charged-and-arraigned stage, not a conviction. According to the DoJ filing summarized by BleepingComputer, roughly 10,333 BTC flowed into AudiA6, of which about 393.39 BTC, around $19.2 million at transaction-time pricing, came directly from known darknet markets, ransomware operators, and other illicit services, with additional illicit funds arriving through indirect paths.
The seizure tally is concrete. Authorities blocked 25 domains, 80 vehicles and properties, roughly €86,000 (about $99,000) in cryptocurrency seized, and €692,000 (about $798,000) in additional crypto frozen, with Telegram accounts tied to the operation also taken down. Both the AudiA6 and Dark2Web sites now display a seizure banner. Forensic recovery of 6,000 KYC records from the platform gave investigators a map of the mule-account network underneath, per the BleepingComputer writeup.
The headline figure deserves a footnote. Europol framed the result as cutting €336 million off the laundering pipeline; the DoJ and BleepingComputer use roughly $380 million as the laundered-volume anchor. The two numbers are not in conflict so much as measuring different things, with the higher USD figure reflecting Bitcoin's appreciation between the time those proceeds moved and the present, and the EUR figure functioning as the cross-jurisdictional headline. Either way, the service is linked to more than 15 international investigations of ransomware attacks and large-scale crypto theft, and operated as a hub from 2022 to 2025.
What the case exposes, and what the standard press-release framing tends to smooth over, is that "mixing" as a laundering model is increasingly a KYC-fraud story wearing a cryptographic label. The 11-country operation did not crack on-chain anonymity in any cryptographic sense; it cracked the fake-account infrastructure that gave the on-chain activity a veneer of normalcy on exchange-side compliance checks. The Poland-to-Georgia forensic path, one anchoring arrest, device forensics that named the rest, and a coordinated multinational seizure action, is a replicable playbook. Blockchain investigator ZachXBT had previously flagged AudiA6 for facilitating illicit activity, and the Intel471 mixer profile had named it as one of the active ransomware-laundering options. The remaining question is how many of the next tier of services run on the same mule-and-fake-account skeleton, and how many jurisdictions have the patience to climb a forensic chain that starts with one arrest in one country and ends with seizures in eleven.