Global sting dismantles $390M crypto money-laundering ring

An international law enforcement operation spanning 11 countries has shut down AudiA6, a crypto-laundering network that processed 336 million euros in illicit funds between 2022 and 2025. Authorities arrested two administrators—one Russian and one Ukrainian—during raids in Georgia, while investigators seized 25 domain names, more than 30 servers, and 80 vehicles. About $900,000 in cryptocurrency was frozen as part of the coordinated action.

Eurojust confirmed the takedown, describing AudiA6 as a “mixer-as-a-service” that enabled cybercriminals to cash out stolen crypto and obscure the movement of funds by offering to “clean” crypto within roughly an hour for commissions ranging from 3% to 10%. Chainalysis traced the network’s activity to wallets that received approximately 10,333 BTC, valued at around $389 million at the time those transactions occurred. The operation also implicated a separate dark-web marketplace forum known as Dark2Web, used to advertise illicit services and connect cybercriminals worldwide, according to Eurojust.

The investigation drew in law enforcement agencies from the United States, Australia, France, Poland, Georgia, Iceland, Canada, Germany, Japan, Switzerland and the United Kingdom, coordinated through Eurojust and Europol. This level of cross-border cooperation underscores how crypto-enabled crime now operates with integrated, multinational networks rather than isolated cells.

Key takeaways

• AudiA6’s crypto-laundering network was dismantled across 11 countries, with 25 domains seized, more than 30 servers taken offline, and 80 vehicles confiscated; two administrators were arrested in Georgia.
• Between 2022 and 2025, the scheme processed approximately 336 million euros in illicit funds; roughly 10,333 BTC flowed through AudiA6 wallets, valued at about $389 million at the time.
• The operation relied on thousands of fake KYC identities and “money mule” accounts tied to Russian-speaking intermediaries moving funds through exchanges.
• AudiA6 served as a conduit for ransomware proceeds and is linked to Dark2Web, a forum used to connect cybercriminals and advertise illicit services.
• The crackdown comes as ransomware activity in Q1 2026 shows growing concentration among a handful of operators, with the United States accounting for the largest share of victims and a small cadre of groups driving most incidents.

Global crackdown dismantles a sophisticated crypto-laundering operation

The European Union Agency for Criminal Justice Cooperation—Eurojust—announced that the operation involved a coordinated, multinational effort to disrupt what prosecutors described as a high-volume laundering pipeline. The seizure of a broad digital infrastructure—domains and servers—was paired with physical seizures and arrests, reflecting the blend of cyber and traditional-law-enforcement methods now common in crypto-crime prosecutions. The case highlights how virtual assets can be moved, masked, and cashed out across borders, often leveraging services that promise rapid “cleaning” of funds for a fee.

Europol, which coordinated the multinational action, said the operation targeted both the on-chain and off-chain components of the crime network, including the services that enable criminals to convert digital assets into fiat while attempting to obscure provenance. The alliance of agencies underscores the increasingly joint nature of crypto-crime disruption and the importance of shared intelligence across jurisdictions.

How AudiA6 operated and what it moved

At the center of the scheme was AudiA6’s “mixer-as-a-service,” a kind of digital laundering facility that offered to launder cryptocurrency within about an hour. The service was described as taking a commission of 3% to 10% for turning tainted coins back into usable funds. The scale of operation is underscored by the wallet data: since 2021, AudiA6 wallets received more than 10,333 BTC, which Chainalysis estimated as about $389 million in value at the time those transactions occurred.

The operation extended beyond a single platform. Investigators identified a parallel dark-web marketplace ecosystem centered on Dark2Web, which prosecutors said facilitated illicit services and connected criminals worldwide. By taking advantage of both regular and dark-web channels, AudiA6 was able to route funds through a variety of digital ingress routes, complicating tracing and enforcement efforts.

Europol’s public materials show that the cross-border nature of the work required a broad investigatory umbrella, with agencies from multiple continents contributing to the case. The collaboration reflects how law enforcement methods now blend traditional asset seizure with digital forensics and international information-sharing, all aimed at disrupting entire laundering pipelines rather than isolated transactions.

Fraudulent identities, KYC abuse, and money mules

The AudiA6 investigation also shone a spotlight on the abuse of Know Your Customer processes. Eurojust said the ring facilitated thousands of fraudulent accounts constructed from stolen or purchased identities, enabling “money mule” activity that carried illicit proceeds through crypto exchanges. The investigation identified more than 6,000 KYC records tied to money-mule accounts, illustrating how criminals exploit identity data to blend criminal flows with legitimate activity.

Intermediaries—predominantly Russian-speaking—were recruited to execute the laundering flows, helping to route funds and avoid detection. The use of compromised identities and mule networks has emerged as a recurring theme in cross-border crypto-crime, complicating compliance efforts at exchanges and custodians alike.

In a related note, Australian Federal Police confirmed that AudiA6 was involved in laundering at least part of a ransom paid in 2024 following a ransomware incident targeting an Australian business. The AFP described the operation as a key component of the broader takedown, illustrating how ransom payments can feed into multilayered laundering schemes across jurisdictions.

Both the standard and dark-web versions of AudiA6 and Dark2Web domains have since been replaced with seizure banners, signaling the seizure of operational capability and the removal of the laundering infrastructure from active use.

Ransomware dynamics: consolidation among a few operators

The AudiA6 case arrives amid a broader trend in ransomware activity. Data indicates that ransomware incidents persisted across 97 countries in the first quarter of 2026, but the attack footprint is increasingly concentrated. The United States accounted for 64.7% of all victims in Q1 2026, a signal that a relatively small number of operators are driving most campaigns, according to Emsisoft’s quarterly assessment. Check Point Research, in its May briefing, likewise observed that the top 10 ransomware groups were responsible for about 71% of victims in the period.

The consolidation pattern matters for defenders and policymakers because it suggests that disruptors’ success hinges on interdicting a core set of operators, rather than chasing a broad, diffuse threat landscape. It also underscores the importance of cross-border cooperation and rapid information-sharing to hit the most consequential actors in the ecosystem.

For readers tracking crypto-crime trajectories, the AudiA6 takedown demonstrates how enforcement is evolving—from piecemeal takedowns to coordinated, multi-jurisdictional seizures that target the infrastructure, the networks, and the identities that enable laundering flows. The case also highlights the ongoing risk posed by KYC abuse and mule networks, which remain a persistent vulnerability for exchanges and FinTechs alike.

As authorities continue to map and dismantle these networks, observers should watch for how exchanges, wallet providers, and borderless payment rails adapt their compliance controls, and whether new collaborative efforts emerge to tackle the transnational scale of such operations.

What remains uncertain is how quickly the remaining strands of AudiA6’s ecosystem will be fully disrupted and what downstream effects this may have on ransomware operators’ ability to cash out. With cross-border enforcement now more tightly coordinated, investigators may have a clearer path to tracing flows that leap across jurisdictions and technologies.

For now, the headlines reflect both a successful disruption of a sophisticated laundering pipeline and a reminder of how quickly malicious actors adapt to evolving crypto-financial infrastructures. Watch closely how the investigation’s lessons translate into improved enforcement tools, tighter KYC controls, and broader industry cooperation in the coming months.

This article was originally published as Global sting dismantles $390M crypto money-laundering ring on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.