Eurojust, Europol lead takedown of €336M AudiA6 crypto mixer

Authorities from 11 countries have dismantled AudiA6, a cryptocurrency “mixer-as-a-service” used by ransomware groups to obscure payments. Two alleged administrators were arrested in Georgia on June 10, and 25 domains tied to the service were seized, Eurojust reported.

Investigators also took control of more than 30 servers, impounded 80 vehicles and froze about €778,000 ($900,000) in digital assets linked to the scheme. Both the clear web and dark web portals for AudiA6 and the related “Dark2Web” domains now display seizure notices.

The case was coordinated through Eurojust and Europol and involved agencies from the United States, Australia, France, Poland, Georgia, Iceland, Canada, Germany, Japan, Switzerland and the United Kingdom. The operation targeted infrastructure in multiple jurisdictions using blockchain analysis, digital forensics and financial records.

AudiA6 promoted rapid crypto laundering, offering to “clean” funds in about an hour for a 3% to 10% commission, according to investigators. Analysis of blockchain data shows that wallets associated with the service received roughly 10,333 bitcoin since 2021, worth about $389 million at the time of those transactions.

Authorities estimate AudiA6 processed around €336 million ($390 million) in illicit cryptocurrency between 2022 and 2025, much of it linked to ransomware payments. Law enforcement agencies report the service was widely used by ransomware actors to hide payment trails and cash out extortion proceeds.

Investigators uncovered large-scale identity fraud supporting the network. More than 6,000 Know Your Customer records tied to money-mule accounts were identified, many created with stolen or purchased identities and operated by Russian-speaking intermediaries to move funds through exchanges.

The Australian Federal Police linked AudiA6 to laundering part of a ransom paid by an Australian business in 2024 following an extortion incident. That trace formed one element of the broader case connecting ransomware operators, the mixer and mule accounts.

In parallel, the group behind AudiA6 allegedly ran “Dark2Web,” a forum used to advertise illicit services and connect criminal actors. Authorities dismantled the forum alongside the mixer infrastructure and replaced its domains with banners.

Ransomware attacks remain widespread and concentrated. Attacks were recorded in 97 countries in the first quarter of 2026, with the United States accounting for 64.7% of identified victims. The 10 most active groups were linked to 71% of all known victims in the period.

Eurojust and Europol highlight that the case relied on cross-border cooperation, with agencies sharing blockchain analysis, server logs, wallet addresses and financial records. Evidence from seized servers and accounts will support prosecutions and further tracing of funds.