International Operation Dismantles EUR 336 Million Ransomware Laundering Pipeline AudiA6

TRM data shows just five services absorb more than 50% of ransomware off-ramp volume each year
TRM Team

Key takeaways

  • Europol announced today that an international law enforcement operation dismantled AudiA6, a cryptocurrency laundering service that processed EUR 336 million for ransomware gangs and was linked to more than 15 international cybercrime investigations, including stolen proceeds from the 2022 LastPass breach and the Swissborg hack
  • Despite more than 600 services being available each year, ransomware groups routed between 42% and 57% of their off-ramp volume through just five services annually — a concentration pattern that persisted through multiple enforcement cycles and rebounded to 51% in 2025
  • TRM data shows ransomware payments totaled USD 1.3 billion in 2025, while ransom payments held steady at approximately USD 850 million
  • TRM's on-chain analysis independently identified AudiA6 as a ransomware off-ramp in December 2025, tracing USD 7 million in LastPass-stolen funds to the exchange using proprietary demixing techniques
  • TRM data shows cross-chain bridges have replaced mixers as the primary obfuscation layer in ransomware laundering: bridge flows reached USD 100 million in 2025, overtaking mixer volumes for the first time in 2024


Europol announced today that an international law enforcement operation dismantled AudiA6, a cryptocurrency laundering service that processed EUR 336 million for ransomware gangs and was linked to more than 15 international cybercrime investigations, including stolen proceeds from the 2022 LastPass breach and the Swissborg hack.

In addition to the Europol takedown, on June 2, 2026, prosecutors in the Eastern District of Pennsylvania filed a criminal complaint charging Igorevich Tkachuk, 37, of Ukraine, and Alexander Vladimirovich Ledenev, 25, of Russia, with operating AudiA6. Both defendants were arrested this week in Batumi, Georgia, and prosecutors will seek extradition. The defendants are charged with money laundering under 18 U.S.C. § 1956. AudiA6 also operated Dark2Web, a cybercrime forum where users paid to commission crimes against specific targets.

In six undercover transactions conducted between December 2022 and May 2026, federal agents documented operators actively soliciting dirty funds and knowingly confirming the criminal origin of proceeds. When one undercover agent asked whether proceeds from cocaine sales were acceptable, the operator responded: "Everything like that needs to go through a mixer." In other exchanges, agents explicitly represented that funds derived from criminal activity, and operators confirmed they would process them.

AudiA6 is a high-risk exchange, and its illicit exposure profile distinguishes it from general-purpose services. Approximately 80% of AudiA6's traced illicit counterparty exposure — USD 63 million of USD 79 million total — ties directly to ransomware. Sanctions exposure, cybercrime services, and darknet market activity account for most of the remainder.

Its volume trajectory reinforces that profile. AudiA6's total incoming volume peaked in 2023 and declined through 2024 and 2025. Its illicit share moved in the opposite direction — under 1% in 2022, rising to over 6% in 2024. Legitimate use declined while criminal use increased — this is a recurring signature of services captured by high-risk clientele.

The LastPass connection illustrates how that footprint becomes traceable. TRM's on-chain analysis of the 2022 LastPass breach traced a September 2025 wave of stolen funds — approximately USD 7 million — from Wasabi Wallet to AudiA6 using cluster-level demixing, timing and amount alignment, and post-mix wallet intelligence. That analysis identified AudiA6 as a ransomware off-ramp independent of and prior to the Europol operation.

Ransomware payments remain elevated, off-ramp ecosystem is concentrated

TRM data shows ransomware payments totaled approximately USD 1.3 billion in 2025 (down from USD 1.9 billion in 2024), while ransom payments held steady at approximately USD 850 million. At the same time, victim postings on leak sites rose by 44%, indicating growing activity alongside declining payment rates.

AudiA6 shows how the ransomware financial infrastructure processing these illicit gains works: by concentrating proceeds through a handful of nodes that have the liquidity, tolerance for criminal activity, and reach that criminal networks require.

TRM's analysis of ransomware off-ramp flows shows a consistent pattern. Between 600 and 760 distinct services receive ransomware-attributed funds in any given year. The top five services alone account for between 42% and 57% of total off-ramp volume annually. The top ten handle between 62% and 75%.

Despite hundreds of available services, the top five consistently absorb more than 40% of all ransomware off-ramp volume. Source: TRM Labs, 2020–2025.

Concentration dipped to 42% in 2023 as enforcement actions disrupted several key nodes, then rebounded to 51% in 2025.

Criminal networks gravitate toward services that offer the liquidity and reliability their operations require, and those services accumulate the volume that makes them further attractive. Enforcement has disrupted individual nodes repeatedly. The concentration pattern itself has held across five consecutive years.
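
The top-five and top-ten shares discussed above are a concentration ratio computed over attributed off-ramp flows. The sketch below is an added example, not TRM's code or data: the record layout, service labels and amounts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (year, receiving service label, USD amount).
# Labels and amounts are invented; real input would be attributed flows.
FLOWS = [
    (2024, "svc-a", 300_000), (2024, "svc-b", 200_000),
    (2024, "svc-a", 100_000), (2024, "svc-c", 150_000),
    (2024, "svc-d", 100_000), (2024, "svc-e", 50_000),
    (2024, "svc-f", 60_000), (2024, "svc-g", 40_000),
    (2025, "svc-a", 500_000), (2025, "svc-h", 250_000),
    (2025, "svc-b", 250_000),
]


def concentration_by_year(flows, ks=(5, 10)):
    """Return {year: {"services": n, "total": usd, "top5": share, ...}}."""
    per_year = defaultdict(lambda: defaultdict(int))
    for year, service, usd in flows:
        if usd <= 0:
            continue  # ignore zero or negative rows (malformed input)
        per_year[year][service] += usd  # many flows can hit one service

    report = {}
    for year, services in sorted(per_year.items()):
        ranked = sorted(services.values(), reverse=True)
        total = sum(ranked)
        row = {"services": len(ranked), "total": total}
        for k in ks:
            # With fewer than k services the share is trivially 1.0, so
            # always read the ratio next to the service count.
            row[f"top{k}"] = sum(ranked[:k]) / total
        report[year] = row
    return report


if __name__ == "__main__":
    for year, row in concentration_by_year(FLOWS).items():
        print(year, row["services"], f'{row["top5"]:.0%}', f'{row["top10"]:.0%}')
```

A share only says something about concentration when the number of receiving services is much larger than k, as it is in the 600 to 760 services per year reported here.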

From mixers to bridges

The composition of ransomware off-ramp activity has shifted alongside enforcement pressure. Mixers dominated through 2021, absorbing USD 152 million in ransomware-attributed flows. Enforcement actions — including the shutdown of ChipMixer in March 2023 — drove that figure down to USD 48 million in 2024. Cross-chain bridges likely filled the gap opened by these shutdowns.

Bridge-based ransomware laundering overtook mixers for the first time in 2024 and reached USD 100 million in 2025. Source: TRM Labs, 2020–2025.

Bridge flows reached USD 100 million in 2025, more than double 2021 levels. For the first time, bridge volumes were higher than mixer volumes for the year. Unlike purpose-built mixing services, cross-chain bridges serve a broad range of legitimate use cases, which makes enforcement through a single targeted action more complex. The shift doesn't eliminate the traceability of ransomware proceeds, but it distributes obfuscation across infrastructure that isn't exclusively illicit.

BlackCat, Qilin, and LockBit sent largest volumes to AudiA6

TRM's on-chain data identifies 20 distinct ransomware groups that sent funds to AudiA6. The three largest were ALPHV BlackCat (USD 9.1 million), Qilin (USD 7.1 million), and LockBit (USD 4.4 million). In addition to these three, prolific groups such as Akira (USD 386.2K), Chaos/Blacksuit (USD 3.65 million), The Gentlemen (USD 99.6K), and RansomHub (USD 975.9K) also sent funds to AudiA6 consistently over time. The established cybercrime platforms Exploit and Verified also sent funds to AudiA6, highlighting the key role that AudiA6 played in the larger cybercriminal ecosystem.

ALPHV BlackCat's attacks included a February 2024 strike on Change Healthcare that disrupted healthcare systems across the United States, drawing a reported USD 22 million ransom payment. Qilin (aka Agenda) emerged in mid-2022 as a ransomware-as-a-service (RaaS) operation – TRM's on-chain analysis identified shared affiliate infrastructure linking Qilin payments to at least two other active ransomware groups, consistent with the RaaS model's use of affiliates who deploy multiple strains simultaneously. LockBit accumulated over USD 200 million in ransom payments before a coordinated operation disrupted its infrastructure in February 2024.

Concentration points offer enforcement opportunities

AudiA6 shows that ransomware proceeds concentrate in a small number of identifiable services because only some services fully meet their operational requirements. This concentration creates recurring investigative footholds.

TRM's demixing analysis published in 2025 identified AudiA6 as one of those footholds. By tracing LastPass-stolen funds through Wasabi's mixing layer and matching post-mix patterns to AudiA6 deposit addresses, TRM identified the same infrastructure the operation subsequently dismantled. The technique — cluster-level demixing at scale, timing and amount alignment across hops — reveals infrastructure reuse across ransomware campaigns more broadly.

That bridge trend, however, makes enforcement more complicated. Bridges obfuscate movement across infrastructure in a way that makes it hard to identify a single point of failure. Despite movement towards bridges, identifying an underlying concentration pattern is still best practice for investigators. As long as ransomware proceeds flow disproportionately through a small, identifiable set of nodes, coordinated enforcement has a viable target.


Frequently asked questions (FAQs)

1. What was AudiA6?

AudiA6 is a cryptocurrency laundering service that processed EUR 336 million for ransomware gangs and was linked to more than 15 international cybercrime investigations. Approximately 80% of its traced illicit exposure tied directly to ransomware, with the remainder split across sanctions exposure, cybercrime services, and darknet market activity.

2. Who operated AudiA6?

US prosecutors charged Igorevich Tkachuk, 37, of Ukraine, and Alexander Vladimirovich Ledenev, 25, of Russia with operating the service. Both were arrested in Batumi, Georgia; prosecutors are seeking extradition on money laundering charges under 18 U.S.C. § 1956. AudiA6 also operated Dark2Web, a cybercrime forum where users paid to commission crimes against specific targets.

3. How did TRM identify AudiA6 before the operation?

In December 2025, TRM’s on-chain analysis traced approximately USD 7 million in LastPass-stolen funds from Wasabi Wallet to AudiA6 using cluster-level demixing, timing and amount alignment, and post-mix wallet intelligence — independent of and prior to the Europol enforcement action.

4. Why do ransomware groups concentrate through so few services?

Criminal networks gravitate toward services that offer the liquidity and operational reliability their business model requires. Between 600 and 760 distinct services receive ransomware-attributed funds in any given year, yet the top five consistently absorb 42–57% of total off-ramp volume. That concentration persisted through multiple enforcement cycles and rebounded to 51% in 2025.

5. What is the shift from mixers to cross-chain bridges?

Mixer volumes in ransomware laundering fell from USD 152 million in 2021 to USD 48 million in 2024, driven partly by enforcement actions including the ChipMixer shutdown. Bridge flows filled much of that gap, reaching USD 100 million in 2025 — overtaking mixer volumes for the first time. Unlike purpose-built mixers, bridges serve broad legitimate use cases, which makes single-node enforcement more complex.

6. Which ransomware groups used AudiA6?

TRM identified 20 distinct groups. The three largest by volume were ALPHV BlackCat (USD 9.1 million), Qilin (USD 7.1 million), and LockBit (USD 4.4 million). Other groups including Akira, Chaos/Blacksuit, and RansomHub also sent funds to AudiA6 consistently over time.
