A cryptocurrency laundering service allegedly used by ransomware groups has been taken down after a coordinated international investigation. The operation targeted a criminal network behind a site known as “AudiA6,” which investigators say helped cybercriminals disguise stolen digital assets and move illicit funds out of sight.
The service worked as a cash-out channel for stolen cryptocurrency. Customers would send digital assets to wallets controlled by the group and receive “cleaned” funds back in about an hour, after the money passed through a chain of transactions designed to obscure its origin.
How the laundering service worked
Investigators said the operators charged commissions between 3% and 10% for the service. They also alleged that the same criminal group ran a separate cybercrime forum called “Dark2Web,” described as a marketplace for advertising illicit services and linking offenders across borders.
The investigation also found that the laundering network relied on thousands of fake accounts opened with stolen or purchased identities. More than 6,000 Know Your Customer records linked to money mule accounts were identified, and many of those accounts were tied to Russian-speaking intermediaries recruited to move funds through cryptocurrency exchanges.
The group reportedly used both commercial email providers and email addresses linked to domains under its control to register the mule accounts. Authorities are now making those domains public so exchanges can identify and block accounts associated with the laundering operation.
| Domain | Domain |
|---|---|
| designli.pictures | technobrains.dev |
| pheontx.eu | lett.email |
| smplfy.in | trayo.app |
| sumato-soft.org | deliverly.top |
| quix.express | inboxally.agency |
| mailora.eu | postino.click |
| postify.email | flowcomm.click |
| qube.black | deliverlett.com |
| lettermail.eu |
Arrests, seizures and frozen crypto
Actions on 10 June in Georgia led to two alleged administrators being arrested and three properties searched. Authorities also took down 25 domains, seized more than 30 servers, and confiscated over 80 vehicles and multiple properties in Georgia.
In addition, EUR 692,000 in cryptocurrency was frozen and more than EUR 86,000 in cryptocurrency was seized. Eurojust said the coordinated work helped prepare judicial measures across several jurisdictions and supported the final action against the network.
Cross-border coordination behind the case
Eurojust supported investigative authorities, the United States Secret Service and IRS Criminal Investigation through its US Liaison Desk, while the Polish National Desk worked with the Polish Central Cybercrime Bureau and the Regional Prosecutor’s Office in Łódź. The Georgian Liaison Desk also worked with the Investigation Department of the Office of the Prosecutor General of Georgia ahead of the action day.
Several coordination meetings were held at Eurojust to prepare judicial measures in France, Poland, Georgia and Iceland. The work also supported Mutual Legal Assistance requests in several jurisdictions, according to www.eurojust.europa.eu.
Europol’s European Cybercrime Centre analysed the criminal money trail, traced illicit crypto flows and helped map the laundering infrastructure used to move profits across borders. Europol’s cybercrime and cryptocurrency experts also supported intelligence development before the final phase of the investigation.
Authorities involved
Authorities from the United States, France, Poland, Georgia and Iceland took part in the coordination. The group included the U.S. Attorney’s Office for the Eastern District of Pennsylvania, the United States Secret Service, IRS Criminal Investigation, the FDIC Office of Inspector General, Homeland Security Investigations, the Paris Cybercrime Unit, the Gendarmerie National Cybercrime Unit, the Regional Prosecutor’s Office in Łódź, the Georgian Office of the Prosecutor General, the Director of Public Prosecutions and the Reykjavík Metropolitan Police.
The case highlights how laundering services can be run alongside wider cybercrime ecosystems, with fake identities, mule accounts, and cross-border infrastructure all used to hide the flow of stolen cryptocurrency.