
11-country operation shuts AudiA6 mixer and Dark2Web forum in laundering probe
Eurojust alleges 336 million euros in illicit flows and says investigators found 6,000+ mule-linked KYC records.
A coordinated operation spanning 11 countries dismantled the AudiA6 “mixer-as-a-service” and the associated Dark2Web marketplace forum, targeting infrastructure used to launder ransomware-linked proceeds. Authorities allege AudiA6 processed more than 336 million euros in illicit funds from 2022 to 2025 and seized domains, servers, vehicles, and roughly $900,000 in cryptocurrency.
Key Takeaways
- An 11-country joint operation coordinated through Eurojust and Europol shut down AudiA6 and the related Dark2Web marketplace forum.
- Investigators allege AudiA6 processed over 336 million euros (about $390 million) in illicit funds between 2022 and 2025.
- Two alleged administrators were arrested in Georgia, alongside seizures of 25 domains, 30+ servers, and 80 vehicles, plus a roughly $900,000 crypto freeze.
- More than 6,000 KYC records tied to “money mule accounts” were identified, linked to stolen or purchased identities.
11 Countries Move on AudiA6 and Dark2Web
An international law-enforcement operation involving the United States, Australia, France, Poland, Georgia, Iceland, Canada, Germany, Japan, Switzerland, and the United Kingdom shut down AudiA6 and a connected forum called Dark2Web. The coordination ran through Eurojust and Europol, pointing to a cross-border case built around infrastructure, not a single jurisdiction’s exchange or payment rail.
Authorities arrested two alleged administrators in Georgia described as a Russian national and a Ukrainian national. Investigators also seized 25 domains and more than 30 servers, took 80 vehicles, and froze roughly $900,000 in cryptocurrency. Both the clearnet and dark web versions of AudiA6 and Dark2Web were replaced with seizure banners.
The scope matters for market structure because it targets shared plumbing. Taking down a “mixer-as-a-service” and the forum used to advertise illicit services is an attempt to degrade the cash-out stack that multiple criminal groups can reuse, rather than chasing one ransomware crew at a time.
What AudiA6 Sold: One-Hour ‘Cleaning’ for a 3%–10% Cut
Eurojust described AudiA6 as a “mixer-as-a-service” that offered to “clean” crypto within about an hour for a 3% to 10% commission. In practice, that product is about speed and reliability. Ransomware operators and brokers need turnover that is fast enough to reduce seizure risk and flexible enough to route into the next hop, whether that is another service, an OTC intermediary, or exchange-linked accounts.
Eurojust also tied the same syndicate to Dark2Web, a marketplace forum used to advertise illicit services and connect cybercriminals worldwide. Pairing a laundering service with a distribution forum is a force multiplier. It shortens the path from “need a cash-out” to “here’s the vendor,” which is exactly what enforcement is trying to break.
The Scale on Chain: 10,333 BTC Routed Through AudiA6 Wallets
Authorities allege AudiA6 processed over 336 million euros (about $390 million) in illicit funds between 2022 and 2025. Separately, Chainalysis estimated AudiA6 wallets received approximately 10,333 BTC since 2021, valued around $389 million at the time of the transactions.
That throughput frames AudiA6 as a meaningful laundering venue, even if the immediate crypto freeze disclosed so far, roughly $900,000, is small relative to the alleged total volume. For traders and compliance teams, the mismatch is familiar. Infrastructure takedowns often start with access disruption and evidence capture, while larger asset recovery can lag or never fully materialize.
Eurojust said the laundering relied on thousands of fraudulent accounts using stolen or purchased identities, with more than 6,000 KYC records linked to “money mule accounts.” Many were connected to Russian-speaking intermediaries recruited to move proceeds through crypto exchanges. That detail is the bridge between on-chain obfuscation and off-chain liquidity, and it is where exchange risk tends to surface.
Signals Traders Should Track After a Mixer Takedown
The first signal is whether there are follow-on enforcement notices or sanctions designations tied to AudiA6 and Dark2Web infrastructure, including additional wallet clusters, domains, or service rebrands. The initial seizures suggest investigators had enough access to map dependencies, which can expand the blast radius beyond the two seized brands.
Second, watch for exchange compliance advisories that reference mule-KYC patterns or specific indicators linked to the 6,000-plus identified records. If major venues operationalize those indicators, the friction shows up as slower throughput for suspect flows and higher false-positive pressure for borderline counterparties.
Third, on-chain monitoring should focus on whether deposits spike into other mixing services or newly created clusters that mimic AudiA6’s “fast clean” promise. Disruption tends to reroute volume before it reduces it.
Finally, updates from Eurojust and Europol on charges, named suspects, or expanded asset-freeze totals will clarify whether this is a one-off disruption or the start of a broader campaign against laundering rails.
What This Enforcement Pattern Means for Liquidity Routes and Compliance Risk
I treat this as an infrastructure strike, not a headline-grabbing win against one ransomware brand. The combination of a mixer shutdown, a forum takedown, and 6,000-plus mule-linked KYC records points to enforcement leaning into shared cash-out rails that multiple groups rely on.
The threshold that matters is whether the takedown produces durable second-order effects: exchange rule-tightening around mule patterns and visible on-chain rerouting into a small set of replacement services. If access disruption and compliance responses persist, the setup starts to look structural rather than narrative-driven, and that is when liquidity routes and counterparty risk actually reprice.