An international law enforcement coalition supported by Eurojust and Europol successfully dismantled a prominent digital asset laundering infrastructure that facilitated the movement of millions of euros in criminal funds. The coordinated operation targeted a service known as AudiA6, which allegedly processed vast volumes of illicit cryptocurrency for global cybercriminals between 2022 and 2025. Authorities executed synchronized enforcement actions across multiple jurisdictions to disrupt the operational capabilities of the network and seize its underlying infrastructure. This sweeping intervention highlights the growing capability of international judicial and police agencies to track complex virtual asset flows and dismantle the specialized financial facilitators that service the underground cybercrime economy.

AudiA6 Operations and the Infrastructure of Digital Asset Laundering

The specialized platform functioned as a primary financial gateway for ransomware syndicates and other malicious actors seeking to obscure the origin of their digital wealth. Operating under the name AudiA6, the network allowed its users to deposit compromised virtual currencies into controlled wallets, initiating a rapid obfuscation process that returned clean funds within roughly one hour. To achieve this, the operators managed a sophisticated transactional architecture designed to break the analytical chain of custody utilized by financial intelligence units. For providing this layer of financial anonymity, the administrators levied heavy transactional fees ranging between three percent and ten percent of the total volume processed.

Beyond operating the transactional masking service, the criminal network maintained a parallel digital infrastructure known as Dark2Web. This secondary platform functioned as a global cybercrime forum and digital marketplace, offering a centralized hub where threat actors could advertise illicit services, trade stolen data, and establish illicit operational partnerships. By combining a high-traffic underground marketplace with an integrated, high-speed laundering utility, the syndicate created an end-to-end service ecosystem for international cybercriminals. This dual-track operational model allowed the group to monetize multiple stages of the cybercrime lifecycle, capturing profits from both the initial illicit commerce and the subsequent cleaning of the proceeds.

The physical footprint of the network was heavily concentrated within Eastern Europe, though its technological infrastructure spanned multiple continents. During a synchronized action day, law enforcement personnel executed targeted searches and arrests to neutralize the core administrative layer of the organization. These enforcement actions resulted in the seizure of a massive technological apparatus, including dozens of servers and the formal takeover of numerous internet domains utilized to host the illicit platforms. Furthermore, authorities targeted the personal wealth accumulated by the operators, freezing significant quantities of virtual currencies and seizing substantial physical assets, including high-value real estate and a large fleet of transport vehicles.

International Judicial Cooperation and Cross-Border Asset Tracing

The successful disruption of the AudiA6 platform required an unprecedented level of judicial and operational coordination across multiple regulatory zones. Eurojust served as the central hub for international judicial cooperation, utilizing its specialized liaison desks to bridge communication between North American and European prosecution authorities. The United States Secret Service and the Internal Revenue Service Criminal Investigation Division collaborated closely with European counterparts through dedicated agency desks. This institutional framework enabled prosecutors to navigate the distinct legal requirements of different nations, facilitating the rapid issuance of mutual legal assistance requests necessary to secure electronic evidence and freeze cross-border assets.

Operational planning for the final enforcement phase involved close collaboration between Central European prosecutors and authorities in the Caucasus region. The Regional Prosecutor’s Office in Lodz and the Polish Central Cybercrime Bureau directed the core investigative workflow, building upon an initial breakthrough that occurred during the detention of a key co-perpetrator in late 2025. The operational data gathered from that initial arrest allowed investigators to map the broader network structure, eventually leading to the issuance of international arrest warrants. This legal mechanism provided the foundation for the subsequent detention of the primary platform administrators during the final phases of the global operation.

Simultaneously, specialized cybercrime units analyzed the digital financial trails left by the network to expose the flow of illicit capital. Experts from the European Cybercrime Centre utilized advanced blockchain analytics to track the movement of virtual assets through the complex network of intermediary wallets. This technical analysis helped law enforcement map the cross-border digital infrastructure, revealing how illicit funds moved from ransomware victims into the platform and out to global cryptocurrency exchanges. The intelligence development provided by these specialized units proved critical in identifying the physical locations of the servers hosting the platforms, enabling simultaneous takedowns across jurisdictions as diverse as France, Iceland, and Georgia.

Synthetic Identity Creation and Global Exchange Exploitation

The operational core of the laundering service relied heavily on the large-scale exploitation of commercial virtual currency exchanges through identity fraud. To facilitate the movement of hundreds of millions of euros without triggering automated compliance alerts, the syndicate established thousands of fraudulent accounts using compromised or purchased personal data. Investigators uncovered over six thousand distinct know your customer compliance profiles that were linked directly to money mule accounts managed by the network. These mule accounts served as the primary interface between the illicit platform and the legitimate financial system, allowing the group to deposit, trade, and withdraw virtual assets at scale.

To manage this vast network of fraudulent accounts, the organization recruited specialized networks of Russian-speaking intermediaries who acted as money mules and account managers. These individuals were responsible for maintaining the operational status of the accounts and executing transactions according to instructions from the platform administrators. The group utilized a mixture of popular commercial email providers and a sophisticated network of proprietary internet domains to register these mule profiles across various global trading platforms. By routing registrations through domains under their direct control, the administrators could automate account management and rapidly bypass standard verification protocols.

The identification of these registration domains has provided global regulatory bodies and compliance officers with critical data to secure their networks. Legal authorities have made the specific web domains public to assist financial institutions in identifying and terminating legacy accounts associated with the syndicate. These domains included specialized technological labels such as designli. pictures, pheontx.eu, smplfy. in, and sumato-soft.org, alongside communication-focused extensions like technobrains.dev, lett.email, trayo.app, deliverly.top, and inboxly.top. Additional infrastructure was hosted on networks including postfast.eu, postino.click, inboxally. agency, mailora.eu, postify.email, quix.express, flowcomm.click, qube.black, deliverlett.com, and lettermail.eu. By cross-referencing historical transaction data against these specific domain profiles, compliance teams can identify hidden historical exposure to the AudiA6 network.

Compliance Typologies for Anti-Money Laundering Professionals in Virtual Asset Investigations

Anti-money laundering compliance officers and financial intelligence analysts must maintain heightened awareness regarding specific operational patterns deployed by professional digital asset laundering syndicates. The AudiA6 case reveals several key methodologies that illicit facilitators use to exploit virtual asset service providers and traditional financial institutions. Recognizing these indicators during transactional monitoring or customer due diligence reviews is essential for detecting sophisticated cross-border laundering operations.

• Mass Registration of Accounts via Niche Corporate Domains: Illicit networks frequently utilize proprietary, recently registered domains with tech-focused or logistical naming structures to open multiple user profiles across different financial institutions.
• Rapid Velocity Turnover of Deposited Virtual Assets: Accounts controlled by laundering platforms show a pattern of receiving high-value digital asset transfers followed by total disbursement within an hour to unrelated external wallets.
• High Concentration of Russian-Speaking Intermediary Networks: The utilization of geographically concentrated networks of third-party account holders to manage corporate or individual profiles indicates potential money mule coordination.
• Linked Infrastructure Between Marketplaces and Transactional Services: Operational overlaps where digital asset wallets frequently interact with both underground web hosting environments and high-volume trading platforms.
• Repeated Exploitation of Stolen Know Your Customer Profiles: Multiple accounts presenting identical or slightly altered identity documentation across distinct jurisdictions, often sharing similar digital footprint patterns or access locations.

---

Key Points

• Global authorities dismantled the AudiA6 platform, which laundered over three hundred thirty-six million euros in criminal cryptocurrency.
• The syndicate operated Dark2Web, a parallel underground forum used by international cybercriminals to trade illicit services.
• Enforcement actions resulted in the arrest of two administrators, the seizure of thirty servers, and the takedown of twenty-five domains.
• Investigators exposed over six thousand fraudulent compliance profiles used to open money mule accounts at major digital exchanges.
• The operation involved coordinated judicial cooperation across the United States, Poland, France, Iceland, and Georgia.

---

Related Links

• Eurojust Press Releases and Legal Cooperation Updates
• Europol European Cybercrime Centre Operations Archive
• Internal Revenue Service Criminal Investigation Enforcement Actions
• Office of the Prosecutor General of Georgia Bureau Reports
• United States Attorneys Office for the Eastern District of Pennsylvania

Other FinCrime Central Articles About Crypto Laundering Exchanges

• Operation Endgame Shuts Down 1025 Servers in Laundering Crackdown
• Philippines SEC Launches Major Crackdown on Illegal Crypto Platforms
• U.S. DOJ Seizes Several Domains of Russian-Linked Crypto Exchanges in Major Crackdown against Money Laundering

Source: Eurojust

Some of FinCrime Central’s articles may have been enriched or edited with the help of AI tools. It may contain unintentional errors.

Want to promote your brand, or need some help selecting the right solution or the right advisory firm? Email us at info@fincrimecentral.com; we probably have the right contact for you.