AudiA6 takedown hits ransomware cash channels

A cross-border policing operation has dismantled AudiA6, a cryptocurrency laundering service accused of helping ransomware gangs and other cybercriminals move more than €336 million through hidden digital-asset channels.

Two alleged administrators were arrested in Georgia on 10 June after investigators targeted the platform’s clear web and dark web infrastructure, seized domains, blocked Telegram accounts and replaced AudiA6 and Dark2Web pages with law-enforcement seizure banners. The action struck at a service that investigators say operated as a trusted cash-out pipeline for criminal groups seeking to convert traceable cryptocurrency into funds that appeared clean.

The suspects, Ruslan Igorevich Tkachuk, 37, a Ukrainian national, and Alexander Vladimirovich Ledenev, 25, a Russian national, were living in Batumi, Georgia, when they were detained. Prosecutors in the Eastern District of Pennsylvania have charged them by criminal complaint with conspiracy to launder monetary instruments and sting money laundering. US authorities plan to seek their extradition.

The coordinated operation involved the US Secret Service, IRS Criminal Investigation, Europol, Eurojust and law-enforcement partners across Australia, Canada, France, Georgia, Germany, Iceland, Japan, Poland, Switzerland and the United Kingdom. Investigators searched three properties, took down 25 domains, seized more than 30 servers, froze cryptocurrency worth about €692,000 and seized more than €86,000 in digital assets. More than 80 vehicles and several properties in Georgia were also confiscated.

AudiA6 is alleged to have processed illicit funds between 2022 and 2025, with law-enforcement blockchain analysis tying the service to more than 15 international cybercrime investigations. The platform is said to have catered to ransomware operators, darknet market users and cybercrime services by offering rapid laundering through complex transaction chains. Customers allegedly sent stolen cryptocurrency to wallets controlled by the group and received cleaned funds back, often within about an hour, for commissions ranging from 3 per cent to 10 per cent.

Investigators also found more than 6,000 know-your-customer records linked to money mule accounts used to move funds through cryptocurrency exchanges. Those records suggest the laundering network relied on accounts opened with stolen, purchased or otherwise compromised identities, allowing criminals to exploit regulated exchange infrastructure while distancing themselves from the origin of the assets.

The case has exposed the role of specialist laundering brokers in sustaining ransomware, where the ability to cash out can be as important as the malware used to break into victim systems. Criminal groups increasingly depend on intermediaries able to move funds through mixers, exchanges, mule accounts and cross-border payment routes while frustrating attempts to link blockchain transactions to real-world identities.

Court documents say AudiA6 wallets received about 10,333 bitcoin, valued at roughly $389.7 million at the time of the transactions, since the service was launched in 2021. Of that amount, about 393.39 bitcoin, worth roughly $19.2 million at transaction-time valuations, allegedly came directly from known darknet markets, ransomware organisations, cybercrime services and other illicit sources, with more funds arriving indirectly from criminal activity.

The alleged operators are also accused of administering Dark2Web, a cybercrime forum used to advertise illegal services and connect actors across the underground market. AudiA6 was promoted there as a service capable of disguising the source of cryptocurrency that might otherwise be linked to criminal proceeds. The forum’s takedown widens the operation beyond a single laundering desk, hitting both the financial channel and one of the marketplaces that helped feed it clients.

The action followed an earlier arrest in Poland in September 2025. Investigators used electronic devices seized in that case to identify other people allegedly involved in the laundering network, while judicial coordination enabled measures across several jurisdictions before the June operation in Georgia.

The takedown fits a wider enforcement pattern aimed at the financial infrastructure behind ransomware rather than only the hacking groups themselves. Blockchain intelligence has allowed investigators to trace funds across public ledgers, but criminals continue to adapt by using mule networks, cross-chain transfers, nested services and private communications channels. Ransomware payments remained substantial in 2025 despite greater resistance from victims, while leak-site activity and opportunistic attacks kept pressure on companies, public bodies and critical service providers.

The allegations against Tkachuk and Ledenev have not been tested in court. If convicted in the United States, each defendant faces a maximum possible sentence of 20 years in prison. Georgian custody and extradition proceedings will determine the next stage of the case, while seized servers and financial records are expected to support parallel investigations into ransomware payments and cybercrime laundering routes across multiple jurisdictions.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

