Decoding the world of cybersecurity

Europol disrupts ransomware laundering pipeline

European law enforcement has helped dismantle AudiA6, a crypto laundering service suspected of processing more than €336 million for ransomware and cybercrime groups.

Europol disrupts ransomware laundering pipeline
Summary
  • Europol and Eurojust supported an international operation against AudiA6, a suspected crypto laundering service used by ransomware actors.
  • Authorities say the service laundered more than €336 million between 2022 and 2025 and charged commissions of 3% to 10%.
  • The operation targets the financial infrastructure that allows ransomware groups to turn extortion into spendable assets.

Europol and Eurojust have supported an international operation against AudiA6, a cryptocurrency laundering service suspected of helping ransomware groups and cybercriminals cash out more than €336 million in criminal proceeds.

The operation targeted a service that investigators say operated between 2022 and 2025 as a laundering pipeline for stolen digital assets. Eurojust said AudiA6 was used by cybercriminals involved in ransomware attacks to convert illicit cryptocurrency into apparently cleaned funds while obscuring transaction trails from authorities.

Action on 10 June centred on Georgia. Authorities arrested two alleged administrators, searched three properties, took down 25 domains, seized more than 30 servers, froze €692,000 in cryptocurrency, seized more than €86,000 in cryptocurrency, and took control of vehicles and property assets. Eurojust said the operators allegedly charged commissions of between 3% and 10% for the laundering service.

The case reaches beyond one laundering site. Eurojust said the criminal group behind AudiA6 is also alleged to have administered Dark2Web, a cybercrime forum used to advertise illicit services and connect criminal actors. Europol said its European Cybercrime Centre analysed the money trail, mapped laundering infrastructure, and supported European law enforcement with intelligence before the final phase of the investigation.

The legal outcome remains pending. The arrested suspects are alleged administrators, not convicted operators. The full customer base has not been publicly identified, and authorities have not mapped the complete victim set by sector or country. Even with those limits, the case gives a useful view of where ransomware disruption is moving: away from victim-by-victim response and towards the service economy that lets extortion groups function.

Ransomware depends on more than malware developers and affiliates. It requires access brokers, hosting, negotiation channels, leak sites, cryptocurrency movement, and conversion routes. Laundering services reduce the friction between a successful extortion event and the criminal group’s ability to spend or reinvest proceeds. Removing that layer does not stop ransomware, but it raises cost, increases risk, and may expose historic transaction links.

The European dimension is substantial. Eurojust coordinated judicial cooperation across several jurisdictions, including France, Poland, Georgia, Iceland, and the United States. Europol’s role reflects the cross-border nature of ransomware finance, where a victim may sit in one country, the affiliate in another, the laundering infrastructure elsewhere, and the asset conversion route across multiple exchanges or wallets.

That structure creates a difficult risk environment for organisations. Ransomware is often discussed in operational terms — backup recovery, segmentation, endpoint detection, privileged access, and crisis communications. Those controls remain essential, but the criminal business model is shaped by financial infrastructure. When laundering pipelines are concentrated, law enforcement can create pressure points that individual victims cannot.

The case also has procurement and third-party relevance. Many organisations still assess ransomware exposure mainly through direct technical controls, while the ecosystem attacking them behaves like a distributed services market. The same market can sell access, monetise stolen data, process payments, and recycle tools into new campaigns. Executive risk reporting that treats ransomware as a single malware event understates how repeatable the model has become.

European enforcement against AudiA6 will not remove the incentive for extortion. Other laundering routes will remain, and criminal groups will adapt. The operational value now lies in the intelligence extracted from seized infrastructure, the wallet tracing, and any links to previous incidents. That evidence can support follow-on action against affiliates, infrastructure providers, and money mules.

Ransomware disruption is increasingly financial as well as technical. Defenders still need to keep intruders out and recover services when controls fail, while public authorities are trying to make the business of extortion harder to run.

×