DMZ//THREAT INTEL
TLP:WHITE
THREAT ACTOR DOSSIER // AUDIA6-CRYPTO-LAUNDERING
FIRST SEEN: Unknown — linked to September 2025 Polish Police arrest triggering investigation

AudiA6 / Dark2Web Criminal Organization

ALSO KNOWN AS: Dark2Web forum operators
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Ukraine / Russia (arrested individuals: Ruslan Igorevich Tkachuk, Ukrainian, and Alexander Vladimirovich Ledenev, Russian)
ATTRIBUTION: ORGANIZED CRIME
STATUS: DORMANT
FIRST OBSERVED: Unknown — linked to September 2025 Polish Police arrest triggering investigation
TECHNICAL: 65/100
RESOURCES: 65/100
PERSISTENCE: 68/100
STEALTH: 60/100
IMPACT: 74/100

AudiA6 was an industrial-scale cryptocurrency laundering operation linked to more than 15 global investigations related to ransomware attacks and large-scale crypto theft. On June 10, 2026, Europol and the U.S. DOJ coordinated the arrest of two administrators — Ruslan Igorevich Tkachuk and Alexander Vladimirovich Ledenev — in Georgia, froze €692,000 in cryptocurrency assets, and seized the AudiA6 and associated Dark2Web cybercrime forum. The operation originated from a September 2025 Polish Police arrest of a Ukrainian national whose seized devices identified additional operators.

Financially motivated industrial-scale cryptocurrency laundering service used by ransomware groups and cybercriminal networks to clean illicit proceeds via chain-hopping, decentralized exchanges, and mixer-as-a-service

Cryptocurrency mixing and chain-hopping (T1600), fraudulent exchange accounts using stolen/purchased identities (T1078), mixer-as-a-service platform operation, dark web marketplace operation (Dark2Web forum), multi-blockchain asset movement to obscure illicit funds

FINANCIAL SECTOR (AS LAUNDERING SERVICE)
RANSOMWARE ECOSYSTEM
CRYPTO THEFT OPERATIONS

AudiA6 mixing service (clear web and dark web — seized June 10, 2026), Dark2Web cybercrime forum (seized June 10, 2026), thousands of fraudulent cryptocurrency exchange accounts using stolen identities; €692,000 frozen, €86,000 seized

FILE DATE: SEP 2025
Polish Police Initial Arrest
Ukrainian national arrested in Poland for money laundering activities connected to AudiA6; seized devices identify additional operators Tkachuk and Ledenev.
FILE DATE: JUN 2026
Europol/DOJ Coordinated Takedown
June 10, 2026: Europol and DOJ coordinate arrest of two AudiA6 ██████████████████████ seize/replace AudiA6 and Dark2Web sites with law enforcement banners, freeze €692,000 in crypto assets; DOJ charges both with conspiracy to launder monetary instruments.