Digital Breadcrumbs: How Investigators Connected Servers Across Iceland, Germany, and the U.S. to Cryptocurrency Laundering Suspects
Two individuals have been arrested and charged with operating "AudiA6," an international cryptocurrency mixing service that allegedly laundered over $389 million in criminal proceeds between 2021 and 2026. Through a painstaking digital investigation spanning multiple countries, federal agents traced the operation from its public-facing websites through layers of infrastructure to identify the two men running the scheme from a Georgian coastal city.
The Defendants and Arrests
Ruslan Igorevich Tkachuk, 37, a Ukrainian national, and Alexander Vladimirovich Ledenev, 25, a Russian national, were arrested Wednesday in Batumi, Georgia, where both resided. The U.S. Attorney's Office for the Eastern District of Pennsylvania is seeking their extradition to face conspiracy to launder monetary instruments and sting operation money laundering charges. If convicted, each defendant faces up to 20 years in prison.
How the Scheme Operated
AudiA6 operated two interconnected services: a cryptocurrency mixing platform and management of Dark2Web, a cybercrime forum where criminals could solicit illegal services. The organization charged customers up to 5% commissions to "mix" or obfuscate the origins of their cryptocurrency holdings, making funds appear untraceable to law enforcement.
The Mixing Process
The mixing service accepted deposits from criminals and processed them through multiple transactions designed to hide their illicit origins. The scheme generated at least $10 million in profit for the operators over five years, with higher commission rates applied to smaller transactions.
Evidence from Undercover Operations
Federal agents conducted six undercover transactions with AudiA6 between December 2022 and May 2026, communicating primarily in Russian. In one April 2026 exchange, an undercover agent explicitly asked if the service would accept stolen Bitcoin from scams. The operator responded "don't care" and proceeded to launder approximately $5,000 worth while keeping a $300 fee. In another instance, an agent inquired about laundering cocaine proceeds, and the operator accepted the transaction, laundering $5,100 in Bitcoin while retaining $400 in commission.
The Scale of Criminal Activity
Approximately 10,333 Bitcoin, valued at roughly $389.7 million at the time of transaction, was deposited into AudiA6 wallets since the service launched in 2021.
Sources of Laundered Funds
Blockchain analysis revealed concerning origins for the funds:
- $19.2 million came directly from known sources including dark web markets, ransomware operations, and cybercrime services
- Additional millions were traced indirectly from criminal sources through multiple transactions
The variety of criminal sources reflected the service's willingness to launder proceeds from virtually any illegal activity, from stolen assets to drug trafficking to ransomware extortion.
The Digital Trace: From Websites to Suspects
Federal investigators painstakingly traced the AudiA6 operation by following its digital infrastructure across continents. The investigation revealed how even attempts to obscure criminal activity can leave exploitable traces.
Initial Discovery Through Cloudflare
The investigation began when law enforcement examined the clearweb domains used by AudiA6 and discovered the group relied on Cloudflare, a content delivery network, to protect its sites against distributed denial-of-service attacks. In September 2022, agents obtained records from Cloudflare showing that traffic for the AudiA6 website was being directed to a server owned and operated by 1984 ehf, an Iceland-based corporation.
Breaking the Iceland Connection
In December 2024, following a U.S. mutual legal assistance request, Iceland provided the Secret Service with a complete copy of the 1984 ehf server. The server contained the webserver infrastructure running AudiA6's websites, along with communication applications including Jabber messaging, a temporary email service, and a Customer Relationship Management (CRM) system. The same server also hosted three separate Dark2Web services.
The German Storage Box Breakthrough
The crucial breakthrough came through the server's backup system. The 1984 ehf server used an application called Vesta Control Panel to automatically generate and store backups, which were then sent to a German storage box maintained by Hetzner, a German hosting company, with the address "u328135.your-storagebox.de."
When German authorities, responding to another mutual legal assistance request, provided records for this storage box, the subscriber information revealed it was rented to Alexander Ledenev of Batumi, Republic of Georgia, using the email address [email protected]. This directly linked one of the defendants to the infrastructure.
The Storage Box Contents: A Complete Record
The storage box copy obtained by authorities contained a meticulously organized folder structure that essentially served as a complete operational archive of both AudiA6 and Dark2Web:
| Folder Name | Contents |
|---|---|
| "a6" | AudiA6 website backups, mixing/exchange application code, and operational databases |
| "dw" | Dark2Web forum server backups, including complete database records |
| "dw_services" | Applications used by Dark2Web members to facilitate cybercrime |
| "wallet_garant" | Backups of Dark2Web's escrow/guarantee service |
| "white" | Non-criminal websites, including a Georgian car rental service |
The Second Defendant Identified
The "white" folder proved instrumental in identifying the second defendant. Within backups of a Georgian car rental service website, investigators found email correspondence that included a message from Ruslan Tkachuk in which he provided a scanned Georgian temporary residence card displaying his name and photograph. This directly linked him to the infrastructure.
The Criminal Infrastructure Revealed
A review of the "a6" folder's operational records uncovered the scale and sophistication of the operation. The backups contained:
- A customer relationship management database listing 25 employee accounts identified by nicknames, showing AudiA6 operated with an established staff structure
- 6,000 cryptocurrency exchange account logins and credentials, appearing to be fraudulent accounts created specifically to move illicit funds through legitimate exchanges without detection
- Scans of passports and personal selfie photographs of individuals whose names corresponded to the exchange account database, providing evidence of identity fraud on a massive scale
The Limited Operational Websites
Interestingly, backups of the actual AudiA6 mixing and exchange websites revealed they were poorly maintained and minimally functional, consistent with what federal undercover agents discovered during their investigation. Rather than using the public websites, customers were directed through private encrypted channels including Telegram, Jabber, and Tox messaging applications to conduct actual transactions with the operators, who managed everything through backend systems never exposed to the public.
A Critical Flaw in the Operation
Despite marketing themselves as providing untraceable transactions, AudiA6 failed to achieve their stated security goal. According to federal investigators, the mixed cryptocurrency could be directly traced through exchange records and blockchain analysis. This means the service's primary value proposition (obscuring fund origins) was fundamentally ineffective against sophisticated law enforcement investigation.
More critically, the defendants' reliance on backup systems, cloud storage, and infrastructure spanning multiple countries created the digital trail that ultimately led investigators to their identities and location.
International Coordination and Takedown
The arrests were coordinated with a simultaneous international operation involving 11 countries and multiple federal agencies. The coordinated action included:
- Searches of three properties
- Seizure of servers and domains across the United States, Iceland, Germany, and France
- Blocking of Telegram accounts associated with the network
- Freezing of cryptocurrency assets and seizure of digital devices
- Replacement of AudiA6's and Dark2Web's websites with law enforcement seizure banners
Participating agencies and countries included the U.S. Secret Service, IRS Criminal Investigation, Europol, and law enforcement partners from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Poland, Switzerland, and the United Kingdom. The Justice Department's International Computer Hacking and Intellectual Property program coordinated prosecutorial support across borders.
Legal Status
As of the June 11, 2026 announcement, neither Tkachuk nor Ledenev had attorneys listed in court records. Both men remain in Georgian custody pending extradition proceedings to Pennsylvania.
Comments
0 commentsLeave a Comment