Article
Darkside Ransomware: Caviar Taste on Your Big-Game Budget
Arete Analysis

Summary
Explore Darkside ransomware, an operation utilizing sophisticated tactics to target high-revenue organizations. Arete’s threat intelligence data reveals high ransom demands, extensive business downtime, and universal data exfiltration.
By all appearances, the proprietors of Darkside ransomware mean business.
With their sights set on organizations with US$4M+ in revenue, they’re about high-value, big-game targets and they’ve got the skills and experience to bring in some big hauls.
The Darkside group demonstrates seasoned experience, polished business acumen, and an ability to quickly respond to both negative and positive stimuli within their sphere of market influence. They exhibit similarities to notable ransomware operations, such as LockBit and REvil, and they take an outwardly aggressive posture toward the security industry, taunting companies like BitDefender and Coveware.
Statistical data on Darkside ransomware from Arete engagements
The information below is based on Darkside events that the Arete IR team has investigated since November 2020. Our incident response and data analytics practices work together to track key data points and collect statistics on variants for every ransomware engagement.
Sectors of clients affected by this threat:
Professional Services | Manufacturing
Average Ransom Demand: US $6,527,402.02
Highest Ransom Demand: US $10,054,804
Lowest Ransom Demand: US$3,000,000
Average business downtime: 5 days
Data exfiltration observed in 100 percent of cases
Key observations
Based on the Arete Cyber Threat Intelligence (CTI) team’s assessments:
Darkside ransomware operators are likely conducting long-tail reconnaissance of the victim environment for up to two (2) weeks prior to deploying their payloads.
The earliest known point of malicious activity for a select event was noted when forensic discovery indicated installation of the MetaSploit framework on the victim’s domain controller fifteen (15) days prior to enterprise-wide, automated deployment of Darkside.
Yes, we expect Darkside to be big-game hunters. Forbes quoted them as saying they will target “only those who can afford to pay.” Their recruitment advertisements echo this assertion.
Darkside proprietors and operators come from an established pedigree.
They are transparent in their description of operational mistakes and they renumerate operators for lost revenue.
They taunt BitDefender and Coveware directly with aggressive and forthright assertions of their intent.
As recently as December 27, 2020, a Russian-speaking cybercriminal actor using the handle ‘darksupp’ invited media outlets and data recovery organizations to follow a new “Press Center” section at the Darkside “name-and-shame” leak site. Darksupp allegedly stated that this press center would enable media and recovery firms to ask questions about recent attacks while also giving recovery organizations access to a dedicated chat room, where they could enroll in a “loyalty program” for discounts on data decryption.
The group has underwritten their aspirations with a substantial surety bond (approx. US$350k) and assert that they are willing to increase their guarantee to inspire further confidence in the right partners.
Their first and now exclusive appearance on XSS (reboot of DamageLab) along with exploitation of their endorsements/acceptance from known Russian-speaking actors underpins the Arete CTI team’s current assessment of their maturity and client knowledge.
On November 10, 2020, a Russian-speaking cybercriminal actor using the handle ‘darksupp’ announced the launch of an official recruitment effort for affiliates to participate in the Darkside Ransomware-as-a-Service (RaaS) affiliate program.
Darksupp received a forum-public favorable review on XSS from actor Quake3 (aka LockBit), proprietor of the LockBit RaaS platform.
The proprietor(s) behind the ‘darksupp’ persona tout seasoned experience with and feature influence from notable ransomware operations, such as LockBit and REvil.
Darkside operator affiliates are likely using Whitebit (e.g., Whitebit[.]com) to cash out, given observed wallet transactions and ledger analysis by Arete.
Detailed information
On August 8, 2020, operators of the Darkside ransomware announced their malware in a press release on the dark web. They stated that they had created their ransomware because they could not find the perfect product for their needs and had made millions of dollars by partnering with other well-known ransomware groups. In the same release, they also said they would not be targeting the healthcare, education, non-profit, and government sectors.
On November 11, 2020, Darkside announced their RaaS model, inviting partners and affiliates to work with them. They also announced the development of a distributable data storage system, calling out the use of servers in Iran and unrecognized republics to prevent victim organizations from taking down their operations.

Figure 1. Darkside announces their service.

Figure 2. Darkside announcement of their RaaS product, distributed storage system, and invitation to partners and affiliates to work with them.
After this announcement, multiple news outlets began reporting that the group was using servers in sanctions countries like Iran. In response, the Darkside group updated their storage announcement on November 15, 2020, stating:
The storage system is still in the planning stages and has not yet launched.
They are not citizens of Iran, and leaked company data is not and will not be hosted in Iran.
They are still considering where to host the leaked data, but it would not be in a region on the sanctions list.

Figure 3. Darkside makes an updated announcement, that they will think where to host leaked data on servers that are not in sanctions countries.
The above business model makes total sense from the threat actors’ perspective. If the data were stored on servers in regions on the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) sanctions list, the actors would be unable to obtain ransom payments from victims.
The Arete CTI team and other researchers in the community found that the group has been advertising their services on well-known Russian hacker forums, with posts written in Russian.

Figure 4. Darkside group advertising on a well-known hacking forum (Source: SentinelOne)

Figure 5. A Google translation of Darkside advertisement on a well-known Russian hacking forum (Source: SentinelOne)
Based on language analysis, a native Russian-language speaker wrote the posts. What’s more, the group’s ransomware is designed to avoid infecting systems in Commonwealth of Independent States (CIS) countries, including Russia. In the past, other Eastern European threat actor groups have done the same to try to avoid getting in trouble with local law enforcement agencies. The Arete CTI team also conducted blockchain analysis of previous ransom payments and did not find any ties between sanctioned entities/money service businesses (MSBs) and Darkside money-laundering operations.
As leaders in the community and especially in the current COVID-19 climate, we need to join forces to properly inform the public without causing worldwide panic and help ensure our clients’ quick recovery from attacks and return to normal business operations. If a company were to make a rash decision about ransom payments based on negligent reporting, it could prevent file restoration and ultimately, shutter a business and cost employees their livelihood.
Darkside high-level technical overview
While tactics, techniques, and procedures (TTPs) may vary amongst operators, it’s important to note that Darkside caters to semi-exclusive affiliates, likely of Russian or Eastern European origin. They likely pool their technical experience — both successes and failures — from this exclusive cultural enclave to orchestrate their intrusions and execute on their objective as outlined below:
Darkside ransomware is primarily geared toward Windows systems, however, the proprietor ‘darksupp’ claims the ability to develop payloads that also target Linux OS variants.
We have observed the builder module screens for the control panel, and we are aware of the existence of Linux ELF-executable payloads. We assess this to be true, with high confidence.
Given observed use of MetaSploit and potentially other Offensive Security Tool (OST) frameworks — always contingent on operator/affiliate preference — it’s likely that Darkside ransomware operators leverage these same tools to enumerate vulnerabilities of victim networks, where externally facing systems of interest are exposed, to establish initial access.
We observed actors pivoting from having Administrator RDP sessions on the Domain Controller, to accessing another privileged account to access a file server. Thus, it’s highly likely that their two weeks in the environment afforded them precision-targeting abilities. They took their time hunting.
On November 25, 2020, ‘darksupp’ claimed to have launched a content delivery network (CDN) for storing and delivering compromised data exfiltrated from victims of Darkside ransomware. The actor also claimed to be developing a second version of the ransomware and intends to provide support for distribution using dynamic-link library (.dll) and PowerShell scripts (.ps1) for deployment.
We have observed Darkside operators manually enumerating and exfiltrating data using a combination of RDP access and their own copy of QTBrowser, 7zip. This culminates in a direct upload of files to both PrivatLab and MegaUpload cloud hosting, under cover of Web/HTTPS sessions, which are difficult to sift in many cases for less mature organizations. \
This manual methodical exfiltration occurred over the span of several hours.
7zip archives were named after data/folder names enumerated and temporarily stored in root temp directory (e.g., C:Temp, C:Temp1, C:Temphr{archive}.7z).
We observed Darkside payload (e.g., azure_agent.exe.exe) staged on the domain controller in a network-shareable folder (e.g., C:WindowsIMEazure), followed by the establishment of a scheduled task (e.g., WindowsSYSVOLdomainPolicies{L0NGMGU1D}UserPreferencesScheduledTasks) set with Group Policy and instructing hosts to obtain and execute the payload. This resulted in a fully automated enterprise-wide deployment less than 24 hours after data was exfiltrated.
Security Recommendations
Implement a sophisticated endpoint detection and response (EDR) solution that will rely on behavior analysis — not just malware signatures — and have tamper-proof capabilities.
Implement multifactor authentication (MFA).
Implement an email security solution to detect and protect against known and unknown threats.
Hunt for unusual remote desktop protocol (RDP) connections.
Use Group Policy Software Restriction Policies (SRP) to prevent users from executing Windows executable filetypes (e.g., .exe, .dll, .hta, .bat, .scr) from the AppDataLocalTemp path of Office365, Microsoft Word, Excel, and Outlook. Alternatively, also inspect C:Users[current user]AppDataRoamingMicrosoft as it’s another popular method that achieves the same results.
Implement and regularly test an off-site backup solution.
Appendix
Indicator | Role |
|---|---|
C:\Windows\IME\azure | File path of DC where Darkside payload was staged. |
F:\temp | File path of staged 7zip archives (.7z) prior to exfiltration |
F:\temp1 | File path of staged 7zip archives (.7z) prior to exfiltration |
F:\temphr | File path of staged 7zip archives (.7z) prior to exfiltration |
Windows\SYSVOL\domain\Policies\{LONGMGU1D}\User\Preferences\ScheduledTasks | Path of Scheduled Task on Domain Controller for deployment of Darkside payload via Group Policy. |
Indicator | Role |
|---|---|
azure_agent.exe.exe | Darkside Payload |
README.3a43168b.TXT | Darkside Ransomware Note – README.{random_string}.TXT |
enc.exe | Darkside Payload |
idfoodsf.exe | Darkside Payload |
Indicator | Role |
|---|---|
6d134cdf470f03707ad481b617e67b9018f92f72a0e2fb3e6cc9f2ab17ac1439 | Darkside Payload |
06cfe7f5d88e2f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8 | Darkside Payload |
243dff0fc80a049f4fb3729f8b8def0fce29768f345c88ee1069e22b0ae60 | Darkside Payload |
0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d | Darkside Payload |
Indicator | Role |
|---|---|
www[.]privatelab[.]com | Manual Data Exfiltration – Cloud Upload |
www[.]mega[.]nz | Manual Data Exfiltration – Cloud Upload |
Bitcoin Wallet Address
bc1qkk8z69uxkrxdeuwlkvlk89p7qnr6cefa4aeq7p
Leak Site
hxxps://Darksidedxcftmqa[.]onion
Complete advertisement from the Darkside group on a popular Russian hacking forum (Full translation from Russian to English)
————- [Welcome to Darkside] ————–> Кто мы? ——————————
Мы продукт нацеленный только на крупные корпорации. Можно детальнее прочесть тут: https://www.forbes.com/sites/daveywinder/2020/08/23/beware-of-the-dark-side-a-sinister-new-1-million-cybersecurity-threat-Darkside-ransomware/ https://bbc.com/news/technology-54591761https://www.wired.com/story/ransomware-gone-corporate-Darkside-where-will-it-end/ https://www.bleepingcomputer.com/news/security/Darkside-ransomware-hits-north-american-real-estate-developer/
Кого мы ищем?
——————————
Ограниченное количество стабильных и адекватных партнеров, кто понимает зачем нужно выгружать данные, что такое бэкапы и как их удалять, русскоговорящих, со средними выплатами от 400к. Кого мы НЕ ищем?
——————————
Англоговорящих личностей.
Сомнительных личностей, сотрудников секретной службы и аналитиков ИБ компаний.
Тех, кто ставит дедики и занимается деятельностью отличимой от поставки сетей.
Любые темы и предложения отличимые от этого поста.
Желающих обучиться пентестингу и зарабатывать миллионы.
Любителей ставить 100кк выкупа за 3.5 сервера.
О софте?
——————————
Мы готовы предоставить партнерам:
Windows [full ASM, salsa20 + rsa 1024, i/o, собственная реализация salsa и rsa, fast / auto (улучшенный space) / full, имперсонализация токена для работы с шарами, раб столом, освобождение занятых файлов, изменение прав на файлы, arp scanner, завершения процессов, сервисов, drag-and-drop и много другого].
Linux [C++, chacha20 + rsa 4096, многопоточен (в том числе Hyper-threading, аналог i/o на windows), поддержка урезанных сборок ос (esxi 5.0+), fast / space, настройка каталогов и много другого].
Админ панель [full ajax, автоматический прием Bitcoin, Monero, генерация win / lin билдов с указанием всех параметров (процессы, сервисы, папки, расширения…), отстук ботов и детальная статистика по результативности компании, автоматическое распределение и вывод средств, саб–аккаунты, онлайн чат и множество другого].
Leak site [скрытые посты, поэтапная публикация данных таргета и еще множество функционала].
Все решения уже проверены и доделаны, мы сами работаем своим софтом и не писали его на продажу / аренду, в отличие от многих продуктов.То чего нам не хватало в работе с другими партнерскими программами — мы реализовали у себя.
Правила?
——————————
Следующие сферы запрещены:
– Медицина (Больницы, госпитали).
– Образование (Университеты, школы).
– Государственный сектор (муниципалитеты, любые гос органы).
– Некоммерческие организации (благотворительные фонды, ассоциации).Запрещены любые действия, которые наносят репутационный урон имиджу продукта.
Запрещена любая работа по СНГ (в том числе Грузии, Украине).
Запрещена передача аккаунта третьим лицами.
Какой процент?
——————————
От 25% до 10%. В софте динамическая система рейта. Чем больше выплата, тем меньше % партнерки и наоборот.Так же возможен стабильный рейт, это обсуждается. Как попасть?
——————————
Пройти собеседование, показать свою работу и выплаты, ответить на необходимые вопросы.Но для начала написать в ЛС. При этом указать:
Свой опыт работы.
С какими партнерскими программами работали.
Диапазон сумм выкупа. Минимум, максимум, средняя.
Работаете сами или в команде.
TOX или jabber.
Если вам не ответили, то вы не подошли, спамить в теме не нужно.
Рассматриваем ли мы доступы в сети?
——————————
Да, USA от 400kk, с предложениями можно отписать в ЛС, написав сайт, сферу деятельности компании и контакт. Если компания интересна – с вами свяжутся. Какие гарантии?
——————————
Депозит в 20 BTC (~305k на момент написания) на xss.is. Если у вас будут супер предложения, мы с удовольствием его поднимем, вплоть до 1кк и более.
Translation to English:
Who are we looking for?
——————————
A limited number of stable and adequate partners who understand the importance of exfiltrating data, awareness of backups and how to delete them, Russian-speaking, with average payouts of 400k.
Who are we NOT looking for?
——————————
English-speaking personalities.
Suspicious individuals, employees of the secret service and analysts of information security companies.
Those who only setup RDP access or do other things other than deploy on networks.
Any topics and suggestions different from this post.
Those who want to learn pen-testing and earn millions.
Those who think they can demand US$100M in ransom for 3.5 servers. About software?
——————————
We are ready to provide partners with:
Windows payloads [full ASM (assembly language), I/O, custom implementation of the Salsa20 and RSA-1024 ciphers, fast / automated / full encryption, token impersonation for accessing shared network drives, process termination to encrypt open files, file permission modification, ARP scanning tool, the drag-and-drop UI/UX features, and much more)
Linux payloads [C++, ChaCha20 + RSA-4096, multithreading (including hyper-threading, an analogue of the Windows I/O system), support of stripped-down OS versions (ESXI 5.0 and up), fast [encryption] / space [overwrite], catalog adjustment, and many other things].
Admin panel [ajax, automatic transaction processing for Bitcoin, Monero, generation of Windows/Linux builds with selectable parameters (processes, services, folders, and extensions), bots will report detailed statistics on the company’s performance, ability to create sub-accounts, online chat and much more].
Leak site [ability to hide posts, allows for detailed disclosures of compromised data, and much more]. All solutions have been tested and we work with our own software and did we did not produce it simply for sale/rent, unlike many products. In our program, we’ve implemented everything we wanted, but did not find in other affiliate programs.
Rules?
——————————
The following areas are prohibited:
Healthcare (clinics and hospitals).
Education (universities and schools).
The public sector (municipal services and public agencies).
Non-profit organizations (charitable foundations and associations).
Any actions that can damage the product reputation are prohibited.
Do not target systems in the CIS (this includes Georgia and Ukraine).
Sharing accounts is not allowed.
What’s the percentage/share of profits?
——————————
From 25% to 10%. The software has a dynamic rate system. The higher the payout, the lower the% of the affiliate program and vice versa.
A stable rate is also possible, this is being discussed.
How to get?
——————————
Pass an interview, show your work and payments, answer the necessary questions. First, send us a message. Indicate:
Your previous experience.
What other programs you’ve worked.
Your range of previous closed payments; minimum, maximum, average.
Your preferences on working alone or with a team.
Provide your TOX or Jabber contact.
If we don’t answer you, then you weren’t the right fit, don’t spam us about it in the topic thread. Will we consider network accesses?
——————————
Sure, provided it’s a U.S. company with US$400M+ in revenue.
Solicit your offer for consideration; provide company website, line of business, and your contact details. If we’re interested, we’ll contact you.
What guarantees?
——————————
We made a deposit of 20 BTC (~ 305,000 USD) with forum escrow at XSS. If you make an awesome partnership proposal, we may raise that deposit to 1M+ to instill further confidence.
——————————
Note: Edited for clarity and readability
Back to Blog Posts
Article
FortiBleed Campaign Linked to INC and Lynx Ransomware Operations
Researchers have linked the FortiBleed credential-harvesting campaign to the INC and Lynx ransomware-as-a-service (RaaS) operations, establishing a direct connection between large-scale FortiGate credential theft and subsequent ransomware deployment. The attribution is based on a variety of factors, including an operator observed managing negotiation panels for both ransomware groups, notable overlap between FortiBleed victim data and subsequent ransomware targets, and internal infrastructure exposing attack workflows. The campaign is estimated to have targeted more than 430,000 internet-facing FortiGate devices, resulting in administrative access to hundreds of organizations.
What’s Notable and Unique
Researchers identified a shared operator actively managing negotiation panels for both the INC and Lynx ransomware groups, providing rare operational evidence linking the two RaaS operations beyond infrastructure or malware similarities.
Analysis of the exposed infrastructure revealed a structured ransomware operation with dedicated roles for access acquisition, victim management, negotiations, and technical support, reflecting an organized ransomware-as-a-service (RaaS) model rather than an ad hoc criminal group.
The operation reportedly integrates artificial intelligence into multiple stages of the attack lifecycle, including vulnerability research, penetration testing, attack automation, and ransomware development, demonstrating the increasing adoption of AI to enhance offensive capabilities.
Mitigations
Organizations should assume that exposed or previously compromised FortiGate credentials may be leveraged for ransomware deployment and immediately reset administrative and VPN credentials while enforcing multi-factor authentication (MFA) for all privileged access. Security teams should ensure that FortiGate appliances are fully patched, restrict management interfaces to trusted networks, and audit administrative accounts and firewall configurations for unauthorized changes. Organizations should also monitor for anomalous authentication activity, hunt for published indicators of compromise (IOCs), and review VPN and firewall logs for signs of unauthorized access. Maintaining centralized logging and a well-practiced incident response process can help detect and contain attacks before they progress to lateral movement or ransomware deployment.
Analyst Comments
The attribution of FortiBleed to the INC and Lynx ransomware operations reinforces the growing convergence between credential-harvesting campaigns and ransomware deployment, highlighting the role of initial access operations in modern RaaS ecosystems. The relationship between INC and Lynx also aligns with Arete's previous research, which identified a shared malware lineage. INC Ransom, first observed in 2023, was later leaked or sold, enabling code reuse by other threat actors. Lynx, which emerged in 2024, is widely regarded as an evolution of the INC codebase. Sinobi ransomware, identified in 2025, shares near-identical binaries and infrastructure, and approximately 99% code similarity with Lynx. Further details on the code correlation between INC, Lynx, and Sinobi are available in Arete's 2025 Annual Report.
Sources
Is FortiBleed Linked to INC and Lynx Ransomware?
FortiBleed credential-theft campaign linked to Lynx ransomware
FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups
FortiBleed Credential Theft Campaign Attributed to INC and Lynx Ransomware Groups
Article
Ransomware Trends & Data Insights: June 2026
Although Akira was once again the most active ransomware threat in June, activity remained relatively distributed among multiple threat groups, with 17 unique threat groups observed throughout the month. Along with Akira, Qilin and INC Ransom remained active and were among the top five most active threat groups observed in June. Several new threat actors also emerged during the month, including KryBit, Settra, and Icarus.

Figure 1. Activity from the top 5 threat groups in June 2026
Throughout the month, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:
In June, a threat actor calling themselves Icarus compromised and exfiltrated data from customers of the market intelligence platform Klue. Klue later confirmed the security incident, which involved attackers stealing OAuth tokens used to connect to customers' Salesforce environments, and reported that the threat actor was deleting the data stolen from affected Klue customers. In an odd twist, reports emerged of a second threat actor claiming to have compromised Icarus's infrastructure and attempting to re-extort Klue's customers. Regardless, the Klue breach highlights the growing threat of software-as-a-service (SaaS) supply chain compromises, particularly those exploiting OAuth tokens and trusted integrations to bypass traditional security controls.
In mid-June, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways, relying heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation. The scale of exposure and attack activity has been significant and globally distributed, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 countries. There is no singular ‘fix’ to mitigate the database exposure, and it is important that organizations work with their security teams, incident response providers, and other stakeholders to review environments holistically and monitor for signs of potentially unauthorized activity.
Multiple threat groups continue to leverage vulnerable drivers to bypass endpoint detection and response (EDR) solutions in a technique known as Bring Your Own Vulnerable Driver (BYOVD). Arete has observed Akira and DragonForce using the technique in multiple engagements, and The Gentlemen ransomware-as-a-service (RaaS) has also been observed using what researchers are calling "GentleKiller", a framework consisting of multiple variants that leverage vulnerable drivers and EDR-disabling utilities to target a wide range of endpoint security products.
Sources
Arete Internal
Article
Update on FortiBleed Credential Exposure
Last week, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways. The campaign relies heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation.
Attackers first scan for exposed FortiGate devices and rank targets based on revenue. SSH brute-force attacks are used against admin accounts to gain initial access.
Following initial access, operators deploy stealthy packet-sniffing capabilities and establish external listening posts to receive harvested credentials and session data in near real time.
Observed post-exploitation activity strongly indicates pre-positioning for broader enterprise compromise, including lateral movement and potential ransomware deployment.
The scale of exposure and attack activity has been significant and globally distributed. The campaign has been ongoing since at least February 2026, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 nations.
How Arete Can Help
Arete continues to monitor this campaign, utilizing our extensive experience in detection, threat hunting, and attack surface review to look for indications of unauthorized activity related to this database exposure. Additional information regarding important considerations, containment and credential compromise mitigation actions, and additional hardening recommendations can be found in Arete’s FortiBleed Advisory.
Sources
FortiBleed: SOCRadar’s Investigation into 86,644 Compromised Fortinet Firewalls
FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist
FortiBleed: The Most Detailed Breakdown Yet of an Active Russian Credential-Harvesting Operation
Hackers Using FortigateSniffer Tool That Turns Compromised Firewalls Into Password Collectors
Article
Europol Disrupts AudiA6 Crypto Laundering Service
European authorities have dismantled AudiA6, a major cryptocurrency laundering service linked to ransomware groups and broader cybercriminal networks. Between 2022 and 2025, the platform is believed to have processed over €336 million in illicit funds, enabling threat actors to obscure financial trails and monetize cybercrime proceeds. Its operators are also suspected of running Dark2Web, a dark web forum that facilitated collaboration, services, and connections among cybercriminals globally. This development underscores the expanding role of sophisticated, large-scale cryptocurrency laundering services in sustaining the cybercrime economy, enabling threat actors to obscure illicit funds and evade regulatory controls.
What’s Notable and Unique
Following law enforcement disruption of Cryptex and Garantex, AudiA6 emerged as another platform involved in financial activities linked to ransomware groups. Investigators believe that AudiA6 became a central hub for cybercriminals seeking to launder stolen digital assets while obscuring the transaction trail from authorities.
On June 10, 2026, a coordinated operation resulted in two arrests in Georgia, the dismantling of key infrastructure (30+ servers, 25 domains), the freezing or seizure of over €778,000 in crypto, and the takedown of the AudiA6 and Dark2Web platforms.
Analyst Comments
Ransomware groups and cybercriminal networks are increasingly leveraging sophisticated techniques, including chain-hopping, decentralized exchanges, and mixer-as-a-service platforms, to rapidly move illicit cryptocurrency across multiple blockchains, effectively obscuring transaction trails. Concurrently, the widespread use of fraudulent exchange accounts, mule wallets, and privacy-enhancing tools has elevated cryptocurrency laundering to a core enabler of the cybercrime ecosystem, allowing actors to bypass anti-money-laundering controls at scale. This investigation identified over 6,000 KYC records linked to money-mule accounts, many of which were tied to Russian-speaking intermediaries specifically recruited to facilitate the movement of illicit proceeds. These threat actors systematically used both commercial and domain-controlled email services to establish mule accounts across multiple cryptocurrency platforms. Collectively, these findings underscore the growing scale, coordination, and professionalization of cryptocurrency-enabled crime, highlighting the critical need for sustained, intelligence-led, and internationally coordinated efforts to disrupt these evolving financial ecosystems.
Sources
Ransomware gangs cut off from EUR 336 million ‘AudiA6’ crypto laundering pipeline



