Dark Web News: Takedowns, Seizures and Exit Scams, Dated

Latest 12 June 2026 · Money-laundering takedown

Police dismantle the AudiA6 laundering pipeline and the Dark2Web forum

An international operation coordinated by Europol and Eurojust, led by the US Secret Service and IRS Criminal Investigation, has shut down AudiA6 — a cryptocurrency "mixer-as-a-service" that authorities say laundered more than €336 million (about $390 million) between 2022 and 2025 — along with Dark2Web, the cybercrime forum where it advertised. Two alleged administrators, a 37-year-old Ukrainian and a 25-year-old Russian national, were arrested in Batumi, Georgia on 10 June 2026. Investigators took down 25 domains and more than 30 servers, froze roughly €692,000 in cryptocurrency, and seized over 80 vehicles; both the clearnet and onion versions of AudiA6 and Dark2Web now carry a seizure banner.

The service was a favorite of ransomware crews: it promised to "clean" traceable Bitcoin within about an hour for a 3–10% commission, and blockchain-analysis firm TRM Labs has tied it to more than fifteen investigations, including the laundering of proceeds from the 2022 LastPass breach. Roughly 10,333 BTC moved through its wallets, a portion of it arriving directly from known darknet markets.

What it means. The headline figure is not the lesson; the mechanism is. AudiA6 existed because Bitcoin's ledger is public and permanent, and the same permanence that created demand for a launderer is what let analysts map the flows and follow them to an arrest. It is the reason the surviving markets pushed users toward Monero, and the same lesson the closed-market archive keeps teaching: the chain remembers, and a laundering middleman is one more party who can be seized.

The dark web dispatch log: 2025–2026

This is the running record of the events that reshaped the dark web over the last eighteen months, newest first. It is deliberately limited to dated, sourced developments — market seizures, exit scams, forum and laundering-network takedowns, carding busts, enforcement operations, and the crypto-privacy infrastructure the whole ecosystem runs on — because that is what separates news from the rumor that fills the gap around it. For the full all-time record, the closed-market case studies go back to Silk Road in 2013.

• 5 June 2026 Privacy coin · Protocol bug

  An AI-found flaw lets Zcash's shielded pool be counterfeited

  On 5 June 2026, Zcash founder Zooko Wilcox and Shielded Labs disclosed a critical vulnerability in Zcash's Orchard shielded pool that allowed an attacker to forge and inflate ZEC — to mint counterfeit coins that the network would accept as genuine. The bug was found by security researcher Taylor Hornby, commissioned by Shielded Labs to audit the protocol, who used Anthropic's then-unreleased Claude Opus 4.8 model to generate unlimited, undetectable fake ZEC in a local test. The root cause was an overly permissive rule in the Orchard circuit — the cryptographic "rulebook" that defines a valid transaction — not a break in the underlying cryptography. It was quietly patched on 1–2 June before the public disclosure; the co-founder reported no evidence the flaw was ever exploited and the supply intact, and the team moved to freeze the Orchard pool while a fix is finalized.

  The fallout was immediate: ZEC fell 26–36% within a day, and trader Arthur Hayes confirmed he had fully liquidated a position he had once called a top holding. The episode is a clean illustration of a thesis that runs through this site and our guide to buying Monero: a shielded pool hides amounts by design, so you cannot eyeball an over-issuance the way you can on a transparent chain — only the math stands between the ledger and counterfeit coins, and here the math had a hole that survived multiple expert audits. It is also a reminder that "privacy coin" is not one thing. Zcash's privacy is optional and its Orchard circuit famously complex; the proposed cure is formal verification and a simpler next-generation circuit. None of this is a darknet-market event, but the markets that standardized on a privacy coin chose theirs for exactly the properties this bug put on trial.

  Sources: Zcash / Shielded Labs disclosure · TechFlow

• 21 April 2026 Market change

  BlackOps ends its Monero-only run and adds Bitcoin

  BlackOps began accepting Bitcoin alongside Monero on 21 April 2026, closing out the Monero-only model it had run since launch. A wider payment menu is not a safety upgrade — Bitcoin's ledger is public and permanent, which is the exact property the AudiA6 case turned on — and it changes nothing about how a BlackOps address is verified, which still rests on the signed canary.

  Source: tordark BlackOps review

• February 2026 Exit scam (suspected)

  Kerberos Market vanishes despite its anti-phishing tooling

  Kerberos, live since 2022 and known for unusually aggressive anti-phishing protection, went dark in February 2026 behind a "disk failure" message, in what the community read as an exit scam. It is a clean illustration of where verification ends: hardening the login page does nothing about the operators themselves, and the people best protected from clones still lost balances to the market they trusted.

  Source: tordark Kerberos case study

• Early July 2025 Exit scam (suspected)

  Abacus Market, the largest Bitcoin-era Western market, disappears

  Abacus went offline in early July 2025 with no seizure banner and no agency announcement. TRM Labs assessed it as a likely exit scam: after users began reporting stalled withdrawals in late June, daily deposits collapsed about 94%, from roughly $230,000 across 1,400 transactions to $13,000 across 100 — confidence draining in real time. Its admin "Vito" blamed a DDoS attack and an influx of Archetyp refugees; the funds never came back.

  Sources: TRM Labs · tordark Abacus case study

• 11–13 June 2025 Seizure · Operation Deep Sentinel

  Archetyp Market seized, ending the longest-running Western drug market

  A six-country action led by German authorities and supported by Europol and Eurojust took down Archetyp Market, online since May 2020 with more than 600,000 registered users. Around 300 officers were deployed; the 30-year-old German administrator was arrested in Barcelona, a moderator and six top vendors were detained in Germany and Sweden, and roughly €7.8 million was seized. Tellingly, the market went dark about two days before any seizure banner appeared, and the first rumor mill called it a scam.

  Sources: Europol · tordark Archetyp case study

• Early June 2025 Seizure · Carding

  BidenCash carding marketplace seized, around 145 domains taken

  US authorities, working with international partners, seized the BidenCash carding marketplace and roughly 145 associated clearnet and onion domains. BidenCash had become one of the largest shops for stolen payment-card and credential data, partly by giving away millions of records for free to build its reputation — a reminder that darknet news is not only about drug markets but about the stolen-data economy that feeds fraud.

  Source: US Department of Justice

• 22 May 2025 Operation · 270 arrests

  Operation RapTor: the largest darknet drug enforcement action to date

  The Joint Criminal Opioid and Darknet Enforcement team and Europol announced 270 arrests of vendors, buyers and administrators across ten countries, with more than $200 million seized, two metric tons of drugs including 144 kilograms of fentanyl, and over 180 firearms. The arrests drew on intelligence gathered from earlier takedowns — Nemesis, Tor2Door, Bohemia, Incognito and Kingdom — and US Treasury sanctions named Behrouz Parsarad, the operator behind Nemesis. The message was deliberate: a market going dark is not the end of an investigation, it is the start of one.

  Sources: US Department of Justice · Europol

• Late January 2025 Seizure · Operation Talent

  The Cracked and Nulled cybercrime forums are taken down

  A Europol-coordinated action seized Cracked and Nulled, two long-running forums with millions of combined users that served as on-ramps for stolen credentials, hacking tools and fraud services. The forums sat upstream of the markets tordark tracks — the place where much of the data and tooling that later appears for sale is first traded — which is why their removal counts as darknet news even though neither sold drugs.

  Source: Europol

The state of the darknet markets right now

The Western market map redrew itself again in mid-2025, when Archetyp's seizure and Abacus's exit landed within weeks of each other and produced the largest vendor migration since AlphaBay fell in 2017. In its 2026 reporting, Chainalysis names TorZon as the market that absorbed most of the displaced Western traffic; tordark's verified directory tracks it alongside DrugHub, Nexus, DarkMatter, BlackOps and We The North. None of that is a safety ranking — it is simply where the volume went, and the market at the top of the volume chart is also the biggest target in the room.

Two things are worth keeping in proportion. First, the Western drug markets are dwarfed by the Russian-language ecosystem: blockchain-tracking firms estimate a single market, Kraken (not the exchange), moved on the order of $1.3 billion in Bitcoin in the first nine months of 2025 alone, with the largest Russian-speaking markets together handling several times the Western total. Second, the churn never stops — every market named above will eventually appear in the closed-market archive, by seizure or by exit scam, and the only open question is which. That is why a current "which markets are up" list is the wrong thing to anchor on, and a freshly verified signature is the right one.

How to read a breaking dark web story

Reading this beat well means resisting the first interpretation, because the first interpretation is almost always wrong. When a market goes dark, the community read swings between "exit scam" and "just downtime," and the truth often takes days — Archetyp was offline about two days before any seizure banner appeared, and the early rumor mill called it a scam. Wait for a signed message or an official statement before treating a breaking claim as settled, and weigh who is making the claim, because on this subject speed and accuracy are usually at odds.

The hardest part is that rumor moves faster than fact and is routinely dressed as fact. Anonymous status posts, screenshots with no provenance, and confident threads asserting a market is "back" or "seized" circulate hours before anything is confirmed, and acting on them hurts people in both directions: a buyer who believes a false "it's back" rumor walks into a clone, while one who dismisses a true "withdrawals are frozen" warning loses a balance. The discipline is to grade every claim by its sourcing rather than its confidence or its timing. Confirmed facts arrive with documents, dates and named outlets; rumor arrives with certainty and nothing else. When the two conflict, the sourced version wins, and when neither is available yet, the cautious assumption is the correct one.

Turn the reading into action rather than spectating. A credible report of stalled withdrawals at a market you use is a reason to withdraw now, not after confirmation; a seizure anywhere in the ecosystem is a reason to expect refugees and a wave of clones. Pair the news with the habit in our PGP verification guide, and reporting becomes a defense instead of a postmortem.

Where to follow dark web news, and how to vet it

Most of the reporting that holds up lives on the ordinary web, which is convenient: you can read it without the verification overhead of onion services. Credible coverage comes from a narrow set of source types, and it is worth knowing which is which.

• Security journalism. Krebs on Security and BleepingComputer cover takedowns, breaches and scams with sourcing you can check, and The Record follows cybercrime and enforcement closely.
• Primary law-enforcement records. Agency pages from Europol, Eurojust and the US Department of Justice publish the dated, official account — the document everyone else is reporting on.
• Blockchain-analysis firms. TRM Labs and Chainalysis trace the on-chain side of seizures and exit scams, and their assessments are often the first credible read on whether a market was taken or simply vanished.
• Community forums, with caution. Boards like Dread surface the earliest signals — withdrawal complaints, downtime — but they also carry the most rumor and the most phishing. Treat them as a place to learn what to verify, never as proof.

Vet any source the same way regardless of where it sits: does it cite documents, does it date its claims, and does it distinguish what is confirmed from what is rumored? A site that traffics in unsourced certainty is entertainment, not news — and a directory that hands you a link instead of showing you how to check it is the most dangerous kind. When you do go looking for a market yourself, our note on onion search engines covers what those tools can and cannot tell you about an address.

Common questions about dark web news