ctipilot.ch

Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Four coordinated actions in the window degraded threat-actor infrastructure relevant to this audience. Operation Saffron dismantled First VPN — a Russian-language criminal anonymisation service marketed to ransomware operators — seizing 33+ servers and capturing the user database; Switzerland was a named Joint Investigation Team participant, and the infrastructure is linked to Phobos RaaS (Eurojust; daily 2026-05-22). The Netherlands FIOD arrested two suspects for EU-sanctions evasion tied to the Stark Industries bulletproof-hosting front and seized ~800 servers, dismantling NoName057(16) DDoS plumbing (FIOD; daily 2026-05-23). The alleged operator of the Kimwolf 30+ Tbps IoT DDoS-for-hire botnet (AISURU variant) was arrested (US DoJ; daily 2026-05-23), and INTERPOL Operation Ramz logged 201 arrests across a 13-country MENA sweep, including a PhaaS-server takedown (INTERPOL; daily 2026-05-19). The defender-relevant pattern: the takedowns hit anonymisation/hosting/DDoS plumbing rather than end actors, so expect short-term infrastructure churn (new VPN/hosting fronts, rebuilt botnet C2) rather than a durable drop in activity.