Canada’s Spy Agency Used Court Approved Powers To Neutralize Foreign Botnets On Infected Devices

Canada’s intelligence service has disclosed details of a first-of-its-kind cyber operation that allowed authorities to remotely neutralize foreign-controlled botnets operating through infected devices located within the country. A recently released public version of a Federal Court ruling revealed that the Canadian Security Intelligence Service (CSIS) obtained judicial authorization to access compromised servers, home routers, and Internet of Things devices and take actions designed to disrupt two foreign-operated botnet networks. The ruling, made public on June 15, 2026, marks the first known instance in which CSIS used its threat reduction warrant powers to directly interfere with malicious cyber infrastructure. The warrant enabled the agency to alter, degrade, and destroy botnet-related data stored on infected devices and to disconnect those systems from the malicious networks controlling them. The operation targeted a range of internet-connected equipment, including small office and home office routers, servers, smart security cameras, connected televisions, Ring doorbells, and other consumer devices located across Canada.

According to court records, Justice Catherine Kane initially approved the warrant on May 1, 2024, before extending it later that year. Detailed reasons supporting the authorization were issued confidentially in February 2026 and remained sealed until a redacted version was released publicly this month. The court determined that the threat posed by the botnets was both credible and imminent and concluded that the proposed actions were necessary, reasonable, and proportionate. The ruling emphasized that the operation was directed at compromised devices rather than their owners, with no effort made to identify users, intercept communications, or retain personal information. Any personal data collected incidentally during the operation was reportedly destroyed. Legal authorization was required because remotely accessing and modifying another person’s device could otherwise constitute computer-related offenses under Canadian law. The court’s approval effectively gave CSIS the authority to intervene and neutralize the infected systems without exposing the agency to criminal liability.

The ruling indicates that the botnets followed a familiar architecture used in many state-sponsored cyber operations. A centralized command structure issued instructions while compromised devices acted as relay points for malicious traffic. By routing activity through infected Canadian infrastructure, foreign operators could disguise their actions as legitimate traffic originating from residential users, businesses, or internet service providers. Authorities warned that such infrastructure could be used to conduct reconnaissance against government systems, military networks, critical infrastructure providers, and sectors including energy. The court specifically highlighted concerns that the botnets could be leveraged to probe or disrupt Canadian infrastructure. Although the public ruling confirms that the botnets were linked to foreign state actors, key identifying details remain redacted, leaving unanswered whether the networks were associated with Chinese, Russian, or other state-sponsored operations. Reporting from The Bureau noted that the timeline and tactics bear similarities to botnet disruption efforts conducted in the United States during late 2023 and early 2024. During those operations, the FBI and the U.S. Department of Justice remotely removed malware from compromised routers linked to China-associated Volt Typhoon activity and later dismantled a separate espionage relay network connected to Russia-linked APT28 operators.
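The relay pattern described above leaves a signature in a router's own connection logs: a handful of external hosts connecting in, many unrelated external hosts being connected to, and the bytes received roughly matching the bytes forwarded. The following is an added example (not from the ruling or any CSIS or FBI tooling) that applies that heuristic to constructed flow records; the addresses, thresholds, and log layout are assumptions.

```python
"""Flag LAN devices whose traffic looks like a botnet relay node."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (initiator, responder, bytes sent by initiator),
# in the direction a router's connection tracker would record them.
SAMPLE_FLOWS = [
    # 192.168.1.1 accepts sessions from one external host (a controller) ...
    ("203.0.113.9", "192.168.1.1", 51200),
    ("203.0.113.9", "192.168.1.1", 48000),
    # ... and opens sessions to many unrelated external hosts (relaying)
    ("192.168.1.1", "198.51.100.10", 24000),
    ("192.168.1.1", "198.51.100.11", 25000),
    ("192.168.1.1", "198.51.100.12", 26000),
    ("192.168.1.1", "198.51.100.13", 24200),
    # 192.168.1.20 is an ordinary laptop: outbound only, few destinations
    ("192.168.1.20", "198.51.100.50", 900000),
    ("192.168.1.20", "198.51.100.51", 120000),
]

def relay_candidates(flows, lan=ip_network("192.168.1.0/24"),
                     min_fanout=3, balance_tolerance=0.25):
    """Return {device: stats} for LAN hosts that accept inbound sessions
    from external hosts, fan out to at least min_fanout external hosts,
    and forward roughly as many bytes as they receive."""
    inbound_src = defaultdict(set)   # device -> external hosts connecting in
    outbound_dst = defaultdict(set)  # device -> external hosts it reaches
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, dst, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if d in lan and s not in lan:       # external host opened the session
            inbound_src[dst].add(src)
            bytes_in[dst] += nbytes
        elif s in lan and d not in lan:     # LAN device opened the session
            outbound_dst[src].add(dst)
            bytes_out[src] += nbytes
    found = {}
    for dev in set(inbound_src) | set(outbound_dst):
        fanout = len(outbound_dst[dev])
        controllers = sorted(inbound_src[dev])
        total = bytes_in[dev] + bytes_out[dev]
        balance = abs(bytes_in[dev] - bytes_out[dev]) / total if total else 1.0
        if controllers and fanout >= min_fanout and balance <= balance_tolerance:
            found[dev] = {"controllers": controllers, "fanout": fanout,
                          "balance": round(balance, 3)}
    return found
```

A flagged device is a lead for firmware updates, credential changes, or replacement, not proof of infection; legitimate servers with exposed services can match the same shape.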

The Canadian operation differs from those U.S. actions because it was conducted under intelligence authorities rather than traditional law enforcement powers. CSIS relied on threat reduction authorities established under the CSIS Act and revised through the National Security Act, 2017, which came into effect in 2019. Until now, those powers had not been publicly used to remotely disinfect infected devices. Cybersecurity experts note that despite the successful disruption, the underlying security weaknesses that enabled the infections often remain unresolved. Many botnets continue to exploit outdated routers, unsupported hardware, unpatched firmware, and devices operating with default credentials. While malware may be removed through government intervention, the affected systems can remain vulnerable to reinfection if owners fail to update, replace, or properly secure their equipment. The public ruling also leaves open questions regarding the collection of IP address information used to support the warrant application, particularly following the Supreme Court of Canada’s decision in R. v. Bykovets, which recognized privacy protections related to IP address information. Questions also remain about whether owners of disinfected devices were notified after the operation and how similar intelligence-led cyber interventions may evolve in the future.
