Jun 22 / Latest News

CSIS Used Rare Warrant to Remotely Disrupt Foreign‑Run Botnets Inside Canada

Canada’s spy agency quietly obtained a groundbreaking court warrant allowing it to reach into infected servers, home routers, and consumer IoT devices across the country and neutralize two foreign‑controlled botnets, according to a newly released Federal Court ruling.

The public version of the decision, issued June 15 after more than two years under seal, confirms that the Canadian Security Intelligence Service used its threat‑reduction powers to alter, degrade, and destroy botnet data on compromised machines. The operation severed the devices—ranging from small‑office routers to Ring doorbells, security cameras, and smart TVs—from the command networks directing them.

Justice Catherine Kane first approved the warrant on May 1, 2024, renewed it that August, and issued confidential reasons in February 2026. The court found the threat to Canada “clearly established and imminent,” and ruled the measures necessary, reasonable, and proportionate. It emphasized that the operation targeted devices, not individuals: CSIS sought no identities, intercepted no content, and destroyed any personal data collected incidentally.

The botnets followed a familiar relay model, using hijacked Canadian hardware to mask foreign‑state activity probing critical infrastructure, government systems, and military networks. Device owners were left appearing responsible for traffic they never sent. The ruling confirms the networks were operated by foreign adversaries but redacts which states were involved.

The timing mirrors a series of U.S. court‑ordered botnet cleanups in late 2023 and early 2024, when the FBI remotely disinfected routers linked to China’s Volt Typhoon and Russia’s APT28. The key difference is authority: the American operations were law‑enforcement actions, while Canada’s was an intelligence‑service disruption under the CSIS Act—powers expanded in the National Security Act, 2017 but never used this way until now.

The ruling underscores a persistent weakness in cyber defence: aging, unpatched consumer hardware that attackers routinely conscript into botnets. Government‑led disinfection removes malware but not the underlying vulnerabilities, leaving devices open to reinfection unless owners replace or secure them.

One question remains unresolved. The Bureau, which surfaced the ruling, reports that CSIS relied on IP addresses it had collected without a warrant, weeks after the Supreme Court of Canada ruled in R. v. Bykovets that IP addresses carry a reasonable expectation of privacy. Whether that collection fits within CSIS’s authorities, and whether affected device owners were ever notified, is still unclear.