Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Canada's Spy Agency Reports Hacking Three Criminal Groups in 2025
Canada's Spy Agency Reports Hacking Three Criminal Groups in 2025
NEWS

Canada's Spy Agency Reports Hacking Three Criminal Groups in 2025

Canada's Communications Security Establishment publicly disclosed offensive cyber operations against a ransomware-as-a-service gang, a foreign online extremist group, and a drug trafficking network in its 2025–2026 annual report — a rare admission of state-level offensive hacking against criminal organizations.

Dylan H.

News Desk

July 6, 2026
4 min read

Canada's signals intelligence and cybersecurity agency, the Communications Security Establishment (CSE), has publicly disclosed that it conducted offensive cyber operations against three criminal organizations during 2025 — a ransomware-as-a-service gang, an online foreign extremist group, and a drug trafficking network. The disclosures appear in the CSE's 2025–2026 Annual Report, published July 6, 2026.

The Three Operations

Operation 1: Ransomware-as-a-Service Gang

CSE used its signals intelligence capabilities to map the gang's complete infrastructure before executing a disruption operation. According to the report, the operation:

  • "Rendered the group's infrastructure inoperable"
  • "Deleted a large amount of stolen data that was being advertised for sale on the dark web"
  • Disrupted the group's active extortion campaigns

The operation goes beyond typical law enforcement takedowns by actively destroying data that had already been stolen from victims — a more aggressive approach that aims to eliminate the leverage ransomware operators hold over their targets.

Operation 2: Foreign Online Extremist Group

The target was an online extremist organization described as "spreading violent ideology and seeking to recruit in Western countries, including Canada." CSE leveraged data from internet-connected devices in the operation, which reportedly:

  • "Successfully undermined the group's credibility"
  • "Limited their ability to radicalize and recruit new members"

This type of operation — degrading a threat actor's public credibility rather than simply taking down infrastructure — represents an information operations component alongside technical disruption.

Operation 3: Drug Trafficking Network

The third operation targeted cybercriminals assisting with fentanyl precursor chemical sales. The operation "disrupted and diminished" their trafficking activities. This marks an interesting convergence of the cyber domain with the ongoing fentanyl crisis, with CSE applying offensive cyber tools to a public health threat vector.

Beyond the Three: Ten More Ransomware Groups Disrupted

In addition to the three named operations, the annual report states that CSE executed "authorized technical disruptions" against 10 additional major ransomware gangs, rendering parts of their infrastructure unusable. This broader campaign — 13 ransomware groups targeted in a single year — suggests a significantly scaled-up offensive posture from Canada's cyber agency.

Legal and Policy Context

Canada's legal framework explicitly authorizes CSE to conduct "active cyber operations" — offensive actions taken against foreign targets in support of government priorities. Under Canada's Communications Security Establishment Act (2019), CSE may:

  • Degrade, disrupt, or destroy capabilities of foreign actors
  • Conduct operations in support of Canadian national security and defence
  • Act against threats to Canadian infrastructure or foreign intelligence targets

Critically, CSE is prohibited from directing operations against Canadians or persons in Canada — all three operations targeted foreign criminal groups.

Why This Matters

The public disclosure is notable in several respects:

Transparency is rare. Most Western intelligence agencies rarely acknowledge offensive cyber operations at this level of specificity. The CSE's annual report naming both the categories of targets and the operational effects sets a transparency standard that few peer agencies match.

Criminal vs. state targeting. While most public discussions of offensive cyber operations focus on nation-state adversaries, CSE's disclosed operations were entirely against criminal organizations — ransomware operators, extremists, and drug traffickers. This represents a law enforcement-adjacent use of intelligence-grade offensive capabilities.

Data deletion as a tactic. The destruction of stolen data advertised on dark web forums is an under-discussed but powerful disruption method. Rather than simply seizing infrastructure, the approach directly undermines the extortion value of ransomware operations.

Reactions

The disclosures reflect growing international consensus that offensive cyber operations against criminal ransomware infrastructure are a legitimate and proportionate state response. The United States, United Kingdom, and Australia have all conducted similar operations — though rarely with this level of public attribution.


Source: The Record — Canadian spy agency reports hacking three criminal groups in 2025

#Ransomware#Cybercrime#Nation-State#Canada#Offensive Cyber

Related Articles

Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations

Iranian APT groups are increasingly blurring the lines between state-sponsored cyber espionage and financially motivated cybercrime, deploying destructive...

6 min read

Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks

A new report reveals how industrialized credential theft has become the common thread connecting ransomware campaigns, SaaS platform breaches, and...

5 min read

JadePuffer: The First Fully Autonomous LLM-Driven Ransomware Attack

Security researchers at Sysdig have documented JadePuffer — an agentic threat actor powered entirely by a large language model that independently exploited a Langflow RCE flaw, moved laterally, exfiltrated a MySQL database, destroyed it, and demanded ransom. No human operator was in the loop at any stage.

4 min read
Back to all News