Canada's signals intelligence and cybersecurity agency, the Communications Security Establishment (CSE), has publicly disclosed that it conducted offensive cyber operations against three criminal organizations during 2025 — a ransomware-as-a-service gang, an online foreign extremist group, and a drug trafficking network. The disclosures appear in the CSE's 2025–2026 Annual Report, published July 6, 2026.
The Three Operations
Operation 1: Ransomware-as-a-Service Gang
CSE used its signals intelligence capabilities to map the gang's complete infrastructure before executing a disruption operation. According to the report, the operation:
- "Rendered the group's infrastructure inoperable"
- "Deleted a large amount of stolen data that was being advertised for sale on the dark web"
- Disrupted the group's active extortion campaigns
The operation goes beyond typical law enforcement takedowns by actively destroying data that had already been stolen from victims — a more aggressive approach that aims to eliminate the leverage ransomware operators hold over their targets.
Operation 2: Foreign Online Extremist Group
The target was an online extremist organization described as "spreading violent ideology and seeking to recruit in Western countries, including Canada." CSE leveraged data from internet-connected devices in the operation, which reportedly:
- "Successfully undermined the group's credibility"
- "Limited their ability to radicalize and recruit new members"
This type of operation — degrading a threat actor's public credibility rather than simply taking down infrastructure — represents an information operations component alongside technical disruption.
Operation 3: Drug Trafficking Network
The third operation targeted cybercriminals assisting with fentanyl precursor chemical sales. The operation "disrupted and diminished" their trafficking activities. This marks an interesting convergence of the cyber domain with the ongoing fentanyl crisis, with CSE applying offensive cyber tools to a public health threat vector.
Beyond the Three: Ten More Ransomware Groups Disrupted
In addition to the three named operations, the annual report states that CSE executed "authorized technical disruptions" against 10 additional major ransomware gangs, rendering parts of their infrastructure unusable. This broader campaign — 13 ransomware groups targeted in a single year — suggests a significantly scaled-up offensive posture from Canada's cyber agency.
Legal and Policy Context
Canada's legal framework explicitly authorizes CSE to conduct "active cyber operations" — offensive actions taken against foreign targets in support of government priorities. Under Canada's Communications Security Establishment Act (2019), CSE may:
- Degrade, disrupt, or destroy capabilities of foreign actors
- Conduct operations in support of Canadian national security and defence
- Act against threats to Canadian infrastructure or foreign intelligence targets
Critically, CSE is prohibited from directing operations against Canadians or persons in Canada — all three operations targeted foreign criminal groups.
Why This Matters
The public disclosure is notable in several respects:
Transparency is rare. Most Western intelligence agencies rarely acknowledge offensive cyber operations at this level of specificity. The CSE's annual report naming both the categories of targets and the operational effects sets a transparency standard that few peer agencies match.
Criminal vs. state targeting. While most public discussions of offensive cyber operations focus on nation-state adversaries, CSE's disclosed operations were entirely against criminal organizations — ransomware operators, extremists, and drug traffickers. This represents a law enforcement-adjacent use of intelligence-grade offensive capabilities.
Data deletion as a tactic. The destruction of stolen data advertised on dark web forums is an under-discussed but powerful disruption method. Rather than simply seizing infrastructure, the approach directly undermines the extortion value of ransomware operations.
Reactions
The disclosures reflect growing international consensus that offensive cyber operations against criminal ransomware infrastructure are a legitimate and proportionate state response. The United States, United Kingdom, and Australia have all conducted similar operations — though rarely with this level of public attribution.
Source: The Record — Canadian spy agency reports hacking three criminal groups in 2025