Canadian spy agency says it hacked drug traffickers, extremists and a ransomware gang last year
Digital Frontier EditorialJuly 6, 20264 min read
Key Takeaways
CSE disclosed three state-authorized hacks last year targeting fentanyl brokers, violent extremists, and a ransomware gang — a rare public accounting of offensive cyber operations.
The agency also hit 10 major ransomware groups simultaneously, deleting data and rendering infrastructure inoperable.
Operational details — locations, methods, tools — remain classified, consistent with Five Eyes norms of protecting tradecraft.
The report signals a shift: Canadian intelligence now treats cybercrime and drug supply chains as national security threats on par with terrorism.
Canada's Communications Security Establishment hacked a fentanyl supply network, a violent extremist group, and a ransomware gang last year. It also took a sledgehammer to ten other ransomware operations at once. The spy agency said so itself, in its annual report, using language so blunt it reads like a warning shot.
Three "active cyber operations." That's the term CSE uses for breaking into foreign infrastructure to degrade threats. One disrupted chemical brokers feeding the fentanyl trade. One undermined an extremist group recruiting Canadians. One killed a ransomware-as-a-service platform that had hit healthcare, transportation, and business sectors — and deleted the gang's data for good measure.
This is not routine. Western intelligence agencies almost never admit to offensive hacks. They hint. They leak. They let journalists connect dots. CSE just published the dots.
The fentanyl operation is the tell. Synthetic opioids kill Canadians by the thousands. The chemicals come from overseas. CSE treated the brokers as a national security target — not a law enforcement problem. That distinction matters. It means the intelligence apparatus, not the RCMP, took the lead. It means the toolkit included signals intelligence, network intrusion, and disruption techniques usually reserved for state actors.
Same with the ransomware gang. CSE didn't just monitor. It "rendered the group's infrastructure inoperable." It deleted data. That's destruction, not espionage. The agency crossed the line from watching to breaking — and told the public it did.
Why now? The report doesn't say. But the timing aligns with a broader Five Eyes shift. The U.S. Cyber Command runs "hunt forward" missions in allied countries. The U.K.'s GCHQ has whispered about offensive cyber for years. Australia's ASD talks openly about "disruption." Canada, the quiet partner, just proved it plays the same game.
The report omits geography. No countries named. No IP ranges. No malware families. That's intentional. Attribution invites retaliation. Methods burn. If CSE revealed how it accessed the ransomware gang's servers — phishing? supply chain? zero-day? — the next gang patches the hole. The fentanyl brokers rotate infrastructure. The extremists switch platforms.
Skeptics will ask: did it work? The report says the fentanyl operation "disrupted and diminished their ability to operate." The extremist op "successfully undermined the group's credibility." The ransomware hit "deleted much of the data." Vague verbs. No metrics. No body counts. No seizure values. Intelligence agencies have always graded their own homework.
But the simultaneous disruption of ten ransomware groups suggests scale. CSE didn't just snipe one gang. It ran a campaign. That requires persistent access, not a one-off exploit. It implies the agency has embedded itself in criminal ecosystems — watching, waiting, then striking in concert.
The legal basis? The CSE Act, updated in 2019, explicitly authorizes "active cyber operations" against foreign threats. Ministerial authorization required. Judicial oversight via the Intelligence Commissioner. The framework exists. The report confirms it's being used.
Civil libertarians should watch the extremist operation closely. "Spreading violent ideology and recruiting members, including in Canada" — that description could fit several groups. Some designated terror entities. Others in legal grey zones. CSE collected signals intelligence on the group's "organization, reach, and potential vulnerabilities" before striking. That's reconnaissance on a target with Canadian connections. The line between foreign threat and domestic surveillance thins here.
The agency insists it targets foreign infrastructure only. But the extremist group recruited Canadians. The fentanyl brokers supplied Canadians. The ransomware gang victimized Canadians. The "foreign" label does heavy lifting. It always has.
What's missing from the report speaks louder than what's included. No mention of state-sponsored hacking — China, Russia, Iran, North Korea. CSE defends government networks daily against those actors. The annual report usually crows about attribution. This year, silence on the nation-state front. Either the operations remain too sensitive, or the agency wants the spotlight on criminal disruption.
Three named operations. Ten concurrent ransomware hits. A spy agency stepping out of the shadows to say: we break things that hurt Canadians. The message isn't for the public. It's for the adversaries. The brokers. The recruiters. The ransomware operators. They now know CSE has the access, the authority, and the willingness to delete their servers.
Deterrence by disclosure. A risky bet. But one Canada's intelligence community just placed.