Canada’s electronic intelligence agency says it hacked three foreign criminal or extremist targets in 2025, including a ransomware-as-a-service operation, people involved in fentanyl precursor trafficking, and a group spreading violent extremist ideology.
The Communications Security Establishment, Canada’s counterpart to the U.S. National Security Agency, disclosed the operations in an annual report released last week. The agency described them as “active cyber operations,” a category of state-authorized hacking aimed at foreign groups that CSE said posed a threat to Canada.
The report gives only broad descriptions of the targets. It does not name the ransomware crew, the alleged drug traffickers, or the extremist group. That makes the public version hard to audit, which is usually the point of this genre of intelligence-agency transparency: enough detail to show the tool exists, not enough to let outsiders test the claims.
What CSE says it did
In one operation, CSE said it used data taken from internet-connected devices to interfere with a foreign extremist group that was “spreading violent ideology” and trying to recruit in Western countries, including Canada. According to the agency, the operation damaged the group’s credibility and reduced its ability to radicalize and recruit new members.
The report does not say what devices were involved, what data was collected, or what specific technical steps CSE took after obtaining it. The agency’s description suggests an operation that combined intelligence collection with some form of disruption, rather than passive monitoring alone.
CSE also said it targeted overseas cybercriminals helping sell chemicals used to make fentanyl. Fentanyl is a powerful opioid tied to tens of thousands of deaths each year in North America. The agency said its hacking operation “disrupted and diminished” the traffickers, but it did not specify whether that meant taking down accounts, disabling infrastructure, interfering with communications, or some other action.
The third named operation focused on a ransomware-as-a-service group. In that business model, developers or operators provide ransomware tools and infrastructure to affiliates, who then break into victims and run the extortion. CSE said it used signals intelligence to map how the unnamed group worked internally.
According to the report, CSE’s operation made the group’s infrastructure unusable and deleted a large quantity of stolen data that was being advertised for sale on the dark web. The agency did not identify the victims whose data was allegedly deleted, nor did it say whether the action prevented any ransom payments or arrests.
Broader ransomware disruptions
The same report says CSE carried out “authorized technical disruptions” against 10 major ransomware gangs last year. The agency said those actions were intended to make parts of the groups’ infrastructure unusable.
The disclosure places Canada among governments willing to say, at least in outline, that they are using offensive cyber authorities against criminal infrastructure outside their borders. The report frames the operations as defensive measures against threats to Canada, but the public details remain sparse: CSE names the categories of targets and the claimed effects, while withholding the operational mechanics and the identities of the groups involved.
That leaves the central facts as CSE states them: in 2025, Canadian intelligence officials say they used state-authorized hacking to disrupt a violent extremist recruitment effort, fentanyl-related chemical trafficking, and ransomware infrastructure, plus additional technical actions against 10 ransomware gangs.
This story draws on original reporting from The Record.