№188|10:10 AM ET
Independent reporting on technology, markets & policy
TechEchelon
№01 / Anchor·CYBERSECURITY

Canadian Spy Agency Confirms It Hacked Drug Traffickers, Extremists, and a Ransomware Gang in 2025

Canada's Communications Security Establishment revealed in its annual report that it conducted three offensive cyber operations in 2025, disrupting fentanyl brokers, an overseas extremist group, and a ransomware-as-a-service gang.

TE
TechEchelon Staff
JUL 7, 2026 · 07:10 AM ET · 3 MIN READ
Photo by Mark Stebnicki on Pexels

Canada's Communications Security Establishment disclosed that it carried out three state-authorized offensive cyber operations last year, targeting fentanyl brokers, a violent extremist group, and a ransomware-as-a-service gang — a rare public accounting of the spy agency's active hacking activities.

The disclosures appeared in the CSE's annual report, published last week, underscoring the national security threats that Canada and its closest allies continue to face, ranging from illicit drug supply chains to destructive cyberattacks.

The CSE is mandated to collect foreign intelligence, defend government networks, and disrupt online adversaries. The agency's annual report uses the term "active cyber operations" to describe state-sanctioned attacks on overseas operations that threaten Canadian national security or public safety.

In the first disclosed operation, the CSE targeted cybercriminals outside Canada who were brokering the sale of chemicals used to manufacture the synthetic opioid fentanyl. After collecting intelligence on the brokers, the agency conducted an operation that "disrupted and diminished their ability to operate," according to the report.

The second operation focused on an overseas extremist group that was spreading violent ideology and actively recruiting members, including individuals in Canada. The CSE collected signals intelligence — data derived from electronics and internet-connected devices — on the group's organization, reach, and potential vulnerabilities, then executed an operation that "successfully undermined the group's credibility and limited their ability to radicalize and recruit new members," the report said.

The third operation targeted a ransomware-as-a-service operation whose infrastructure was being rented by hackers to launch extortion attacks against organizations in Canada's healthcare, transportation, and business sectors. The CSE said its signals intelligence unit mapped how the gang operated before using an active cyber operation that "rendered the group's infrastructure inoperable" and deleted much of the data stored on its servers.

Beyond the three principal operations, the agency also said it carried out concurrent "technical disruptions" against 10 of the most significant ransomware gangs targeting Canada, with the aim of making "parts of their infrastructure unusable."

The CSE additionally disclosed one defensive cyber operation during the year, targeting a phishing campaign directed at Canadian federal government institutions and other critical systems. That operation disrupted the group's infrastructure and "degraded their ability" to target Canadians, the report said.

The annual report did not identify the locations of the hackers, the extremist group, or the ransomware gang, nor did it specify the technical methods used — a standard practice among intelligence agencies seeking to protect their operational techniques.

Offensive cyber operations by state intelligence services are not uncommon, but they are rarely acknowledged in detail. For comparison, U.S. Cyber Command, headquartered in Fort Meade, Maryland, conducts "hunt forward" operations that deploy cyber teams to allied nations; the number of such U.S.-led operations rose from a few during 2018 to more than two dozen during 2025.

The CSE's disclosures signal a growing appetite among Western intelligence agencies to publicize, at least in broad terms, their offensive cyber activities — a shift that reflects both an effort to deter adversaries and an acknowledgment of the escalating frequency of ransomware and state-linked cyberattacks against critical infrastructure.

TE
━ ABOUT THE BYLINE
TechEchelon Staff

TechEchelon Staff bylines are produced collectively by the newsroom for short, breaking, and wire-style coverage. Longer-form reporting is published under the responsible reporter's name.

More from the Staff
● THE BRIEF · DAILY NEWSLETTER

Five stories every morning. Before the opening bell.

Written for readers who already know the basics — markets, AI, and the policy decisions that shape both.

Mon — Fri · 06:30 ET · Free

No spam · Unsubscribe anytime