The Communications Security Establishment (CSE), Canada's signals intelligence agency and NSA equivalent, disclosed in its annual report published last week that it carried out three authorized offensive cyber operations in 2025 against foreign criminal groups. The agency also documented ten technical disruptions against ransomware gangs and a defensive operation against a phishing campaign targeting Canadian government institutions. Such transparency is unusual for a Five Eyes agency.
- The CSE conducted three authorized "active cyber operations" in 2025 against a ransomware-as-a-service gang, chemical precursor brokers for fentanyl, and a foreign violent extremist group.
- Ten "authorized technical disruptions" rendered parts of the infrastructure of ten ransomware gangs unusable.
- A defensive operation countered a phishing campaign against Canadian federal institutions.
- The report does not reveal the geographic location of targets, specific operational techniques, or judicial outcomes; the identities of the criminal groups remain anonymous.
The Three Offensive Operations: Targets and Stated Outcomes
The first operation targeted a ransomware-as-a-service gang operating abroad. The CSE states it rendered the group's infrastructure inoperable and removed a large volume of stolen data advertised for sale on the dark web.
The second operation targeted brokers of chemical precursors used to produce fentanyl. The agency says it "disrupted and diminished" their operational capabilities.
The third struck a foreign violent extremist group recruiting members in Canada. The stated objective was to undermine its credibility and limit its capacity for radicalization and recruitment.
"The three separate hacks — revealed in a report released last week by the country's NSA-equivalent Communications Security Establishment (CSE) — were 'active cyber operations' on foreign groups posing a threat to Canada" — The Record, reporting on the CSE report
This tripartite targeting — cybercrime, drug trafficking, violent extremism — signals a broad definition of national threat that justifies offensive cyber operations under the CSE's mandate.
Ten Technical Disruptions Against Ransomware
Alongside the three structural operations, the CSE conducted "authorized technical disruptions" against ten major ransomware gangs throughout 2025. The technical phrasing is precise: the objective was to render parts of the criminal groups' infrastructure unusable, not merely to gather intelligence or monitor their activity.
The distinction between "active cyber operations" and "technical disruptions" in the CSE report suggests an internal taxonomy separating broader operations from targeted, likely faster interventions. The source does not specify whether the ten disruptions were coordinated temporally or distributed across the year.
The Defensive Operation and the Government Perimeter
TechCrunch reports a fourth intervention: a defensive operation against a phishing campaign directed at Canadian federal institutions. The inclusion of this detail in the annual report shows the CSE communicating both offensive and defensive actions, building a picture of continuous activity in cyberspace.
The source does not specify whether the phishing campaign was linked to one of the criminal groups already mentioned or to a distinct actor. The CSE report does not reveal details on the initial vector of the defensive operation.
Contrast with the Opacity of Other Five Eyes Agencies
2>The CSE disclosure stands in stark contrast to the practice of U.S. Cyber Command and the NSA, which rarely confirm individual offensive operations in real time or with targets identified by category. The U.S. Cyber Command has in some cases released aggregate communications on operations against ransomware, but the granularity of the Canadian report — precise number of operations, target typology, declared outcome — remains exceptional in the Five Eyes landscape.
The choice of transparency invites two opposing readings. On one hand, detailed publication serves as a deterrent signal: criminal groups targeting Canada must now factor in the concrete possibility of infrastructure destruction by a state agency. On the other, every element of disclosure feeds adversary analysis of CSE methods, priorities, and operational timing.
What Changes
For Canadian organizations, the CSE 2025 report confirms the agency actively intervenes against threats directly striking national territory, but provides no operational guidance for autonomous defense. Three concrete implications emerge from the dossier.
First: the ten technical disruptions against ransomware gangs indicate the CSE treats ransomware as a priority national security threat, not merely an ordinary cybercrime problem. Organizations suffering ransomware attacks cannot assume they are isolated from preventive state intervention.
Second: the defensive anti-phishing operation against government targets shows the CSE actively monitors social engineering campaigns against federal institutions. Canadian government agencies have access to a level of active protection not documented for the critical private sector.
Third: the anonymity of targeted groups and the absence of technical details prevent private victims from verifying whether a specific gang that hit them is among those neutralized. The CSE's strategic disclosure does not translate into actionable intelligence for private defenders.
Editorial Close
The CSE 2025 report marks a benchmark in the transparency of offensive cyber operations. Three active operations, ten technical disruptions, and one defensive intervention: 14 documented operations in a year for an agency that until recently confirmed almost nothing. The very measure of the disclosure — precise on numbers, opaque on names and techniques — reflects a strategic calibration balancing a show of force against operational security. It remains to be seen whether this level of transparency will repeat in future reports or represents an exception tied to the 2025 political context.
Information is based on the cited sources and current as of publication.
Sources
- https://therecord.media/canada-cse-2025-cyber-operations-ransomware-drugs-extremism
- https://techcrunch.com/2026/07/06/canadian-spy-agency-says-it-hacked-drug-traffickers-extremists-and-a-ransomware-gang-last-year/
- https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- https://nvd.nist.gov/vuln/detail/CVE-2025-43529
- https://techcrunch.com/2026/06/17/cybercriminals-allegedly-hacked-tens-of-thousands-of-fortinet-firewalls-used-by-major-companies-all-over-the-world/
- https://www.recordedfuture.com/research/2026-fifa-world-cup-threats
- https://abcnews.com/US/addicted-hacking-young-hacker-historic-breach-speaks-1st/story?id
- https://nvd.nist.gov/vuln
- https://nvd.nist.gov/vuln/search
- https://nvd.nist.gov/vuln/categories
- https://nvd.nist.gov/vuln/data-feeds
- https://nvd.nist.gov/vuln/vendor-comments