The Canadian Security Intelligence Service obtained, on May 1, 2024, and made public on June 15, 2026, the first judicial warrant in the country's history for cyber threat-reduction operations: altering, degrading, and destroying botnet data on servers, SOHO routers, and domestic IoT devices, including Ring doorbells, security cameras, TVs, and Wi-Fi appliances. The Federal Court decision, signed by Justice Catherine Kane, authorizes an intelligence service — not law enforcement — to undertake actions technically classifiable as computer mischief under the Criminal Code, provided they target machines and not people. The operation remains partly shrouded in secrecy: it is unknown whether it has been executed, or whether device owners have been notified.
- The May 1, 2024 warrant, renewed in August 2024, is the first application of the CSIS Act's threat-reduction powers (2017, effective 2019) to active cyber operations, with reasons published in February 2026 and a redacted version released in June 2026.
- The court authorized CSIS to "alter, degrade, and destroy botnet data on infected machines and disconnect devices from networks," targeting two botnets controlled by two foreign adversaries whose identities remain redacted in the public document.
- Parallel U.S. operations in December 2023 (KV-botnet/Volt Typhoon) and early 2024 (APT28/Ubiquiti) were conducted by the FBI/DOJ — law enforcement, not an intelligence service: the Canadian model breaks that Five Eyes convention.
- The court imposed minimization: no user identities sought, no content intercepted, incidentally collected personal data to be destroyed; but the initial collection of IP addresses without a warrant raises tensions after the Supreme Court's R. v. Bykovets ruling.
The Warrant and Its Legal Architecture
Justice Catherine Kane granted the authorization on May 1, 2024, with renewal the following August. The sealed reasons were issued in February 2026; the public, redacted version emerged on June 15, 2026, after more than two years of opacity. The court found "the threat to Canada clearly established and imminent, and the measures necessary, reasonable, and proportionate." Without this warrant, CSIS actions would constitute computer mischief under the Canadian Criminal Code.
The CSIS Act, reformed by the 2017 National Security Act and effective from 2019, created threat-reduction powers. This is the first time they have been used for cyber operations, marking a transition from passive counter-intelligence to active intervention on domestic infrastructure. The court explicitly characterized the threat as the work of "two foreign adversaries" pursuing "financial, political, ideological, and economic interests" that "would consider Canada an easy target to exploit."
Targeted Devices and Two State-Linked Botnets
The devices listed in the warrant span three categories: servers located in Canada, SOHO (Small Office/Home Office) routers, and consumer IoT devices. The source explicitly cites Ring doorbells, security cameras, televisions, and Wi-Fi appliances. This selection reflects a consolidated pattern: proxy botnets leverage unmaintained consumer infrastructure — end-of-life routers, default credentials, unpatched firmware — as a relay layer to mask the origin of attacks against critical infrastructure.
The judicial document identifies two distinct botnets, each controlled by a different foreign adversary. National identities are redacted. The Todayville/The Bureau source temporally links the operations to the 2024 U.S. disruptions against Volt Typhoon (associated with Chinese interests) and APT28/GRU (Russia), but stresses that "the flag is the redaction." The dossier neither confirms nor denies this correlation: attribution assessments remain analytical inferences, not judicial facts.
"alter, degrade, and destroy botnet data on infected machines and disconnect devices from networks" — Description of warrant purpose, Federal Court, via The Hacker News
The Privacy Tension: R. v. Bykovets and IP Addresses
The warrant relies on IP addresses collected without prior authorization. This practice clashes with the Supreme Court of Canada's R. v. Bykovets ruling, which recognized a reasonable expectation of privacy in IP addresses. The Federal Court addressed the issue in a classified companion decision whose content is not public. The dossier does not specify whether the IP collection will face subsequent legal challenge.
The court imposed formal safeguards: no user identities sought, no content intercepted, destruction of incidentally collected personal data. However, whether device owners are notified is unknown according to the sources, which raises the issue of transparency toward subjects whose machines are accessed by an intelligence agency. CSIS stated it would act "as soon as possible," but Risky Business, citing court documents obtained via The Canadian Press, notes uncertainty about the operation's actual execution.
Immediate Actions
The development demands an update to enterprise and consumer security practices, with specific actions drawn from the operational context that has emerged:
- IoT/SOHO inventory audit: Organizations must map personal routers, smart devices, and Wi-Fi appliances present on corporate premises or in employee remote-work setups, as these categories are explicitly cited in the warrant as vectors for state-sponsored infection.
- Network visibility monitoring: Security teams must verify that external disinfection operations — possible without notice — do not alter logs, indicators of compromise, or incident-response timelines, since the source does not specify whether CSIS notifies owners.
- National legal framework assessment: Governance leads must track whether their group's operating jurisdictions provide for similar threat-reduction warrants for intelligence services, given the divergence between the Canadian model (CSIS) and U.S. FBI/DOJ operations.
- Edge device lifecycle renewal: The persistence of botnets on end-of-life hardware with obsolete firmware is documented as an enabling condition; proactive retirement of these assets reduces the attack surface that justifies government intervention.
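The inventory and lifecycle actions above can be combined into one audit pass. The following is an added example, not taken from the warrant or the cited sources: it classifies an asset list into the device classes the article says the warrant names and flags the enabling conditions mentioned earlier (end-of-life, default credentials, stale firmware). The CSV columns, the 365-day firmware threshold, and the sample rows are assumptions constructed for illustration.

```python
import csv, io
from datetime import date

# Constructed sample inventory (not real devices); column names are assumptions.
SAMPLE_INVENTORY = """\
hostname,kind,vendor_eol,last_firmware_update,default_credentials,location
edge-rtr-01,soho_router,2022-03-31,2021-11-02,yes,remote-worker
lobby-cam-02,camera,2027-12-31,2025-09-14,no,office
door-bell-03,doorbell,2028-06-30,2023-01-20,yes,office
conf-tv-04,tv,2024-01-15,2023-12-01,no,office
app-srv-05,server,2029-01-01,2026-05-20,no,datacenter
"""

# Device classes the article says the warrant lists.
WARRANT_CLASSES = {
    "server": "server", "soho_router": "SOHO router",
    "doorbell": "consumer IoT", "camera": "consumer IoT",
    "tv": "consumer IoT", "wifi_appliance": "consumer IoT",
}
MAX_FIRMWARE_AGE_DAYS = 365  # assumed policy threshold, tune per organization

def audit(inventory_csv, today):
    """Return flagged devices: end-of-life first, then by number of findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        cls = WARRANT_CLASSES.get(row["kind"].strip().lower())
        if cls is None:
            continue  # outside the device classes named in the article
        reasons = []
        if date.fromisoformat(row["vendor_eol"]) < today:
            reasons.append("end-of-life")
        if row["default_credentials"].strip().lower() == "yes":
            reasons.append("default credentials")
        age = (today - date.fromisoformat(row["last_firmware_update"])).days
        if age > MAX_FIRMWARE_AGE_DAYS:
            reasons.append(f"firmware {age} days old")
        if reasons:
            findings.append({"hostname": row["hostname"], "class": cls,
                             "location": row["location"], "reasons": reasons})
    # End-of-life devices cannot be patched, so they lead the retirement list.
    findings.sort(key=lambda f: ("end-of-life" not in f["reasons"], -len(f["reasons"])))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, date(2026, 6, 15)):
        print(f'{f["hostname"]:<14}{f["class"]:<14}{f["location"]:<15}{", ".join(f["reasons"])}')
```

Devices at the top of the output are retirement candidates; the rest need credential rotation or a firmware update.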
The Five Eyes Precedent and the Maintenance That Never Comes
The U.S. operations of December 2023 and early 2024 — KV-botnet/Volt Typhoon and APT28/Ubiquiti — were conducted by the FBI and the Department of Justice. Canada has flipped the axis: the warrant is issued to an intelligence service, not law enforcement. This choice reflects a different legal structure, but raises the question of who bears ultimate responsibility for the security of domestic devices. Sources converge in noting that government disinfection does not solve the root vulnerability: devices remain exposed to reinfection, and owners gain neither awareness nor defensive capability.
The energy sector is identified among potential targets, with adversaries able to "probe and potentially disrupt" Canadian infrastructure. But the friction point is maintenance. Proxy botnets exploit the absence of patching, the failure to rotate credentials, unmanaged end-of-life. State intervention temporarily substitutes for the irresponsible owner, without building a sustainable model. The warrant is a significant legal milestone, but its repeatability depends on the persistence of a device class that the market produces and abandons.
The document's publication in June 2026, after two years of secrecy, offers retrospective transparency. It does not clarify whether transparency will be structural for future operations. Canadian businesses and consumers — and by extension subjects in Five Eyes jurisdictions — must now factor in that their domestic infrastructure may be accessed, modified, or disconnected by an intelligence agency without individual notice, under judicial authorization based on threat standards the court qualifies but does not publish in technical detail.
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/06/canadas-spy-agency-used-first-of-its.html
- https://news.risky.biz/risky-bulletin-canadas-spy-agency-allowed-to-remove-a-botnet-from-canadian-devices/
- https://www.todayville.com/canadas-spy-service-won-permission-to-hack-two-state-linked-botnets-assessed-to-likely-include-china-hiding-inside-canadian-homes/
- https://www.law360.ca/ca/pulse/articles/2489793
- https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js
- https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/