Canada ransomware and cyber extortion policy

Canada's Spy Agency Confirms It Hacked a Ransomware Gang Out of Existence — and the Legal Framework Behind It Is Working As Designed

CSE's 2025-2026 report reveals authorized hacks on 10 ransomware gangs and one full takedown, testing the 2019 CSE Act's cyber-offense powers.

Canada's 2025 Offensive Cyber Operations Against Ran… People of Internet Research · Canada 10 Ransomware gangs disrupted CSE ran authorized technical disru… 25+ Incidents tied to one gang The RaaS group CSE fully disabled … 2019 Year offensive mandate created Bill C-59 gave CSE its active and … peopleofinternet.com
Canada's 2025 Offensive Cyber Operatio… People of Internet Research · Canada 10 Ransomware gangs disrupted 25+ Incidents tied to one gang 2019 Year offensive mandate created peopleofinternet.com

Key Takeaways

The Communications Security Establishment, Canada's signals-intelligence agency, used its July 6, 2026 annual report to disclose something governments rarely admit in public: it hacked a criminal organization until it stopped functioning. According to the 2025-2026 Annual Report, CSE's cyber-intelligence teams tracked a ransomware-as-a-service (RaaS) group responsible for more than 25 incidents against Canadian transportation, healthcare, pharmaceutical, and business targets, then ran an active cyber operation that "rendered the group's infrastructure inoperable and deleted a large amount of stolen data that was being advertised for sale on the dark web." Separately, the agency confirmed "authorized technical disruptions" against 10 major ransomware gangs during 2025, aimed at making parts of their infrastructure unusable, alongside comparable operations against fentanyl-precursor traffickers and a violent extremist group, as first reported by The Record.

The legal machinery behind the headline

This is not a rogue operation or a policy improvisation. It is the intended output of the CSE Act, which came into force in 2019 as part of Bill C-59. That law split CSE's mandate into five parts, adding "defensive cyber operations" and "active cyber operations" as distinct, ministerially authorized activities — sections 18 and 19 of the Act. Active cyber operations require sign-off from the Minister of National Defence with the consent of the Minister of Foreign Affairs, and section 32 explicitly bars CSE from causing bodily harm or obstructing justice or democracy in the course of such operations, per the Library of Parliament's legislative summary. Oversight sits with the National Security and Intelligence Review Agency (NSIRA), which replaced the old CSE Commissioner model specifically to give these new offensive powers independent scrutiny.

Seven years after that framework was written, the ransomware takedown disclosed this week is the clearest evidence yet that it functions as designed: a bounded, authorized, reviewable state hack against a criminal target outside Canada, executed without collateral harm to domestic systems.

The case for going further — and its limits

Privacy and civil liberties advocates are right to ask hard questions about offensive state hacking, and the strongest version of their case deserves a fair hearing. Active cyber operations happen in secret, are authorized by the executive rather than a court, and by design leave the public unable to verify proportionality in real time — unlike a criminal indictment, there is no adversarial process testing whether the target was correctly identified or whether the method used was the least intrusive available. NSIRA review happens after the fact, and its findings on specific operations are rarely public in enough detail to reassure skeptics. That is a legitimate structural weakness, not a fringe objection.

But the ransomware disclosure also shows the guardrails working in the direction critics say they don't: CSE is disclosing the fact and rough shape of these operations annually, rather than burying them, and doing so through a report that names specific sector impacts (healthcare, transportation, pharmaceutical) rather than vague generalities. Extortion gangs operating RaaS infrastructure are not entitled to due process protections designed for a citizen facing state power — they are foreign criminal enterprises whose "infrastructure" is the tooling of extortion. Deleting stolen data being auctioned on the dark web is a direct victim-protection measure, not a punitive one.

Where the real risk sits: Bill C-22, not CSE's offensive mandate

The more consequential fight over state power and encryption in Canada right now isn't CSE's ransomware operations abroad — it's the domestic Lawful Access Act, 2026 (Bill C-22), which cleared third reading in the House of Commons on June 18, 2026, and now awaits Senate study when Parliament resumes September 21. The bill's Part 2, the Supporting Authorized Access to Information Act, would compel "electronic service providers" to facilitate government access to communications data. The Electronic Frontier Foundation has called it a repackaged version of a bill EFF criticized in 2025, warning it threatens encryption and expands surveillance with insufficient debate on proposed amendments. Canada's own Privacy Commissioner submitted formal advice to the House Standing Committee on Public Safety flagging these concerns during the bill's study, according to the Office of the Privacy Commissioner's parliamentary submission.

The third-reading text does include a carve-out: providers cannot be compelled to decrypt data unless they themselves hold the decryption key, meaning user-applied end-to-end encryption is nominally protected. Whether that carve-out survives contact with implementation regulations — and whether "systemic vulnerability" prohibitions are enforced in practice — is the question that will determine whether C-22 becomes a template other democracies can point to, or a cautionary tale.

The distinction that matters

Canada's offensive ransomware operations and its domestic lawful-access bill get discussed as though they're the same debate about state cyber power. They aren't. One is a foreign-facing, ministerially authorized, NSIRA-reviewed program targeting criminal infrastructure with no domestic surveillance footprint. The other is a domestic data-access regime touching every Canadian's service provider. Policymakers and advocates elsewhere weighing similar tools should keep that line sharp: proportionate authority to disrupt ransomware gangs abroad is a defensible, arguably underused tool against a genuine harm; expanding compelled domestic access is a fundamentally different — and much higher-stakes — proposition that deserves the scrutiny it is currently getting in the Senate.

Sources & Citations

  1. CSE Annual Report 2025-2026
  2. Bill C-22, Lawful Access Act 2026 — Third Reading, Parliament of Canada
  3. Privacy Commissioner submission to Standing Committee on Bill C-22
  4. Library of Parliament Legislative Summary of Bill C-59 (CSE Act origins)
  5. The Record: Canadian spy agency reports hacking three criminal groups
  6. EFF: Canada Is Forging Ahead with Its Dangerous Surveillance Bill