
CSIS allowed to remotely clean Canadian routers and IoT botnets

CyberSecureFox Editorial Team

The Federal Court of Canada has published a redacted version of a ruling confirming that the Canadian intelligence service CSIS obtained judicial authorization to remotely interfere with infected servers, home routers and Internet of Things devices within the country in order to dismantle two botnets controlled by foreign states. This is the first publicly confirmed case of CSIS using its threat reduction warrant powers to actively destroy malicious infrastructure on third-party devices. The ruling affects owners of SOHO routers, IoT devices and servers in Canada, and sets a legal precedent for intelligence-led botnet disinfection operations in democratic countries.

Timeline and legal basis of the operation

According to the published decision of the Federal Court, Justice Catherine Kane issued the warrant on May 1, 2024, extended it in August of the same year, and the classified reasoning was finalized in February 2026. The document remained sealed for more than two years before a redacted version was released in June.

The warrant granted CSIS the authority to alter, degrade and destroy botnet data on infected machines, as well as disconnect devices from malicious networks. The court found that the threat to Canada’s security was “clearly established and imminent,” and that the measures taken were necessary, reasonable and proportionate.

A key point is that CSIS was required to seek judicial authorization because remotely interfering with someone else’s devices and deleting data is classified as computer mischief under the Canadian Criminal Code. The court emphasized that the operation was directed at devices, not people: users were not identified, the content of communications was not intercepted, and any incidentally collected personal data was to be destroyed.

Affected devices and technical architecture

The targets of the operation were servers located in Canada, small office/home office (SOHO) routers, and IoT devices: Ring doorbells, surveillance cameras, televisions and other Wi‑Fi connected household appliances.

Both botnets used a standard multi-tier relay architecture: the command tier issued instructions, while a layer of infected devices forwarded traffic. By routing data through compromised Canadian equipment, the foreign state was able to masquerade as an ordinary home connection or an internet service provider’s customer, while simultaneously conducting reconnaissance of critical infrastructure, government and military networks. The owner of an infected doorbell, in turn, appeared responsible for traffic they had never generated.

Context: comparison with FBI operations

The Canadian operation coincides chronologically with a series of court‑authorized botnet takedowns in the United States. In December 2023, the FBI used the command channel of the KV-botnet to remove malware from hundreds of American SOHO routers — primarily obsolete Cisco and Netgear models — which were reportedly used by the China‑linked group Volt Typhoon to conceal access to communications, energy, water and transportation systems. A few weeks later, a similar operation was carried out against a network of Ubiquiti routers, allegedly turned into a spying relay network by the group APT28, associated with Russia’s GRU.

The key legal distinction is that the American operations were conducted by law enforcement agencies (the FBI and the Department of Justice) under their search and seizure authorities. The Canadian operation is an action by an intelligence service, using a mechanism of active threat reduction rather than mere information gathering. These powers were enshrined in the CSIS Act and overhauled in the National Security Act, 2017, which came into force in 2019. Before this case, CSIS had never exercised these powers in this manner.

Attribution and unresolved questions

The public ruling confirms the involvement of two foreign state adversaries, but their identities are completely blacked out in the document. The timeline and tradecraft align with activity attributed to China and Russia, but the redacted decision does not allow one to determine whether both botnets belonged to a single state or to different ones.

A separate legal issue remains unresolved. According to secondary sources, CSIS’s application relied on IP addresses collected without a warrant — and this occurred shortly after the Supreme Court of Canada, in R. v. Bykovets, ruled that an IP address falls within a reasonable expectation of privacy. Whether this collection was compatible with CSIS’s statutory powers, and whether the owners of disinfected devices were notified, has not been publicly clarified.

Practical recommendations

State-led cleanup removes malware but does not eliminate the vulnerabilities that enabled the infection. Experience from U.S. operations has shown that a reboot or factory reset can undo the fix and once again expose the device to reinfection. The responsibility for protection lies with the equipment owner.

  • Decommission outdated routers for which the manufacturer has stopped releasing firmware updates (primarily unsupported Cisco and Netgear models).
  • Update the firmware on all SOHO routers and IoT devices to the latest available version.
  • Change default credentials on all devices with a web management interface.
  • Disable external access to management panels for routers and IoT devices — the administration interface should not be reachable from the internet.
  • Segment the network: IoT devices (cameras, doorbells, televisions) should be placed in a separate VLAN segment, isolated from workstations and servers.
  • Monitor outbound traffic for abnormal connections to unknown external IP addresses, especially from devices that should not normally initiate such connections.
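The last two recommendations (segmenting IoT devices and watching their outbound traffic, plus keeping management interfaces off the internet) can be turned into a simple flow-log check. The script below is an added example, not code from the article or from CSIS; the network layout, per-device vendor allowlists and the log lines are all constructed for illustration.

```python
import ipaddress

# Constructed sample flow-log lines (not from the article); fields are
# timestamp, source IP, destination IP, destination port.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 192.168.20.11 198.51.100.10 443
2024-05-01T10:00:05 192.168.20.11 203.0.113.77 8443
2024-05-01T10:00:09 192.168.20.12 198.51.100.5 443
2024-05-01T10:01:00 192.168.10.5 192.0.2.34 443
2024-05-01T10:02:00 203.0.113.200 192.168.1.1 8080
2024-05-01T10:02:30 192.168.20.11 198.51.100.10 443
"""

# Assumed layout: everything in 192.168.0.0/16 is local; IoT devices sit in
# their own VLAN (192.168.20.0/24) and each should only ever reach its
# vendor's cloud range (constructed values, one allowlist per device).
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
IOT_SEGMENT = ipaddress.ip_network("192.168.20.0/24")
IOT_EXPECTED = {
    "192.168.20.11": [ipaddress.ip_network("198.51.100.0/28")],  # doorbell -> vendor cloud
    "192.168.20.12": [ipaddress.ip_network("198.51.100.0/28")],  # camera -> vendor cloud
}
# Ports typically serving router/IoT web admin panels; an inbound hit from a
# non-local address means the management interface is reachable from outside.
MGMT_PORTS = {80, 443, 8080, 8443}


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def find_anomalies(log_text):
    """Return (src, dst, dport, reason) tuples for two checks:
    an IoT device talking to a destination outside its allowlist (possible
    relay/C2 traffic), and an external host reaching a local management port."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        _ts, src, dst, dport = line.split()
        src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if is_local(src) and not is_local(dst) and src in IOT_SEGMENT:
            if not any(dst in net for net in IOT_EXPECTED.get(str(src), [])):
                findings.append((str(src), str(dst), dport, "iot-unexpected-outbound"))
        elif not is_local(src) and is_local(dst) and dport in MGMT_PORTS:
            findings.append((str(src), str(dst), dport, "mgmt-exposed-inbound"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_FLOWS):
        print(finding)
```

On the constructed log this flags the doorbell's connection to 203.0.113.77:8443 and an outside host reaching 192.168.1.1:8080; the workstation's outbound connection is ignored because it is not in the IoT segment.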

The Canadian precedent shows that state intelligence services are beginning to use active interference mechanisms to combat botnets — but each such operation is a one‑off action, not a systemic defense. The only sustainable measure is to replace unsupported equipment and close administrative interfaces exposed to the internet. Organizations and home users operating SOHO routers and IoT devices should audit their equipment now, rather than wait until their devices become part of the next relay network for foreign intelligence.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
