ZCyberNews
中文
Industry News3 min readLockBit

Canadian Spy Agency Hacked Three Criminal Groups in 2025

Canada's CSE executed state-authorized hacks against a ransomware-as-a-service gang, fentanyl traffickers, and an extremist group in 2025, disrupting infrastructure and deleting...

Canadian flag in front of a government building

Executive Summary

Canada's Communications Security Establishment (CSE) carried out state-authorized offensive cyber operations against three distinct criminal groups in 2025: a ransomware-as-a-service gang, drug traffickers supplying fentanyl precursors, and a foreign extremist organization. The operations, detailed in a CSE report released last week, included disrupting ransomware infrastructure, deleting stolen data advertised on dark web marketplaces, and undermining an extremist group's recruitment capabilities. Defenders should note that CSE also conducted broader "authorized technical disruptions" against 10 major ransomware gangs last year, signaling sustained offensive pressure on criminal infrastructure.

Technical Analysis

According to the CSE report, one operation targeted an unspecified ransomware-as-a-service gang. The agency used signals intelligence to map the group's operational structure and then rendered its infrastructure inoperable. Critically, the operation deleted "a large amount of stolen data that was being advertised for sale on the dark web," according to the report. This suggests CSE gained access to the gang's data storage or leak site infrastructure, not just its command-and-control servers.

A second operation focused on overseas cybercriminals involved in selling chemicals used to manufacture fentanyl. The CSE said its hack "disrupted and diminished" the traffickers' operations. The report did not specify the technical method, but the reference to data pulled from internet-connected devices implies exploitation of exposed services or IoT vulnerabilities.

The third operation targeted a foreign extremist group "spreading violent ideology and seeking to recruit in Western countries, including Canada." The CSE said it "successfully undermined the group's credibility and limited their ability to radicalize and recruit new members." This likely involved defacement, account takeovers, or disinformation campaigns rather than pure infrastructure takedown.

The CSE also disclosed it carried out "authorized technical disruptions" against 10 major ransomware gangs in 2025, making "parts of their infrastructure unusable." The report did not name the gangs, but this aligns with a broader trend of law enforcement and intelligence agencies conducting preemptive disruptions against ransomware operations, as seen with the FBI's Hive takedown in 2023 and UK's NCA LockBit operation in 2024.

Mitigations & Recommendations

While these operations are conducted by a state intelligence agency, defenders can draw lessons. The CSE's ability to map ransomware infrastructure via signals intelligence underscores the importance of operational security for threat actors, but also highlights that victims should report incidents promptly to law enforcement. Organizations should maintain offline backups, implement network segmentation, and deploy endpoint detection and response (EDR) tools to minimize dwell time and data exfiltration. For defenders concerned about their own data being deleted by takedown operations, the key takeaway is that law enforcement may gain access to stolen data — but relying on that is not a recovery strategy.

Stay Updated

Get the latest cybersecurity news delivered to your inbox.

Tags:#canada#cse#ransomware#cyber-operations#law-enforcement#fentanyl

Related Articles