Canada spy agency used court warrant to disrupt foreign botnets on home routers and IoT gear

Canada’s spy service used a judge-approved warrant in 2024 to disrupt two foreign-run botnets on servers, home routers and internet-connected devices on Canadian soil, in what the Federal Court said was the first use of those powers for that purpose.

KEY FACTS

  • Action: The warrant allowed CSIS to alter, degrade and destroy botnet data on infected devices.
  • Targets: The devices included SOHO routers, Ring doorbells, security cameras, TVs and other Wi-Fi appliances.
  • Timing: Justice Catherine Kane granted the warrant on May 1, 2024, and renewed it in August.
  • Finding: The court said the threat to Canada was clearly established, imminent and proportional to the measures used.

A public version of the ruling was released on June 15 after the confidential reasons were issued in February 2026. The disclosure said the operation targeted devices, not people, and no user identities were sought or content intercepted.

The warrant mattered because touching another person’s device to wipe or change data would normally amount to computer mischief under Canadian law. The court said the operation was needed to stop foreign actors from using hijacked Canadian hardware as relays for traffic that could mask probes into government, military and critical infrastructure networks.

The public ruling did not identify the two botnets or say whether they were tied to China, Russia or both. It also left open questions about how CSIS gathered some IP addresses and whether owners of the disinfected devices were notified.

Canada’s case followed similar U.S. operations in which the FBI and Justice Department remotely removed malware from consumer routers used by suspected state-backed operators. The Canadian action differed because it used intelligence service threat-reduction powers rather than law enforcement search and seizure authority.

WHY IT MATTERS

The case shows how governments are turning to court-supervised takedowns when neglected routers and IoT devices are used to hide hostile traffic. It also highlights the limits of such cleanups, since the underlying hardware weaknesses remain unless owners replace or secure the devices.