Canada's Spy Agency Neutralizes Foreign Botnets with Landmark Warrant

Justice Catherine Kane granted the warrant on May 1, 2024, renewed it that August, and issued the confidential reasons in February 2026.

CSIS used a threat-reduction warrant to reach into infected devices

The Federal Court released a redacted public version of the ruling on June 15, showing that the Canadian Security Intelligence Service obtained judicial permission to access and neutralize two foreign-run botnets operating on Canadian soil. It is the first time CSIS has used its threat reduction warrant powers in this way. The warrant authorized CSIS to alter, degrade, and destroy botnet data on infected machines and to sever those devices from the relay networks that the adversaries relied on.

Targets included Canadian servers, SOHO routers, and consumer IoT — Ring doorbells to TVs

The court record lists Canada-based servers, small office/home office (SOHO) routers, and a range of Internet of Things devices as the targets. The infected appliances named in the ruling include Ring doorbells, security cameras, televisions, and “other Wi‑Fi‑enabled appliances.” The document makes plain that the operation affected devices sitting on Canadian networks rather than people: the court said no user identities were sought, no content was intercepted, and any personal data swept up incidentally was destroyed.

Court rationale: an imminent, state-linked threat with infrastructure risk

Justice Kane found the threat to Canada “clearly established and imminent,” and judged the proposed measures necessary, reasonable, and proportional. The ruling described the botnets’ standard relay architecture: a command tier issuing orders and a layer of infected devices relaying traffic. By routing hostile traffic through hijacked Canadian hardware, a foreign state makes its reconnaissance appear to originate from residential IP space, where it blends into ordinary ISP traffic and is harder for a target to block or attribute, while the real targets are government, military, and critical infrastructure networks. The court specifically flagged the energy sector among the likely targets and warned adversaries could use the botnets to probe and potentially disrupt Canadian infrastructure.

How this compares to U.S. botnet cleanups: similar tactics, different authority

The timing and technique echoed a run of U.S. court‑ordered cleanups in late 2023 and early 2024. In December 2023 the FBI used a botnet’s own command channel to delete the KV‑botnet malware from hundreds of U.S. SOHO routers, mostly end‑of‑life Cisco and Netgear devices, that the China‑linked Volt Typhoon was using to stage access ahead of a possible crisis inside American communications, energy, water, and transportation systems. Weeks later the FBI ran a similar operation against a separate network of Ubiquiti EdgeRouters that Russia’s GRU, through the APT28 group, had turned into a relay. The difference in Canada’s case is institutional: the U.S. actions were law‑enforcement search‑and‑seizure operations by the FBI and DOJ, whereas Canada’s action was carried out by an intelligence service exercising threat‑reduction measures under the CSIS Act as reworked in the National Security Act, 2017 (which took effect in 2019). The court record shows CSIS had not previously used this power in the same manner.

What this means for technologists, policymakers, and end users

  • Technologists and security teams: Inventory and replace end‑of‑life routers, disable WAN‑facing management interfaces, and watch for relay‑style traffic (a device that accepts an inbound connection from outside and, moments later, fans out to new destinations with mirrored byte volumes). Removal of malware does not fix the vulnerability that allowed the compromise, so a cleaned device stays reinfectable until it is patched or retired.
  • Policymakers and regulators: Expect scrutiny of the legal basis for the action; the public ruling notes the operation relied on a foreign‑state finding but redacted the adversary identities, and it raises questions about evidence collection practices discussed below.
  • End users and the public: A government cleanup can remove active malware but not repair unpatched devices or default credentials — owners remain responsible for retiring vulnerable hardware and applying firmware updates.
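The relay shape described under the court’s rationale (an upstream node connects in, the hijacked device connects out to the real targets) is something a network team can score from flow records. The following is an added example, not CSIS, FBI or court tooling: it triages Zeek conn.log‑style records for monitored devices that accept an inbound connection and, within a short window, fan out to several external hosts with a byte volume that mirrors what they received. The subscriber range, the “sensitive” range and the connection records are constructed for the example.

```python
"""Relay-shape triage over connection records (added example, not CSIS or FBI tooling).

A SOHO router or IoT device serving as a botnet relay accepts a connection from
an upstream node and, within seconds, opens connections to targets the operator
chose, so its outbound volume mirrors what it received and its destinations fan
out. This heuristic scores that shape over Zeek conn.log-style records. The
records and address ranges are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the subscriber range under our view, and a range we treat as sensitive
# (shared/documentation ranges chosen so nothing here is routable).
MONITORED = ip_network("100.64.0.0/10")
SENSITIVE = [ip_network("203.0.113.0/24")]
RELAY_WINDOW_S = 30      # outbound must start within this many seconds of an inbound
MIN_FANOUT = 3           # distinct destinations before the shape counts as fan-out
MIRROR_TOLERANCE = 0.35  # |out/in - 1| above this is not a mirrored relay


@dataclass(frozen=True)
class Conn:
    ts: int           # epoch seconds
    orig: str         # originator address (Zeek id.orig_h)
    resp: str         # responder address (Zeek id.resp_h)
    rport: int        # responder port
    orig_bytes: int   # bytes sent by originator
    resp_bytes: int   # bytes sent by responder


def is_monitored(addr: str) -> bool:
    return ip_address(addr) in MONITORED


def is_sensitive(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in SENSITIVE)


def relay_candidates(conns):
    """Return {device: evidence} for monitored devices whose traffic has relay shape."""
    inbound = defaultdict(list)   # device -> conns where an external host connected in
    outbound = defaultdict(list)  # device -> conns the device opened to external hosts
    for c in conns:
        if is_monitored(c.resp) and not is_monitored(c.orig):
            inbound[c.resp].append(c)
        elif is_monitored(c.orig) and not is_monitored(c.resp):
            outbound[c.orig].append(c)

    findings = {}
    for dev, outs in outbound.items():
        ins = inbound.get(dev)
        if not ins:
            continue  # nothing connected in: a NAT'd client browsing normally
        # The relay hop: an outbound connection that starts shortly after an inbound
        # one and goes somewhere other than the host that connected in.
        relayed = [o for o in outs
                   if any(0 <= o.ts - i.ts <= RELAY_WINDOW_S and o.resp != i.orig
                          for i in ins)]
        targets = {o.resp for o in relayed}
        if len(targets) < MIN_FANOUT:
            continue  # an exposed service with a callback or two, not fan-out
        in_bytes = sum(i.orig_bytes for i in ins)
        out_bytes = sum(o.orig_bytes for o in relayed)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if abs(ratio - 1) > MIRROR_TOLERANCE:
            continue  # volumes do not mirror: the device originates, it does not relay
        findings[dev] = {
            "upstreams": sorted({i.orig for i in ins}),
            "targets": sorted(targets),
            "sensitive_targets": sorted(t for t in targets if is_sensitive(t)),
            "mirror_ratio": round(ratio, 2),
        }
    return findings


# Constructed records: a relay, a normal client, and a device with an exposed port.
SAMPLE_CONNS = [
    # 100.64.5.20: upstream pushes 4000 bytes in; device fans out ~4000 bytes to three hosts
    Conn(1000, "198.51.100.7", "100.64.5.20", 443, 4000, 900),
    Conn(1004, "100.64.5.20", "203.0.113.10", 443, 1300, 300),
    Conn(1006, "100.64.5.20", "203.0.113.11", 22, 1400, 300),
    Conn(1009, "100.64.5.20", "203.0.113.12", 8443, 1340, 300),
    # 100.64.9.3: ordinary client behind NAT, outbound only
    Conn(1000, "100.64.9.3", "142.250.0.1", 443, 2000, 80000),
    Conn(1002, "100.64.9.3", "13.107.0.1", 443, 1500, 40000),
    Conn(1003, "100.64.9.3", "1.1.1.1", 53, 60, 120),
    # 100.64.7.8: exposed port 8080 being scanned, plus one NTP query; no fan-out
    Conn(1000, "192.0.2.44", "100.64.7.8", 8080, 300, 250000),
    Conn(1020, "192.0.2.45", "100.64.7.8", 8080, 200, 100),
    Conn(1030, "100.64.7.8", "192.0.2.100", 123, 76, 76),
]

if __name__ == "__main__":
    for dev, evidence in relay_candidates(SAMPLE_CONNS).items():
        print(dev, evidence)
```

Only the first device is reported: the NAT’d client never receives an inbound connection, and the device with an exposed port receives connections but does not fan out. The thresholds are starting points to tune against a real flow source; the point is the shape (inbound, then timed fan‑out with mirrored volume), not the specific numbers.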

Unresolved legal thread: IP evidence and R. v. Bykovets

The public ruling leaves at least one legal loose end. According to The Bureau (which surfaced the ruling), the CSIS application relied in part on IP addresses CSIS had collected without a warrant. The application came two months after the Supreme Court of Canada’s March 2024 decision in R. v. Bykovets, which held that an IP address attracts a reasonable expectation of privacy under section 8 of the Charter. The public record does not say whether those IP‑based leads square with CSIS’s collection authorities, nor whether owners of disinfected devices were notified.

The result is a concrete, precedent‑setting intervention — an intelligence service ordered to reach into consumer gear and clean botnet relays — that simultaneously closes one chapter (malware removed from Canadian devices) and leaves others open (who exactly ran the botnets, how some evidence was gathered, and how owners were informed). The redactions and the post‑Bykovets timing mean the next legal and policy steps will matter as much as the technical fix.