Canada’s Communications Security Establishment released its 2025-2026 Annual Report on July 6, disclosing for the first time a series of authorized offensive cyber operations — including breaking into ransomware gang systems, destroying their complete infrastructure, and deleting data those gangs had stolen from victims. The disclosure is among the most detailed public accounting of offensive cyber activity issued by a Western intelligence agency.
How CSE’s Legal Authority Enables Offensive Cyber Operations Abroad
CSE — Canada’s national cryptologic agency, responsible for both signals intelligence and offensive and defensive cyber capabilities — operates under the National Cyber Security Act, which authorizes the agency to conduct active cyber operations targeting systems outside Canada for government-sanctioned purposes. The annual report is the statutory accountability mechanism through which those operations receive public disclosure, making it one of the few structured transparency mechanisms of its kind among Five Eyes partners.
The 2025-2026 report describes four distinct categories of authorized technical operations carried out during the reporting period, spanning ransomware disruption, counter-narcotics enforcement, and violent extremism.
Dismantling a RaaS Gang’s Full Infrastructure and Deleting Victim Data
The most operationally significant disclosure involves a single ransomware-as-a-service gang against which CSE conducted a comprehensive campaign. The agency used signals intelligence to construct a complete map of the gang’s technical infrastructure, then executed a technical disruption that destroyed that infrastructure entirely — and, in a step that distinguishes this operation from most law enforcement actions, deleted the data the gang had stolen from victims.
Standard ransomware takedowns typically preserve criminal servers for forensic examination, evidence gathering, and criminal prosecution. CSE’s reported active deletion of victim data goes further, raising questions about whether affected victims were notified — a detail the report does not address. The public acknowledgment of this capability marks a significant shift in what Western intelligence agencies are willing to disclose about the scope and outcomes of their offensive operations.
Disrupting 10 Ransomware Operations Across the Reporting Period
Beyond the fully dismantled gang, CSE confirmed it disrupted 10 major ransomware groups during the same reporting period, impairing their operational capabilities without identifying the groups by name or specifying the methods used. The aggregate scale — one gang destroyed in full and ten others disrupted — indicates a sustained, systematic campaign against ransomware infrastructure rather than reactive response to individual incidents.
Extending Offensive Cyber Tools to Fentanyl Networks and Violent Extremism
Two additional disclosures in the annual report extend into domains that are unusual for a signals intelligence agency. CSE confirmed it used offensive cyber tools to access systems operated by cybercriminals facilitating the sale of fentanyl precursor chemicals — a counter-narcotics application of intelligence capabilities more commonly associated with state-level adversary targeting or military operations. This represents a documented intersection of technical intelligence authority and drug enforcement rarely acknowledged publicly.
A fourth disclosed operation targeted a foreign violent extremist group spreading violent ideology online. CSE disrupted the group’s digital infrastructure using technical capabilities, though the report provides no specifics on the group’s identity, geographic base, or the methods employed.
CSE’s Annual Report Sets a Transparency Standard Among Five Eyes Agencies
Most Five Eyes members — including the UK’s GCHQ, Australia’s Australian Signals Directorate, and the US NSA — conduct offensive cyber operations without providing public accounting of specific targets, disruption methods, or data outcomes. CSE’s annual report provides exactly that framework, making it an outlier in the transparency extended to domestic and allied audiences.
The disclosures also illustrate an evolution in how Western governments frame the authorized scope of offensive cyber tools. Ransomware-as-a-service gangs, drug supply networks, and violent extremist groups now sit alongside traditional state-level adversaries as legitimate targets under Canada’s national security legislation — a framing that has significant implications for how allied governments may argue the appropriate boundaries of their own cyber authority going forward.
Whether CSE’s model — structured public reporting on offensive scope within a statutory accountability framework — influences how other Five Eyes members disclose their operations remains an open question. For now, the 2025-2026 Annual Report establishes a disclosure standard that the security community and partner agencies will measure subsequent accountability claims against.
