Canada's Spy Service Won Permission to Hack Two State-Linked Botnets — Assessed to Likely Include China — Hiding Inside Canadian Homes

OTTAWA — For the first time, a Federal Court judge has authorized Canada’s intelligence service to hack into privately owned routers, servers and household internet devices across the country and disarm the malicious software that conscripts them into foreign botnets, a power the court itself acknowledged would otherwise be a crime. The botnets are virtual armies implanted by hostile states to act as trojan horses, attacking critical Canadian infrastructure from within Canadian homes.
A newly released Federal Court ruling reveals the first warrant of its kind ever granted to the Canadian Security Intelligence Service — authority to neutralize two state-run botnets pre-positioned against critical infrastructure, in what The Bureau assesses is Canada’s leg of a broader Five Eyes campaign that, across 2024, disrupted both Chinese and Russian intrusions.
The authority is disclosed in newly released reasons from Madam Justice Kane, who granted the warrant on May 1, 2024, and renewed it that August. Her reasons, dated February 2026, were made public only this week — more than two years after the warrant was first granted — after government lawyers applied significant redactions that stripped out the identities of the two foreign adversaries, along with other material they deemed national security secrets. That choice may itself invite scrutiny: the United States has openly attributed closely similar intrusions — and, in The Bureau’s assessment, likely part of the very same campaign — to Chinese state hackers, including the group known as Volt Typhoon.
The Federal Court announced the decision Monday as the first judicial authorization permitting CSIS to use threat reduction measures to protect critical infrastructure from foreign adversaries.
The ruling names no adversary. But its technical fingerprint, and its timing, place it squarely within an allied campaign that the United States made public through 2024 — a link the court itself invited, noting that the CSIS affiant pointed to a U.S. press release on disrupting cyber threats and to other Five Eyes governments being more open about botnet takedowns.
The U.S. intelligence community calls the People’s Republic the “most active and persistent cyber threat” to American institutions, and the Office of the National Cyber Director has warned that Beijing seeks to “hold at risk U.S. and allied critical infrastructure.”
Congressional researchers track three publicly disclosed Chinese state-sponsored groups under the “Typhoon” label Microsoft assigns to Beijing’s hackers: Volt Typhoon, which pre-positions inside American energy, water, communications and transportation systems to prepare for disruption rather than espionage; Flax Typhoon, tied to Chinese contractors and built on a botnet of more than 260,000 internet-connected devices that U.S. authorities disrupted in September 2024; and Salt Typhoon, linked to the 2024 compromise of American telecommunications carriers.
It is the first two — Volt and Flax — that most closely fit the Canadian warrant. Volt Typhoon’s botnet was built largely on “end of life” Cisco and NetGear routers no longer receiving security patches — the very class of vulnerable hardware the Canadian court singled out — and served to pre-position against critical infrastructure, mirroring the ruling’s account of hijacked devices used as covert doorways into energy and government systems.
Flax Typhoon’s botnet of internet-connected cameras and appliances, in turn, mirrors the court’s emphasis on compromised household devices. Together the two would explain the reference to two foreign adversaries as two distinct Chinese operations. But the phrase can also be read as two different states. Within weeks of each other in early 2024, the FBI disrupted both Volt Typhoon’s router botnet and a separate network of routers that Russia’s military intelligence, the GRU, had turned into a global espionage platform — leaving a Chinese-and-Russian pairing equally consistent with the timing. The Bureau cannot resolve which from the redacted reasons.
What is on the record is that Canada is no bystander: the Communications Security Establishment’s cyber centre co-signed the Five Eyes advisories that named Volt Typhoon as a Chinese state-sponsored actor pre-positioning for disruption in the event of a crisis.
It is the first application of its kind since Parliament created the threat reduction power in the 2017 national security overhaul. CSIS sought what the court called the Cyber Threat Reduction Measures Warrant because the steps required to dismantle the networks — altering, degrading and destroying data on infected machines — would, absent a judge’s order, amount to offences under the Criminal Code’s computer-mischief provisions.
According to the ruling, the threat came from two botnets controlled by two foreign adversaries. A botnet is a network of compromised devices — in this case Canada-based servers, small office and home office routers, and Internet of Things hardware, the everyday objects the court listed as doorbell cameras, security cameras, televisions and other Wi-Fi appliances. Cyber actors seize control of these devices, the affiant explained, and operate them in two layers: a command-and-control tier that issues instructions, and a client tier of infected machines, or bots, that carry them out.
The strategic danger, as the court described it, is concealment.
By routing through hijacked Canadian devices, a hostile state can appear to be a legitimate connection — a service provider’s customer, an employee working from home — while probing critical infrastructure, military networks and government systems. The compromised devices become covert entry points, and the victimized owner can be made to look responsible for attacks they never launched. The court identified the energy sector among the targets, and warned that without the warrant the adversaries could direct their botnets to probe and potentially disrupt Canadian infrastructure.
The judge was emphatic that the operation targeted machines, not their owners. CSIS would not seek the identity of any user, would intercept no content, and would destroy any personal information incidentally swept up.
Two further legal dimensions deserve scrutiny. The warrant rested on internet protocol addresses CSIS had gathered without a warrant — a method the Supreme Court complicated in early 2024 when it held that Canadians have a reasonable expectation of privacy in an IP address. The Federal Court navigated the tension in a companion classified decision, finding the addresses were lawfully and non-intrusively collected and led only to devices, not people. And the warrant cleared the court cleanly, with a security-cleared lawyer appointed to probe the evidence and win a requirement that CSIS use the least intrusive means available.
The court left the broader stakes in plain language. Without the warrant, it found, the foreign adversaries would regard Canada as an easy target to exploit.



And now Melanie Joly is in China inviting Chinese EV mfrs to build 200,000+ vehicles in Canada!
Mobile Chinese intelligence tracking bots.
The liberal cult self-destructing.
"By routing through hijacked Canadian devices, a hostile state can appear to be a legitimate connection — a service provider’s customer, an employee working from home — while probing critical infrastructure, military networks and government systems. The compromised devices become covert entry points, and the victimized owner can be made to look responsible for attacks they never launched. The court identified the energy sector among the targets, and warned that without the warrant the adversaries could direct their botnets to probe and potentially disrupt Canadian infrastructure."