Canada’s domestic intelligence service reached into the routers, servers, and smart-home devices sitting in Canadians’ own homes — and wiped the malware off them. A Federal Court ruling, released in public form on June 15, 2026, reveals that the Canadian Security Intelligence Service (CSIS) obtained a first-of-its-kind threat-reduction warrant authorizing it to alter, degrade, and destroy botnet data on infected machines on Canadian soil and to cut those devices loose from two foreign-controlled botnets.

It is the first time CSIS has used its threat-reduction powers this way, and it marks a notable escalation in how Western governments are willing to act directly on private citizens’ hardware to defend national infrastructure.

What the warrant allowed

Justice Catherine Kane granted the warrant on May 1, 2024, renewed it that August, and issued the confidential reasons in February 2026, before the public version emerged this month. The order let CSIS modify and erase botnet data on the infected machines and sever the devices from the command-and-control networks running them.

CSIS needed judicial authorization precisely because the cleanup would otherwise have been a crime. Reaching into someone else’s device and wiping data is computer mischief under Canada’s Criminal Code — so even a well-intentioned remediation required a warrant to make it lawful. That legal nuance is the heart of why this case matters: it establishes that defensive intrusion into citizens’ own devices is permissible, but only under court supervision.

The devices in the crosshairs

The targeted hardware reads like an inventory of the modern home and small office:

  • SOHO routers — small office / home office networking gear
  • Internet of Things devices: Ring doorbells, security cameras, smart TVs, and other Wi-Fi-enabled appliances
  • Canada-based servers caught up in the botnet infrastructure

These are the same forgotten, under-monitored devices that malware families increasingly prefer — the exact problem on display in the AryStinger campaign hijacking 4,300 legacy routers into a stealth reconnaissance network. When attackers route through hijacked Canadian hardware, a foreign state can look like an ordinary residential connection while it probes sensitive targets.

Why a spy agency, not just police

The court’s reasoning centered on the national-security threat, not ordinary cybercrime. By tunneling through compromised devices physically located in Canada, a hostile state actor could disguise its operations as benign domestic traffic while it reconnoitered critical systems. The ruling specifically flagged the energy sector and warned that the adversaries could direct the botnets to probe and potentially disrupt Canadian infrastructure.

That framing places the action alongside the broader, more aggressive posture law enforcement and intelligence agencies are adopting globally — from Europol’s Operation Endgame SocGholish takedown that cleaned nearly 15,000 compromised WordPress sites to the international effort that dismantled the Kimwolf DDoS botnet. The common thread: agencies are no longer content to seize the operators’ servers and leave the victims infected. They are remediating the endpoints themselves.

The civil-liberties tension

The warrant is a defensive win, but it is not without friction. The notion of an intelligence service silently modifying data on private citizens’ devices — without their knowledge or consent — raises obvious questions about oversight, scope creep, and what precedent it sets for future operations. The court’s answer was procedural: such actions are lawful, but only with a warrant, judicial reasons, and renewal requirements. That CSIS sought authorization rather than acting unilaterally is the safeguard the ruling leans on.

For defenders and device owners, the practical takeaway is uncomfortable but clear: your unpatched smart doorbell can become a matter of national security, and the state now has a sanctioned path to act on it.

What to do now

  • Inventory your IoT. Every internet-connected camera, doorbell, TV, and router is a potential botnet node. You cannot secure what you have not counted.
  • Change default credentials on all smart-home devices and disable remote access you do not use.
  • Patch or replace. Apply firmware updates; retire end-of-life devices that no longer receive them.
  • Segment IoT onto its own network so a compromised device cannot be used as a pivot into machines that matter.
  • Watch for unexplained outbound traffic from home and small-office devices — a hallmark of botnet enrollment.
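
The inventory, segmentation and outbound-traffic items above can be checked together against a router's connection log. The sketch below is an added example, not part of the original article; the subnets, the inventory, the `src dst` record format and every address in it are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing: IoT on its own VLAN, machines that matter on another.
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")

# Constructed inventory: each counted device and the cloud endpoints it
# is expected to reach (documentation address ranges, not real services).
INVENTORY = {
    "192.168.50.11": {"203.0.113.10"},  # doorbell
    "192.168.50.12": {"203.0.113.20"},  # camera
}

# Constructed "src dst" records, as reduced from a router connection log.
SAMPLE_FLOWS = """\
192.168.50.11 203.0.113.10
192.168.50.12 203.0.113.20
192.168.50.12 198.51.100.7
192.168.50.12 198.51.100.8
192.168.50.12 198.51.100.9
192.168.50.12 192.168.10.5
192.168.50.30 203.0.113.99
192.168.10.5 198.51.100.7
truncated-line
"""

def review_flows(text, fanout_limit=3):
    """Return {iot_device: sorted list of findings} for the flow records."""
    findings, unexpected = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        try:
            src, dst = (ipaddress.ip_address(f) for f in line.split())
        except ValueError:
            continue  # malformed or truncated record
        if src not in IOT_NET:
            continue  # only IoT-segment sources are reviewed here
        dev = str(src)
        if dev not in INVENTORY:
            findings[dev].add("not-in-inventory")
        if dst in TRUSTED_NET:
            findings[dev].add("pivot-to-trusted")  # segmentation is leaking
        elif dst not in IOT_NET and str(dst) not in INVENTORY.get(dev, set()):
            unexpected[dev].add(str(dst))
    for dev, dsts in unexpected.items():
        findings[dev].add("unexpected-destination")
        if len(dsts) >= fanout_limit:
            findings[dev].add("high-fanout")  # many distinct unknown peers
    return {dev: sorted(tags) for dev, tags in findings.items()}

if __name__ == "__main__":
    for dev, tags in review_flows(SAMPLE_FLOWS).items():
        print(dev, ", ".join(tags))
```

A device that appears in the log but not in the inventory is reported even if its traffic looks ordinary, since an uncounted device is the first gap the list above warns about.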
