The Egyptian government, or entities linked to it, has hijacked local internet users’ connections to secretly mine cryptocurrency “en masse,” according to a new report by security researchers at the University of Toronto. Evidence of this type of intrusion by a nation-state is “the stuff of legends,” the researchers say, because the techniques involved are especially difficult to detect.

Researchers at the university’s Citizen Lab identified a scheme they call “AdHose” that secretly redirects Egyptian internet users’ web traffic to malware that used their computers to mine the Monero cryptocurrency or display ads. AdHose relies on hardware installed within the networks of Telecom Egypt.

It is used in two ways, the researchers found. In “spray” mode, any website that affected users tried to visit would redirect their browsers to either an ad network or cryptocurrency mining malware called Coinhive. One scan in January found 95% of devices observed, numbering over 5,700, were affected by AdHose. The report didn’t quantify the total number of affected users.

“Spray” mode is used sparingly, the researchers said. The alternative is “trickle” mode, which redirects web traffic only when users visit particular sites. These include CopticPope.org, formerly a religious website, and Babylon-X.com, a porn site. Trickle mode is in continuous operation, the researchers found.

The hardware used to implement AdHose also doubles up as a censorship tool. It blocks access to news outlets like Al Jazeera and NGOs like Human Rights Watch. Citizen Lab found similar schemes in Turkey and Syria, although instead of crypto-mining or ads, users were served with spyware when they thought they were downloading legitimate anti-virus programs.

The maker of the intrusive hardware is a Canadian firm called Sandvine, which merged with a firm called Procera Networks last year. The researchers said that Sandvine called their report “false, misleading, and wrong” when notified of the findings. Quartz has asked Sandvine for a response.