Russia cracked an activist’s iPhone with Cellebrite, months after the firm said it left



A Citizen Lab report puts forensic evidence and a Russian court document behind a familiar problem: surveillance tools do not come home when the seller asks.

A Russian government unit broke into the iPhone of a detained opposition politician using a forensic tool made by Cellebrite, three months after the Israeli firm publicly announced it had stopped selling to Moscow.

The detail that makes the case land is not the hack itself, but the paper trail: the government wrote down what it did.

Researchers at the Citizen Lab, the digital-rights group at the University of Toronto, said they found forensic evidence that a Russian investigative unit used Cellebrite’s phone-cracking tool, UFED, on the iPhone of Andrey Pivovarov in June 2021.

Authorities had detained Pivovarov, then director of the now-defunct opposition group Open Russia, and confiscated his iPhone 12 and MacBook in May of that year.

In March 2021, Cellebrite had announced it would “immediately” stop selling its technology to Russian and Belarusian government customers. The company has also stated that when it cuts ties, it can stop a device from functioning or receiving updates. In this case, by the Citizen Lab’s account, it did not.

Pivovarov gave the researchers a court document from his own prosecution. In it, Russia’s Criminalist Expert Center described using Cellebrite UFED to extract data from his phone, including WhatsApp and Telegram messages, and searching the device for political terms and the names of opposition figures.

It is a rare thing for a government to file, in writing, the make and model of the tool it used to surveil a dissident.

Cellebrite, which sells to governments worldwide and keeps a second headquarters in Virginia, did not dispute that the tool was used. Its chief marketing officer, David Gee, told the Citizen Lab in an email shared with TechCrunch that the company “stopped all sales and services to the Russian Federation in March 2021, terminating existing licenses,” and that “any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorized.”

Gee and a company spokesperson did not answer a series of more specific questions.

That gap, between cutting a contract and clawing back a working machine, is the point the researchers press. “It’s not surprising, and is the result of the policies of Cellebrite,” said Eitay Mack, an Israeli human-rights lawyer who has long campaigned against the country’s surveillance-tech exporters.

Mack noted that Cellebrite will not say whether it asks customers to dismantle the tools after a relationship ends.

John Scott-Railton, a senior researcher at the Citizen Lab, argued the company should go further, remotely disabling deployments after credible reports of abuse and watermarking extracted data so it can be traced to a specific device.

In plain terms, Cellebrite should be able to brick its own machines and stamp their output, ending what Scott-Railton called an era of plausible deniability.

The pattern is not new. Researchers have documented Cellebrite tools turned on dissidents, activists, and journalists in Hong Kong, Kenya, and Jordan, and the company has since cut ties with customers including Bangladesh, Myanmar, and, earlier this year, Serbia.

The Russia case adds the awkward wrinkle that the customer was supposedly already gone.

Pivovarov was sentenced to four years in prison and freed in August 2024 in the prisoner exchange that also returned Wall Street Journal reporter Evan Gershkovich. The Russian Embassy in Washington did not respond to a request for comment.
