A recent investigation by Citizen Lab has revealed that Kenyan authorities employed Cellebrite’s forensic extraction tool to access the phone of a well-known activist. This incident adds to the growing concerns over the misuse of such technologies against civil society.
The Citizen Lab, part of the University of Toronto’s Munk School of Global Affairs, detected the use of Cellebrite’s tools on a phone belonging to Boniface Mwangi, a Kenyan activist who has declared his intention to run for president in 2027. The phone, a Samsung model, was in police custody following Mwangi’s arrest in July 2025, and was returned in September without its original security features.
Details of the Forensic Tool Use
Indicators suggest that Cellebrite’s technology was applied to Mwangi’s device on or around July 20 and 21, 2025. By bypassing the phone’s security, authorities potentially accessed a wide range of sensitive materials, including personal messages, files, and financial data. Citizen Lab believes the tool facilitated comprehensive data extraction.
This revelation comes in the wake of another report by Citizen Lab, which highlighted similar misuse of Cellebrite tools in Jordan. Jordanian officials allegedly used the technology on activists’ phones between late 2023 and mid-2025, during detentions and interrogations.
Responses and Broader Implications
Cellebrite responded to these findings by asserting that its technology is used only within legal frameworks and with appropriate consent. However, these incidents contribute to a broader narrative of surveillance abuses, with governments employing tools like Cellebrite and other spyware for targeted monitoring.
Parallel to these findings, Amnesty International has reported on the use of Predator spyware against an Angolan journalist. This software breached Teixeira Cândido’s iPhone in May 2024, exploiting outdated operating system vulnerabilities. Although the initial infection was short-lived, it sparked numerous subsequent attempts at re-infection.
Analyzing the Predator Spyware
Expert analyses describe Predator as sophisticated spyware, capable of long-term deployment and equipped with anti-forensic mechanisms. It allows operators to adjust surveillance based on the target’s activities, illustrating the advanced nature of contemporary spyware.
Researchers from Jamf Threat Labs noted that Predator’s error code system enhances operators’ ability to adapt strategies for specific targets, transforming failures into diagnostic opportunities.
These developments underscore the intricate and far-reaching capabilities of modern surveillance tools, raising critical questions about privacy and the ethical use of technology in law enforcement and government operations.
