Russian authorities reportedly utilized Cellebrite’s forensic technology to access the iPhone of opposition activist Andrey Pivovarov in June 2021. This incident occurred three months after Cellebrite declared it would cease sales of its tools to Russia and Belarus. The Citizen Lab brought this to light on June 25, citing both digital traces on the device and a corroborating Russian government report.
Forensic Examination Revealed
Investigators were found to have searched the extracted data for connections to political figures, opposition groups, and activist organizations. Unlike remote spyware, this was a forensic examination conducted on a seized device as part of a political prosecution. Pivovarov was involved with Open Russia, an organization labeled “undesirable” by the Kremlin, which resulted in criminal charges for continued association.
In May 2021, Pivovarov was detained at St. Petersburg airport, and his iPhone 12 and a MacBook were confiscated. Although he did not consent to their search or provide passwords, the devices remained in custody until 2023. He was sentenced to four years in July 2022 and was released in August 2024 as part of a prisoner exchange.
Evidence of Unauthorized Use
The phone was handed to Citizen Lab researchers in fall 2025, and their examination revealed traces from 2021, when it was under Russian control. MobileLockdown records, which document an iPhone’s trusted USB connections, showed a connection on June 17, 2021, with a host ID consistent with a Cellebrite fingerprint recognized from a prior case in Jordan, establishing high-confidence evidence of the tool’s use.
Russia’s documentation corroborated these findings. Pivovarov received a “Forensic Expert Report No. 1269-17” during prosecution, prepared by the Interior Ministry’s forensic center for the Investigative Committee. The report explicitly named Cellebrite’s UFED Physical Analyzer and UFED 4PC, detailing data extraction from apps like WhatsApp and Telegram, and searches for opposition figures including Mikhail Khodorkovsky.
Implications of Continued Use
Cellebrite had announced in March 2021 that it would halt sales to Russia and Belarus, which effectively discontinued updates but left existing hardware functional. Much of UFED’s functionality continues to work offline after support ends, which highlights the risk posed by existing installations in law enforcement offices. Previous reports indicated that Russia continued to employ Cellebrite’s tools on detainees’ phones beyond the sales ban.
Cellebrite responded on June 22, asserting that any use of its legacy hardware in Russia post-March 2021 was “unauthorized.” While the hardware operates without Cellebrite’s support or consent, the company keeps Russia on its restricted-customer list and is transitioning to subscription licenses that deactivate upon expiration.
Future Outlook and Recommendations
People whose names were retrieved from Pivovarov’s phone were later targeted in a phishing operation linked to Russian intelligence. The Citizen Lab advises potential seizure targets to adopt strong security measures, such as using alphanumeric passcodes, updating operating systems, activating Lockdown Mode on iPhones, and ensuring devices are powered off in high-risk situations. This case is part of a broader pattern of Cellebrite misuse and underscores the limitations of sales cutoffs when legacy tools remain operational.
