Citizen Lab Says Russia Used Cellebrite on Activist’s iPhone After Cutoff

Citizen Lab says Russian authorities used Cellebrite forensic tools on activist Andrey Pivovarov’s iPhone months after Cellebrite said it had stopped selling to Russia and Belarus. The case turns phone forensics into a control problem: what happens when extraction tools keep working after a vendor cuts off a customer?

Citizen Lab says Russian authorities used Cellebrite forensic extraction tools to access the iPhone of Russian opposition activist Andrey Pivovarov in June 2021, months after Cellebrite announced it would stop selling its products and services to customers in Russia and Belarus.

The new report from the University of Toronto research group is not just another allegation about surveillance technology reaching an abusive customer. Citizen Lab says it found forensic traces on Pivovarov’s iPhone 12 and matched them with Russian government documents that explicitly referenced Cellebrite UFED tools used to extract and analyze device data for his criminal prosecution.

The finding raises a practical question for digital forensics vendors, governments, courts, and civil-society groups: if a company says it has cut off a customer, can it actually stop already deployed phone-cracking systems from being used?

What Citizen Lab Found

Pivovarov, the former director of the Russia-based Open Russia organization, was detained at St. Petersburg Airport on May 31, 2021. His iPhone 12 and MacBook were confiscated during questioning, and he did not give investigators his passwords, according to Citizen Lab. Russian authorities later sentenced him to four years in prison on charges tied to an “undesirable” organization; he was released in an August 2024 prisoner exchange.

After Pivovarov’s release, Citizen Lab researchers examined his devices. The group says logs from the iPhone showed USB connections on or around June 17, 2021 to a host identifier it had previously attributed to Cellebrite. That device-access evidence was then reinforced by an official Russian forensic report given to Pivovarov during his prosecution.

The Russian report, according to Citizen Lab, named Cellebrite’s UFED Physical Analyzer and UFED 4PC toolkit. The documents also described the collection of extensive data from messaging and communications apps, including WhatsApp, Telegram, and Viber, and searches for political terms, Open Russia-related material, named opposition figures, and contacts connected to Pivovarov’s political network.

The MacBook appears to have been a different story. Citizen Lab says the Russian forensic materials described a failed attempt to access the computer’s file system because of encryption, and the researchers found evidence consistent with failed login attempts. That contrast matters: in this case, the phone appears to have yielded useful investigative data while the laptop did not.

Why the Timing Matters

Cellebrite announced on March 18, 2021 that it would immediately stop selling digital intelligence products and services to customers in Russia and Belarus. Citizen Lab’s reported June 2021 iPhone access came roughly three months later.

That gap is the core technology-policy problem. A sales ban stops new business, support, and updates, but it may not stop hardware and software already in the field. Citizen Lab argues that Cellebrite’s older forensic system architecture, including offline operation, allowed much of the UFED product’s functionality to continue even after updates stopped.

Cellebrite’s response, included in the Citizen Lab report and echoed in coverage by TechCrunch and The Guardian, is that any use of legacy Cellebrite hardware in Russia after March 2021 was unauthorized. The company also said older hardware sold before that cutoff would now be incompatible with modern devices and would operate without Cellebrite’s support or consent.

That answer leaves an uncomfortable middle ground. A tool can be unauthorized by the vendor and still useful to an agency that already has it. For activists, journalists, lawyers, and political groups, the distinction matters less than whether a seized phone can be unlocked, searched, and turned into an intelligence map of contacts and messages.

Phone Forensics Can Expose More Than One Person

Mobile forensic tools are often discussed as evidence-gathering systems for criminal investigations. Citizen Lab’s report shows why the same capability becomes more dangerous in political cases. A modern phone contains private messages, cloud tokens, location traces, photos, files, contact graphs, app databases, and years of communications context. When investigators search that material for political organizations, associates, and movement-related terms, the result can affect people far beyond the device owner.

Citizen Lab says Russian authorities searched Pivovarov’s devices for names and organizations tied to Open Russia and opposition politics. The researchers also noted a possible connection worth further investigation: some people whose names appeared in the extracted social graph were later targeted by COLDRIVER, a Russian-linked hacking group previously investigated by Citizen Lab, Access Now, and partners. Citizen Lab did not present that as proof of direct causation, but it shows why device extraction can feed later targeting work.

The report also places the Russia case inside a broader pattern. Citizen Lab has previously documented or discussed Cellebrite use in cases involving civil society, activists, journalists, or political targets in countries including Serbia, Kenya, Jordan, Myanmar, Bahrain, and Hong Kong. Access Now, which worked with Citizen Lab on related advocacy, said the Russia finding shows that cutting off sales after abuse reports is not enough if existing tools remain usable in the field.

The Controls Citizen Lab Wants

Citizen Lab’s recommendations are unusually concrete. The group wants Cellebrite and the wider mobile forensics industry to adopt cryptographically signed identifiers that would show when a forensic tool was used on a device and tie that use to a specific customer. It also calls for immutable logs, stronger due diligence before sales, meaningful remote deactivation after credible abuse reports, and clearer public reporting on how customers are approved or rejected.

Those proposals treat forensic extraction tools more like controlled infrastructure than ordinary software licenses. If a product can bypass device security, preserve or manipulate evidence, and expose an entire political network through one confiscated phone, then auditability is not an optional compliance feature. It is part of whether courts, regulators, and affected users can trust the tool’s use at all.
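As an added illustration of the signed-identifier and immutable-log proposals above (not Cellebrite's design and not code from the Citizen Lab report): a hash-chained audit log in which each extraction entry carries a customer-bound Ed25519 signature, so a verifier holding the vendor's registry of customer keys can detect reattributed, altered, unregistered or missing entries. The record format, the customer and device identifiers and the licence key are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"time"
)

// ExtractionRecord is an assumed audit-entry format (not Cellebrite's): one signed
// entry per extraction, bound to a licensed customer and chained to the previous entry.
type ExtractionRecord struct {
	CustomerID string `json:"customer_id"` // vendor-issued licence holder
	DeviceHash string `json:"device_hash"` // SHA-256 of the device identifier, not the raw value
	Timestamp  string `json:"timestamp"`   // RFC 3339, UTC
	PrevHash   string `json:"prev_hash"`   // Hash() of the previous entry; empty for the first
	Sig        string `json:"sig"`         // hex Ed25519 signature over payload()
}

// payload is the signed portion (signature blanked); Hash also covers the signature,
// so replacing a signature breaks the next entry's link.
func (r ExtractionRecord) payload() []byte { r.Sig = ""; b, _ := json.Marshal(r); return b }
func (r ExtractionRecord) Hash() string  { b, _ := json.Marshal(r); s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Sign builds the next entry with the customer's licence key; prev is nil for the first.
func Sign(prev *ExtractionRecord, priv ed25519.PrivateKey, customer, deviceID string, at time.Time) ExtractionRecord {
	d := sha256.Sum256([]byte(deviceID))
	r := ExtractionRecord{CustomerID: customer, DeviceHash: hex.EncodeToString(d[:]), Timestamp: at.UTC().Format(time.RFC3339)}
	if prev != nil {
		r.PrevHash = prev.Hash()
	}
	r.Sig = hex.EncodeToString(ed25519.Sign(priv, r.payload()))
	return r
}

// VerifyChain checks every signature against the key registered for its customer and
// every PrevHash link; it returns the index of the first bad entry, or -1 if all verify.
func VerifyChain(chain []ExtractionRecord, keys map[string]ed25519.PublicKey) int {
	for i, r := range chain {
		want := ""; if i > 0 { want = chain[i-1].Hash() } // expected link to the previous entry
		pub, ok := keys[r.CustomerID]
		sig, err := hex.DecodeString(r.Sig)
		if !ok || err != nil || !ed25519.Verify(pub, r.payload(), sig) || r.PrevHash != want {
			return i
		}
	}
	return -1
}
```

The verifier needs only the public keys registered per customer, so a court or auditor can check a log without the vendor's private material; a genuinely unlinkable or reattributed entry shows up as the index returned.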

The case also intersects with a wider security debate over exploit stockpiling. Phone-unlocking products may rely on vulnerabilities that are not immediately disclosed to device makers. When those vulnerabilities remain secret, they can help investigators access locked devices, but they can also leave the broader public exposed if the same methods leak, are reverse engineered, or are independently discovered by hostile actors.

What This Means for High-Risk Phone Users

For most people, the immediate lesson is not that every phone is equally vulnerable to forensic extraction. Device model, operating-system version, lock state, passcode strength, exploit availability, and custody conditions all matter. But for high-risk users such as journalists, dissidents, human-rights workers, lawyers, and political organizers, the report reinforces a hard reality: physical seizure changes the threat model.

Strong passcodes, current software updates, careful cloud-token hygiene, and minimizing sensitive data stored locally can reduce exposure. So can preparing for border crossings, detention risk, protest environments, or travel to jurisdictions where political device searches are plausible. No checklist can neutralize a sophisticated forensic lab, but reducing the amount of useful data on a seized phone can limit the damage.

For vendors and regulators, the Pivovarov case points to a harder standard. A promise to leave a market means little if deployed extraction systems can keep working in politically motivated investigations. The next version of mobile forensics governance will have to answer not only who is allowed to buy these tools, but how they are disabled, logged, audited, and traced after a customer loses permission to use them.
