Russian authorities deployed Cellebrite’s Universal Forensic Extraction Device (UFED) to breach the iPhone of opposition politician Andrey Pivovarov in June 2021, months after the Israeli surveillance firm publicly announced it had terminated all contracts with Russian customers, according to a forensic investigation published by the Citizen Lab at the University of Toronto.
On May 31, 2021, Pivovarov, the former director of the pro-democracy nonprofit Open Russia, was removed from a flight at St. Petersburg Airport and detained by Russian security services.
He had recently dissolved the Russian branch of Open Russia to protect staff from prosecutorial risk following amendments to Russia’s law on “undesirable organizations.”
During questioning, his iPhone 12 and Apple MacBook were confiscated without his consent and without him providing passwords. His devices remained in official custody until 2023, when they were returned to his lawyer following his four-year prison sentence on charges of managing an “undesirable” organization. He was ultimately freed in the landmark August 2024 U.S.-Russia prisoner exchange.
Pivovarov made contact with Citizen Lab researchers at the World Liberty Congress in Berlin in the fall of 2025. An initial screen of his iPhone flagged signs of forensic extraction, prompting a detailed analysis.
Researchers identified traces of Cellebrite’s UFED on the device dating to on or around June 17, 2021, three months after Cellebrite declared it would “immediately” stop selling to Russian and Belarusian authorities.
The forensic smoking gun was a specific Host ID (9016926980658937761372207) found in MobileLockdown USB connection records on the device, previously attributed by the Citizen Lab to Cellebrite in an earlier investigation involving Jordanian civil society.
Critically, the findings were corroborated not just by forensic artifacts, but by Russia’s own paperwork. A report commissioned by Russia’s Forensic Expert Center of the Ministry of Interior (MVD) titled “ЗАКЛЮЧЕНИЕ ЭКСПЕРТА Nº 1269-17” (“Forensic Expert Report No. 1269-17”) and provided to Pivovarov during his prosecution explicitly names Cellebrite’s UFED Physical Analyzer and the UFED 4PC toolkit as the tools used to extract data from his devices.
Investigators documented extracting communications from WhatsApp, Telegram, and Viber, and used Cellebrite’s tools to search the device for specific political keywords, including names of opposition figures like Mikhail Khodorkovsky and human rights lawyer Anastasiya Burakova.
In March 2021, Cellebrite publicly announced it was terminating Russian contracts amid pressure from human rights advocates. The company’s chief marketing officer, David Gee, reiterated that position, stating: “Any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorized.”
However, the Citizen Lab’s findings, consistent with prior reporting by Haaretz and Mediazona, demonstrate that Russian authorities successfully continued leveraging the UFED platform well after the announced exit.
The tool’s offline-mode capability and its architecture, which allow core functionality to persist without vendor updates, appear to have rendered the contract cancellation largely ineffective.
Citizen Lab researchers identified a potentially alarming downstream consequence. The same individuals whose names were searched on Pivovarov’s device, including Burakova, were later targeted in phishing campaigns by COLDRIVER, a hacking group linked to Russia’s Federal Security Service (FSB), as documented in a 2024 joint investigation by Citizen Lab and Access Now.
Researchers note this correlation warrants further investigation into whether Cellebrite-extracted data may have seeded subsequent FSB surveillance operations against regime opponents abroad.
This case is part of a growing forensic record. Cellebrite technology has been confirmed by investigators in misuse cases spanning Serbia, Kenya, Jordan, Myanmar, Bahrain, and Botswana, with the company issuing contract cancellations in some but not all of those countries.
Access Now and Citizen Lab have issued a formal letter to Cellebrite demanding answers and urging the company to implement technical “kill switches” and robust human rights due diligence before future sales. Cellebrite, listed on the Nasdaq, has not announced structural changes to its export control mechanisms in response to the Pivovarov findings.

