Russia Used Cellebrite UFED on Activist’s iPhone After Company Said It Cut Ties


Russian authorities used Cellebrite forensic tools to access the iPhone of opposition politician Andrey Pivovarov months after the company said it had stopped selling its technology to Russia and Belarus, according to a new Citizen Lab investigation.

The case centers on Pivovarov, the former director of Open Russia, who was removed from a plane at St. Petersburg Airport on May 31, 2021. His iPhone 12 and MacBook were seized while he was in Russian custody, and he did not provide passwords or consent for a device search.

Citizen Lab says forensic traces on the iPhone show with high confidence that Cellebrite’s UFED technology was used on or around June 17, 2021. Russian government case documents later provided to Pivovarov also named Cellebrite tools as part of the extraction process.

What Citizen Lab found on Pivovarov’s iPhone

Citizen Lab examined MobileLockdown records from Pivovarov’s iPhone and found USB connection artifacts tied to a Host ID previously attributed to Cellebrite. The Host ID, 9016926980658937761372207, appeared during the period when the device was in official custody.

The stronger evidence came from Russia’s own case file. A forensic report commissioned by the Forensic Expert Center of the Russian Ministry of Interior stated that investigators used UFED 4PC and UFED Physical Analyzer to extract and analyze data from Pivovarov’s devices.

The report documented extraction from messaging apps including WhatsApp, Telegram, and Viber. Investigators also searched the extracted data for political terms, organizations, and names linked to Open Russia and Russian opposition networks.

Finding | Details
Target | Andrey Pivovarov, former director of Open Russia
Device | iPhone 12 seized by Russian authorities in 2021
Reported tool | Cellebrite UFED 4PC and UFED Physical Analyzer
Forensic trace | MobileLockdown USB records linked to a Cellebrite Host ID
Approximate date | On or around June 17, 2021

Why the timing matters

The alleged use happened after Cellebrite announced on March 18, 2021, that it would immediately stop selling its digital intelligence solutions and services to customers in Russia and Belarus.

That timing raises a larger question about what happens to forensic tools after a company says it has left a market. If hardware and software already delivered to authorities can continue operating, a sales cutoff may not stop later use in politically sensitive cases.

Cellebrite has said that any use of legacy Cellebrite hardware in Russia after March 2021 was unauthorized. The company also says it provides technology under license for legally authorized uses.

What Russian investigators searched for

The forensic report did not describe a narrow device check. It showed that investigators searched Pivovarov’s extracted data for material tied to political activity, opposition figures, and civil society contacts.

Search terms included references to Open Russia and names such as Mikhail Khodorkovsky, human rights lawyer Anastasiya Burakova, and Pivovarov’s partner Tatiana Usmanova. Citizen Lab says this shows the extraction supported a political prosecution, not a conventional criminal investigation.

Pivovarov was later sentenced to four years in prison on charges related to Russia’s law on “undesirable organizations.” He was released on August 1, 2024, as part of a major prisoner exchange between Russia and Western countries.

  • Russian authorities seized Pivovarov’s iPhone 12 and MacBook in 2021.
  • Citizen Lab found traces consistent with Cellebrite UFED use on the iPhone.
  • Russian documents named UFED 4PC and UFED Physical Analyzer.
  • Investigators extracted data from messaging apps and searched for political terms.
  • The MacBook analysis appears to have failed because of password protection and encryption.

The MacBook finding highlights the value of encryption

Citizen Lab’s report says Russian authorities appear to have failed to access Pivovarov’s MacBook. The Russian forensic report stated that analysis could not proceed because the device was protected by a password and encryption.

That detail matters for activists, journalists, lawyers, and civil society groups. Strong device encryption and strong passwords can make seized laptops harder to access, even when authorities have access to commercial forensic tools.

Phones can be more exposed when forensic products can exploit device weaknesses, bypass protections, or extract available data from a seized handset. This makes timely device updates, strong passcodes, and careful account security especially important for high-risk users.

Access Now says sales cutoffs are not enough

Access Now said the findings show why companies that sell digital forensic tools need stronger safeguards when leaving a market. The group said contract cancellation alone does not prevent misuse if already deployed tools can keep working.

Access Now, Citizen Lab, and Pivovarov sent a letter to Cellebrite calling for stronger controls, including better human rights due diligence, effective exit procedures, and technical measures that can stop abusive use after a contract ends.

The concern extends beyond Russia. Citizen Lab and rights groups have documented or reported Cellebrite-related misuse concerns in multiple countries, including Serbia, Jordan, Kenya, Myanmar, Bahrain, Botswana, and others.

Issue | Why it matters
Legacy tools | Previously sold forensic systems may keep working after contract cancellation.
Offline use | Some core extraction capabilities may not need active vendor support.
Weak exit controls | A sales ban may not stop tools already in government hands.
Political prosecutions | Extracted data can expose activists, contacts, lawyers, and opposition networks.

Citizen Lab also points to a worrying overlap. Some people whose names appeared in searches on Pivovarov’s device were later targeted in phishing campaigns linked to Russia-aligned threat activity.

The 2024 Rivers of Phish report by Citizen Lab and Access Now attributed one campaign to COLDRIVER, also known as Star Blizzard, Callisto, and other names. The report said several governments link COLDRIVER to Russia’s Federal Security Service.

Citizen Lab does not claim that Cellebrite-extracted data definitively caused later phishing. It says the correlation warrants further investigation because device extractions can reveal social graphs, contacts, messaging patterns, and political networks useful for follow-on targeting.

Cellebrite’s 2021 exit statement is under scrutiny

The case puts renewed attention on Cellebrite’s 2021 exit statement. At the time, the company said it would stop selling solutions and services to customers in Russia and Belarus.

The Pivovarov case suggests that stopping new sales does not necessarily stop the use of tools already deployed. That gap matters because digital forensic products can produce highly sensitive data from phones, including messages, contacts, photos, files, and account artifacts.

For human rights groups, the key issue is accountability. They argue that vendors should not only screen customers before a sale, but also maintain mechanisms to respond when credible abuse emerges after the sale.

What civil society groups should take from the case

The investigation offers practical lessons for activists, journalists, lawyers, and nonprofit staff who may face device seizure. Physical custody of a phone or computer can create major risk, especially in countries where authorities use forensic extraction tools against political opponents.

High-risk users should treat device seizure as a possible compromise event. That means changing passwords from a safe device, reviewing logged-in sessions, rotating recovery codes, and warning close contacts if political or personal data may have been exposed.

The 2024 Citizen Lab and Access Now investigation also shows why follow-on phishing can become a serious risk. Once attackers know a person’s contacts and work relationships, phishing emails can become more personalized and harder to detect.

  • Use strong alphanumeric passcodes on phones.
  • Keep iOS, macOS, and all apps updated.
  • Enable device encryption and do not reuse passwords.
  • Use hardware security keys for high-risk accounts where possible.
  • Review account sessions after any device seizure.
  • Warn close contacts if sensitive messages or social graphs may have been exposed.

What Cellebrite is being asked to change

Rights groups want Cellebrite and similar vendors to add stronger technical and policy controls. Their recommendations include better customer screening, stronger human rights due diligence, remote deactivation after credible abuse reports, and verifiable audit trails for extractions.

Access Now’s campaign argues that companies should not rely on contract language alone when their tools can help authorities access private communications in political cases.

For Cellebrite, the Pivovarov findings create a reputational and governance problem. The company says post-March 2021 use in Russia was unauthorized, but the case suggests unauthorized use may still cause real harm if technical controls cannot stop it.

Bottom line

The Pivovarov case shows how forensic extraction tools can remain useful to government agencies after a vendor announces a market exit. It also shows how seized devices can become evidence sources in political prosecutions.

Citizen Lab’s findings are based on both device artifacts and Russian legal documents. That combination makes this case unusually detailed compared with many allegations involving surveillance and forensic tools.

The broader lesson is clear: human rights safeguards for forensic technology must extend beyond initial sales. Without effective deactivation, auditing, and abuse-response mechanisms, contract cancellation may not prevent continued use against activists and political opponents.

FAQ

What did Citizen Lab find in the Pivovarov case?

Citizen Lab found forensic traces on Andrey Pivovarov’s iPhone that it attributed with high confidence to Cellebrite UFED use. Russian case documents also named UFED 4PC and UFED Physical Analyzer as tools used to extract and analyze data.

When did Russian authorities allegedly use Cellebrite on the iPhone?

Citizen Lab says the iPhone showed traces of Cellebrite forensic tool use on or around June 17, 2021, while the device was in Russian government custody.

Had Cellebrite already stopped selling to Russia?

Cellebrite announced on March 18, 2021, that it would immediately stop selling its digital intelligence solutions and services to customers in Russia and Belarus. The alleged extraction happened roughly three months later.

Did Russian authorities access Pivovarov’s MacBook too?

Citizen Lab says Russian authorities appear to have failed to access the MacBook because it was protected by a password and encryption.

Why is this case important for activists and journalists?

The case shows that seized devices can expose private messages, contacts, and political networks. It also shows that forensic tools may continue to create risks even after a vendor says it has stopped selling to a government customer.
