Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff
Russia used Cellebrite forensic tools on activist's iPhone months after vendor halted sales.
Summary
Citizen Lab researchers found evidence that Russian authorities used Cellebrite's UFED forensic tools to extract data from opposition activist Andrey Pivovarov's iPhone in June 2021, three months after Cellebrite announced a sales cutoff to Russia and Belarus. The finding combines MobileLockdown USB pairing records and an official Russian government forensic report naming the Cellebrite product, documenting searches through the activist's messaging apps and contacts with opposition figures. The case highlights a critical vulnerability in weaponry embargoes: existing hardware continues functioning offline long after vendor support ends, enabling continued surveillance and persecution of political dissidents.
Full text
Swati Khandelwal | Jun 26, 2026 | Mobile Security / Digital Forensics

Russian authorities used Cellebrite's UFED forensic tools to break into the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite said it would stop selling its tools and services to Russia and Belarus.

The finding, published June 25 by the Citizen Lab, rests on two things that rarely line up: traces on the phone itself and an official Russian government report that names the tool. Investigators searched the extracted data for political contacts, opposition figures, and the names of activist organizations. This was not remote spyware. It was a forensic tool run on a seized device in custody, used to build a case in a political prosecution.

Pivovarov ran Open Russia, an opposition group the Kremlin had branded "undesirable," a label that turned continued involvement into a criminal offense. He was pulled off a flight at St. Petersburg airport on May 31, 2021, and his iPhone 12 and MacBook were confiscated. He never gave consent to a search and never handed over his passwords. The devices stayed in custody until 2023. In July 2022, he was sentenced to four years; he was freed in August 2024 in a prisoner exchange.

Pivovarov gave the phone to Citizen Lab researchers in the fall of 2025. The traces on it dated to 2021, when the device was in Russian custody. MobileLockdown records, which track an iPhone's trusted USB pairings, showed a connection on June 17, 2021, to a host ID matching a Cellebrite fingerprint the researchers had identified in a prior case in Jordan. They rate it high-confidence evidence that Cellebrite's UFED was used.

Russia's own paperwork backs the forensic read. Pivovarov received a report titled "Forensic Expert Report No. 1269-17" in the course of his prosecution, prepared for Russia's Investigative Committee by the Interior Ministry's forensic center, and he gave a copy to the Citizen Lab. It names Cellebrite's UFED Physical Analyzer and UFED 4PC by product. It documents pulling data from WhatsApp, Telegram, and Viber, and shows investigators running searches for "Open Russia Civic Movement" and for named opposition figures, including Mikhail Khodorkovsky, lawyer Anastasiya Burakova, and Pivovarov's partner Tatiana Usmanova.

The MacBook held. The MVD report describes a failed extraction, blocked by encryption, and the Citizen Lab found matching failed login attempts on the same date, indicating the authorities never had Pivovarov's password.

The timing is the point. Cellebrite announced in March 2021 that it would stop selling to Russia and Belarus, a move that cut off updates but left existing hardware running. Much of UFED keeps working offline long after support ends, the Citizen Lab says, which is the hole in the cutoff: the risk was never only future sales, it was the installed base already sitting in police and intelligence offices. That matches earlier reporting that Russia kept using Cellebrite on detainees' phones after the announcement.

Asked for comment on June 22, Cellebrite told the Citizen Lab and Access Now that any use of its legacy hardware in Russia after March 2021 is "entirely unauthorized." It said that hardware runs without its support or consent and that, today, it would be incompatible with modern devices. Russia stays permanently on its restricted-customer list, the company said, and it is shifting to subscription licenses that stop working when they expire. The distinction matters more legally than operationally: the tool still worked when Russian investigators had the phone in 2021.
One overlap is worth watching: the people whose names were searched on Pivovarov's phone later surfaced as targets of COLDRIVER, an FSB-linked phishing operation, and Burakova was targeted but did not bite. The Citizen Lab does not claim a direct link, but the mechanism is plain: extract one activist's social graph, and you have the target list for the next campaign.

Citizen Lab's advice for anyone at risk of seizure is blunt, and none of it is foolproof against a forensic tool. Use a strong alphanumeric passcode. Keep the OS current. Turn on Lockdown Mode on iPhones, or Advanced Protection on Android 16 and up. Encrypt the disk on computers. Power the device fully off before walking into a high-risk situation. If a seized device comes back, change every account password and have it examined before wiping it.

Russia joins Serbia, Kenya, and Jordan in a growing list of Cellebrite abuse cases backed by forensics. The sharper lesson is narrower: a sales cutoff that leaves old, offline-capable tools running is not much of a cutoff once the phone is already in a custody room.