
Citizen Lab Finds Russia Used Cellebrite to Extract Data From Opposition Leader’s Phone After Contract Cutoff


Researchers at the Citizen Lab, a digital rights group housed at the University of Toronto's Munk School of Global Affairs and Public Policy, published findings on June 25, 2026, confirming that Russian authorities used Israeli forensic software company Cellebrite's flagship extraction tool to access the iPhone of Andrei Pivovarov, a Russian opposition leader who was later released in the August 2024 East-West prisoner exchange [1][2]. The extraction took place on or around June 17, 2021, three months after Cellebrite publicly announced it had terminated all contracts with Russian and Belarusian customers [3][6]. The gap between Cellebrite's exit announcement and documented continued use goes to a structural question in surveillance-technology export control: a sales cutoff does not disable hardware already operating in a police evidence lab.

Pivovarov served as director of Open Russia, a pro-democracy nonprofit that Russian authorities designated "undesirable" under a domestic law enabling criminal prosecution of affiliated individuals [1][9]. Russian security services removed Pivovarov from a flight and detained him at St. Petersburg's Pulkovo Airport on May 31, 2021. During questioning, investigators confiscated his iPhone 12 and a MacBook; he did not consent to a search and did not provide passwords. In July 2022, a Russian court sentenced him to four years in a penal colony on a charge of "carrying out the activities of an undesirable organization." He was released on Aug. 1, 2024, as part of a multinational exchange in which Russia freed 16 detainees and the U.S., Germany, Poland, Slovenia, and Norway collectively released eight detainees and two minors, including Wall Street Journal reporter Evan Gershkovich and former U.S. Marine Paul Whelan.

The Citizen Lab's forensic findings rest on two independent evidentiary pillars. Researchers identified traces of Cellebrite's forensic tools on Pivovarov's iPhone 12 on or around June 17, 2021, locating a USB connection in the device's MobileLockdown records linked to a Host ID previously attributed to Cellebrite in a separate investigation. That digital evidence is corroborated by Russia's own prosecution paperwork: a report commissioned by Russia's Forensic Expert Center of the Ministry of the Interior and provided to Pivovarov during his criminal prosecution. The report explicitly names Cellebrite's UFED Physical Analyzer and UFED 4PC toolkit, and documents the extraction of communications from WhatsApp, Telegram, and Viber, with searches for references to Open Russia and named opposition figures including Mikhail Khodorkovsky. Authorities were less successful on the MacBook: disk encryption blocked data extraction, according to the Interior Ministry report.

Cellebrite terminated its contract with the Russian Investigative Committee in March 2021, following accusations that its technology was being used to suppress political opponents. The company's own website asserted it could "stop the device from functioning or receiving software updates" upon contract termination. When a contract ends, Cellebrite can revoke software update access; it cannot, under its current product architecture, remotely disable a UFED unit that is already in a police evidence lab and operating offline. Cellebrite Chief Marketing Officer David Gee, in a written statement directed to the Citizen Lab and Access Now, said the company "stopped all sales and services to the Russian Federation in March 2021, terminating existing licenses," and characterized any subsequent use of legacy hardware as "entirely unauthorized" [24]. The Russian extraction nonetheless occurred. The Pivovarov case is part of a documented pattern of continued operational use at least two years after Cellebrite's exit announcement: Russian independent media outlet Mediazona previously reported similar use against anti-war activist Dmitry Ivanov following Russia's 2022 full-scale invasion of Ukraine.

The Citizen Lab's researchers and Access Now, a human rights nonprofit supporting Pivovarov, have issued a formal demand letter to Cellebrite calling for technical and legal remediation. Citizen Lab senior researcher John Scott-Railton called on Cellebrite to "remote-disable deployments following credible reports of abuse, and end the era of plausible deniability by implementing cryptographically-signed watermarks on all imaged devices." Pivovarov has separately urged the company to adopt digital watermarking to enable product-use traceability, according to POLITICO. Cellebrite has announced a structural change, moving away from perpetual hardware licenses toward subscription-based licensing arrangements in which access expires automatically if a contract lapses. That architectural shift would close the gap this case exposed for future customers; it leaves unaffected the installed base of governments that received hardware under perpetual licenses, including any holdover equipment now operating in Russian law enforcement facilities.

The Pivovarov case has direct implications for U.S. policy, given Cellebrite's deep integration in federal law enforcement. ICE and Homeland Security Investigations plan to spend up to $100 million over the next five years on Cellebrite's digital forensics hardware and software tools. The Justice Department serves as the sponsoring agency for Cellebrite's recently achieved FedRAMP High Authorization, which provides the most direct path for all DOJ component agencies, including the FBI, ATF, and DEA, to adopt Cellebrite Government Cloud for law enforcement and intelligence missions. Cellebrite technology has been confirmed in misuse cases spanning Serbia, Kenya, Jordan, Myanmar, Bahrain, and Botswana, raising a broader question that U.S. contracting officers and oversight committees have yet to formally address: what end-use verification obligations attach to a company whose hardware remains operable in sanctioned jurisdictions after a commercial exit, and whether existing export control frameworks under the Export Administration Regulations or the Arms Export Control Act are adequate instruments to manage that residual-use risk.



References

[1] Citizen Lab. (2026, June 25). Russia breaks into human rights activist's phone with Cellebrite. https://citizenlab.ca/research/russia-breaks-into-human-rights-activists-phone-with-cellebrite/

[2] Engadget. (2026, June 26). Russia allegedly used a forensics platform to hack an activist's phone, despite having its access cut off. https://www.engadget.com/2201736/russia-allegedly-used-a-forensics-platform-to-hack-an-activist-s-phone-despite-having-its-access-cut-off/

[3] Meduza. (2026, June 25). Russia hacked phone of opposition politician Andrei Pivovarov using Israeli firm Cellebrite's spyware. https://meduza.io/en/news/2026/06/25/russia-hacked-phone-of-opposition-politician-andrei-pivovarov-using-israeli-firm-cellebrite-s-spyware

[4] The Insider. (2026, June 27). Russian security services broke into opposition activist Andrei Pivovarov's iPhone using Israeli Cellebrite system, Citizen Lab reports. https://theins.press/en/news/294171

[5] Forbes. (2026, June 25). Russia hacked dissident's iPhone with Cellebrite tech, records show. https://www.forbes.com/sites/thomasbrewster/2026/06/25/russia-hacks-dissident-iphone-with-israeli-cellebrite-tech/

[6] CyberSecurity News. (2026, June 25). Russia used Cellebrite tool to hack activist's iPhone despite contract cancellation. https://cybersecuritynews.com/russia-cellebrite-tool-iphone/

[7] TechCrunch. (2026, June 25). Cellebrite said it cut off Russia, but Russia used its tools anyway. https://techcrunch.com/2026/06/25/cellebrite-said-it-cut-off-russia-but-russia-used-is-tools-anyway/

[8] TechTimes. (2026, June 27). Cellebrite's Russia exit failed: Forensics confirm its tools cracked activist's iPhone. https://www.techtimes.com/articles/319181/20260627/cellebrites-russia-exit-failed-forensics-confirm-its-tools-cracked-activists-iphone.htm

[9] The Hacker News. (2026, June 25). Russia used Cellebrite on jailed activist's iPhone months after sales cutoff. https://thehackernews.com/2026/06/russia-used-cellebrite-on-jailed.html

[10] Wikipedia. (2024). 2024 Ankara prisoner exchange. https://en.wikipedia.org/wiki/2024_Ankara_prisoner_exchange

[18] FedScoop. (2026, May 11). DHS units to re-up contract with controversial mobile device data extractor. https://fedscoop.com/dhs-cellebrite-privacy-drones-data-mobile-devices-ice/

[21] Cellebrite. (2026, May 6). Cellebrite Government Cloud achieves FedRAMP High Authorization. https://cellebrite.com/en/resources/press-releases/cellebrite-government-cloud-achieves-fedramp-high-authorization/

[24] TechCrunch. (2026, June 25). Cellebrite said it cut off Russia, but Russia used its tools anyway. https://techcrunch.com/2026/06/25/cellebrite-said-it-cut-off-russia-but-russia-used-is-tools-anyway/
