Russia accessed an activist's iPhone using Cellebrite, months after the company stated it had withdrawn.
A report from Citizen Lab presents forensic evidence and a document from a Russian court that highlight a recurring issue: surveillance tools do not return home when the seller requests. A unit of the Russian government accessed the iPhone of a detained opposition politician using a forensic tool created by Cellebrite, three months after the Israeli company publicly stated it had ceased sales to Moscow.
What substantiates this case is not just the hack but the documentation: the government recorded its actions. Researchers from Citizen Lab, a digital rights organization based at the University of Toronto, reported discovering forensic proof that a Russian investigative unit employed Cellebrite’s phone-breaking tool, UFED, on the iPhone of Andrey Pivovarov in June 2021. Authorities detained Pivovarov, who was then the director of the now-defunct opposition group Open Russia, and seized his iPhone 12 and MacBook in May of that year.
In March 2021, Cellebrite announced it would "immediately" halt sales of its technology to Russian and Belarusian government clients. The company has also indicated that it can disable a device or prevent it from receiving updates when it ends its relationship with a client. According to Citizen Lab, this did not occur in this case.
Pivovarov provided the researchers with a court document related to his prosecution. The document from Russia's Criminalist Expert Center indicated the use of Cellebrite UFED to extract information from his phone, including messages from WhatsApp and Telegram, while searching for political terms and names of opposition figures.
It is uncommon for a government to document in writing the specific tools it utilized to surveil a dissident. Cellebrite, which sells to governments globally and maintains a second headquarters in Virginia, did not contest that the tool was applied. Its chief marketing officer, David Gee, informed Citizen Lab in an email shared with TechCrunch that the company “stopped all sales and services to the Russian Federation in March 2021, terminating existing licenses,” and asserted that “any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorized.”
Gee and a company spokesperson did not respond to additional specific inquiries. The researchers focus on the gap between terminating a contract and reclaiming a functioning device. “This is not surprising and results from Cellebrite’s policies,” stated Eitay Mack, an Israeli human rights attorney who has long campaigned against the exportation of surveillance technology from the country.
Mack pointed out that Cellebrite has not disclosed whether it requests that customers dismantle the equipment once the partnership ends. John Scott-Railton, a senior researcher at Citizen Lab, contended that the company should take further steps: remotely disable devices after credible reports of misuse, and watermark extracted data so that it can be traced back to a specific device. In simple terms, Scott-Railton suggested that Cellebrite should have the capability to render its devices inoperable and mark their outputs, thereby concluding what he described as an era of plausible deniability.
This pattern is not unprecedented. Researchers have documented instances where Cellebrite tools were used against dissidents, activists, and journalists in places like Hong Kong, Kenya, and Jordan, and the company has severed ties with clients including Bangladesh, Myanmar, and, earlier this year, Serbia. The situation in Russia is complicated by the fact that the customer was allegedly already gone.
Pivovarov received a four-year prison sentence and was released in August 2024 in a prisoner exchange that included Wall Street Journal reporter Evan Gershkovich. The Russian Embassy in Washington did not respond to a request for comment.
