The Cellebrite Russia phone hack of opposition politician Andrey Pivovarov has thrown a harsh light on a question the surveillance-tech industry would rather not answer: what happens to your tools after you walk away from a customer?
Researchers at the Citizen Lab, a digital rights group based at the University of Toronto, say they found forensic evidence that a Russian government investigative unit used Cellebrite’s UFED phone-extraction tool to break into Pivovarov’s iPhone 12. The hack occurred on or around 17 June 2021, according to the Citizen Lab’s analysis, which reaches that conclusion with high confidence.
The timing is the problem. Cellebrite had already announced, on 18 March 2021, that it was halting all sales and services to Russia and Belarus. That press release, signed by CEO Yossi Carmil, said the company was ‘terminating existing licences’ and ‘immediately’ unwinding legal contracts. Three months later, Russian authorities were apparently still using UFED just fine.
The Cellebrite Russia Phone Hack: What the Evidence Shows
Pivovarov was detained at St. Petersburg airport in May 2021, whereupon Russian security officials confiscated his iPhone 12 and MacBook. He was later sentenced to four years in prison on charges of working with an ‘undesirable’ organisation, before being freed in August 2024 as part of a prisoner exchange that also freed Wall Street Journal reporter Evan Gershkovich.
What makes this case unusual, as The Next Web points out, is that Russian authorities documented their own methods. A court document shared by Pivovarov with the Citizen Lab researchers named Cellebrite UFED explicitly, detailing how it was used to extract WhatsApp and Telegram messages and to search the phone for the names of opposition figures. Governments do not often write that down.
The MacBook fared better: the Citizen Lab found that Russian authorities were largely unsuccessful in accessing it because the device was encrypted. The iPhone, it seems, was not similarly protected.
The extracted data may have had consequences beyond Pivovarov himself. According to CyberScoop, the Citizen Lab investigation found that Russian authorities may have used information from his phone to surveil fellow dissident Anastasiya Burakova, in a hacking campaign linked to Russia’s Federal Security Service (FSB).
Revoking a Licence Is Not the Same as Pulling the Plug
Cellebrite’s chief marketing officer David Gee, in an email shared with the Citizen Lab and copied to several publications, said: ‘Any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorised.’ He added that hardware sold before March 2021 ‘would now be incompatible with modern devices and would operate without our technical support, our consent or any legal sanction from Cellebrite.’
In theory, older hardware losing software support should make it less capable over time. In practice, the Pivovarov case suggests that an iPhone 12, a fairly current device in mid-2021, was still crackable with pre-ban kit.
Israeli human rights lawyer Eitay Mack, who has campaigned against both Cellebrite and spyware maker NSO Group, has argued for years that this gap is a feature of the business model, not an oversight. The Guardian reports that Mack said there were other instances in which Cellebrite tools appeared to be used after contracts were cancelled, and that his investigations indicated the software could function even on a dated licence. Cellebrite, he noted, refuses to say whether it requires customers to physically dismantle hardware when a contract is terminated.
This was not Cellebrite’s first warning about Russia. Forbes reports that before the March 2021 ban, the company was already under pressure after Russian authorities used its technology to break into the phone of Lyubov Sobol, a prominent Navalny ally, in late 2020. The ban came after that incident; the abuse, apparently, continued anyway.
Senior Citizen Lab researcher John Scott-Railton has called on Cellebrite to do two things: remotely disable deployments following credible reports of abuse, and implement cryptographically signed watermarks on all imaged devices so that extracted data can be traced to the specific tool used. Bloomberg notes the episode adds pressure on the company as scrutiny of the surveillance-tech sector intensifies.
On the question of Cellebrite’s own website claim that it can ‘stop the device from functioning or receiving software updates’ after cutting a customer off: that capability, whatever it amounts to, did not prevent the Cellebrite Russia phone hack of Pivovarov’s device in June 2021. Gee did not respond to specific follow-up questions from reporters. The company’s next move on remote-kill and watermarking will be watched closely.
