Russia Used Cellebrite on Arrested Activist's iPhone Months After Sales Cutoff

Russian authorities used Cellebrite’s UFED forensic tools to access the iPhone of jailed opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite said it would stop selling its tools and services in Russia and Belarus.

The findings, published on June 25 by Citizen Lab, rest on two rare things: forensic traces on the phone itself and an official Russian government report naming the tool.

Investigators searched the extracted data for political contacts, opposition figures, and names of activist organizations. This was not remote spyware. It was a forensic tool used on a device held in custody, to build a case in a political prosecution.

Pivovarov ran Open Russia, the opposition group the Kremlin had labeled “undesirable,” a designation that turned continued involvement into a criminal offense.

He was removed from a plane at the airport in St. Petersburg on May 31, 2021, and his iPhone 12 and MacBook were seized. He did not consent to a search and he did not give up his passwords. The devices remained in custody until 2023. In July 2022, he was sentenced to four years; he was released in August 2024 in a prisoner exchange.

Pivovarov gave the phone to Citizen Lab researchers in the fall of 2025. The traces on it date back to 2021, when the device was being held in Russia.

MobileLockdown records, which track trusted iPhone USB pairings, showed a connection on June 17, 2021, to a host ID matching a Cellebrite fingerprint that researchers had identified in a previous case in Jordan. They rated this as high-confidence evidence that Cellebrite’s UFED was used.

Russia’s own documents corroborate the forensic findings. During his prosecution, Pivovarov received a report titled “Forensic Expert Report No. 1269-17,” prepared for the Russian Investigative Committee by the intelligence agency of the Ministry of Internal Affairs, and he provided a copy to Citizen Lab.

The report names Cellebrite’s UFED Physical Analyzer and UFED 4PC by product. It documents the extraction of data from WhatsApp, Telegram, and Viber, and shows investigators running searches for the “Open Russia Civic Movement” and opposition figures, including Mikhail Khodorkovsky, lawyer Anastasiya Burakova, and Pivovarov’s colleague Tatiana Usmanova.

The MacBook was seized. The MVD report describes a failed login, which was blocked by encryption, and Citizen Lab found a string of failed login attempts on the same day, indicating that authorities never had Pivovarov’s password.

The timing is the point. Cellebrite announced in March 2021 that it would stop selling to Russia and Belarus, a move that cut off updates but left existing hardware running. Most of UFED continues to work offline long after support ends, Citizen Lab says, which is a loophole: the risk was not only future sales, it was the installed base already sitting in police and intelligence offices.

That is consistent with previous reports that Russia has been using Cellebrite on detainees’ devices after the announcement.

Asked for comment on June 22, Cellebrite told Citizen Lab and Access Now that any use of its hardware in Russia after March 2021 is “totally unauthorized.” It said the hardware was running without its support or permission and that, today, it would not be compatible with modern devices.

Russia remains permanently on its list of restricted customers, the company said, and it is switching to registration licenses that stop working once they expire. The difference is more legal than practical: the tool still worked when Russian investigators had the phone in 2021.

One overlap should be noted: people whose names were searched for on Pivovarov’s phone later turned up as targets of COLDRIVER, a hacking operation connected to the FSB. Burakova was targeted but did not take the bait.

Citizen Lab doesn’t claim a direct link, but the methodology is clear: extract the social graph of one activist, and you have a target list for the next campaign.

Citizen Lab’s advice for anyone at risk of device seizure is neither complicated nor unreasonable as a defense against a forensic tool. Use a strong alphanumeric passcode. Keep the OS up to date. Turn on Lockdown Mode on iPhones, or Advanced Protection on Android 16 and above. Encrypt the disk on computers. Power off the device fully before entering a more dangerous situation. If a seized device is returned, change all account passwords and have the device checked before erasing it.

Russia joins Serbia, Kenya, and Jordan in a growing list of cases of Cellebrite abuse by law enforcement. The lesson is narrow but sharp: a sales cutoff that leaves older, capable units working offline isn’t a cutoff if the phone is already in custody.
