THN

Russia Used Cellebrite on Jailed Activist’s iPhone Months After Sales Cutoff

Description

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBSVw_gpnELsdqj1fhZXQ6Jm-ycv8RsT1-Q7vfNeyj0_Sd-keBXqrAA9w7Vz8qt0tKM3yXkVPknx8FtRKBGBShrelNUIlZbkoUDdDz4MEeWbStRxJt5ggHFA2LFTv5Lc2g-1VC9L7-HGtWY_8VZMTInbZrXa0UY_oZsu2GUeFDH8VsHnUekF4m64OET3U/s1600/iphone-hack.jpg)

Russian authorities used Cellebrite's UFED forensic tools to break into the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite said it would stop selling its tools and services to Russia and Belarus.

The finding, published June 25 by the Citizen Lab, rests on two things that rarely line up: traces on the phone itself and an official Russian government report that names the tool.

Investigators searched the extracted data for political contacts, opposition figures, and the names of activist organizations. This was not remote spyware. It was a forensic tool run on a seized device in custody, used to build a case in a political prosecution.

Pivovarov ran **Open Russia**, an opposition group the Kremlin had branded "undesirable," a label that turned continued involvement into a criminal offense.

He was pulled off a flight at St. Petersburg airport on May 31, 2021, and his iPhone 12 and MacBook were confiscated. He never gave consent to a search and never handed over his passwords. The devices stayed in custody until 2023. In July 2022, he was sentenced to four years; he was freed in August 2024 in a prisoner exchange.

Pivovarov gave the phone to Citizen Lab researchers in the fall of 2025. The traces on it dated to 2021, when the device was in Russian custody.

MobileLockdown records, which track an iPhone's trusted USB pairings, showed a connection on June 17, 2021, to a host ID matching a Cellebrite fingerprint the researchers had identified in a prior case in Jordan. They rate it high-confidence evidence that Cellebrite's UFED was used.

Russia's own paperwork backs the forensic read. Pivovarov received a report titled "Forensic Expert Report No. 1269-17" in the course of his prosecution, prepared for Russia's Investigative Committee by the Interior Ministry's forensic center, and he gave a copy to the Citizen Lab.

It names Cellebrite's UFED Physical Analyzer and UFED 4PC by product. It documents pulling data from WhatsApp, Telegram, and Viber, and shows investigators running searches for "Open Russia Civic Movement" and for named opposition figures, including Mikhail Khodorkovsky, lawyer Anastasiya Burakova, and Pivovarov's partner Tatiana Usmanova.

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggtU1skpfhl6J6-7Gqj6DZMagLtRCDx1BQnaKUi1ATQrxBMoGQqO4QAzmU3HD7dWq1NO26fukFashyphenhyphenL0-MWFbAx1hq0zLD55_2AzptZR1y71ObHDCUQ5U1U5grK1kLzGqO0CYVJ_ez0ee1LJv62RM3nfjJ3pwziEssLmztnK1Y3jlYzk_rKkep9LPar6g/s1600/doc.jpg)

The MacBook held. The MVD report describes a failed extraction, blocked by encryption, and the Citizen Lab found matching failed login attempts on the same date, indicating the authorities never had Pivovarov's password.

The timing is the point. Cellebrite announced in March 2021 that it would stop selling to Russia and Belarus, a move that cut off updates but left existing hardware running. Much of UFED keeps working offline long after support ends, the Citizen Lab says, which is the hole in the cutoff: the risk was never only future sales, it was the installed base already sitting in police and intelligence offices.

That matches earlier reporting that Russia kept using Cellebrite on detainees' phones after the announcement.

Asked for comment on June 22, Cellebrite told the Citizen Lab and Access Now that any use of its legacy hardware in Russia after March 2021 is "entirely unauthorized." It said that hardware runs without its support or consent and that, today, it would be incompatible with modern devices.

Russia stays permanently on its restricted-customer list, the company said, and it is shifting to subscription licenses that stop working when they expire. The distinction matters more legally than operationally: the tool still worked when Russian investigators had the phone in 2021.

One overlap is worth watching: the people whose names were searched on Pivovarov's phone later surfaced as targets of COLDRIVER, an FSB-linked phishing operation, and Burakova was targeted but did not bite.

The Citizen Lab does not claim a direct link, but the mechanism is plain: extract one activist's social graph, and you have the target list for the next campaign.

Citizen Lab's advice for anyone at risk of seizure is blunt, and none of it is foolproof against a forensic tool. Use a strong alphanumeric passcode. Keep the OS current. Turn on Lockdown Mode on iPhones, or Advanced Protection on Android 16 and up. Encrypt the disk on computers. Power the device fully off before walking into a high-risk situation. If a seized device comes back, change every account password and have it examined before wiping it.

Russia joins Serbia, Kenya, and Jordan in a growing list of Cellebrite abuse cases backed by forensics. The sharper lesson is narrower: a sales cutoff that leaves old, offline-capable tools running is not much of a cutoff once the phone is already in a custody room.


Basic Information

ID THN:ACC3B012B2608F7FC56BF4FD84BF33BB
Published Jun 26, 2026 at 08:49
