Russia Used Cellebrite Tool to Hack Activist’s iPhone Despite Contract Cancellation

In June 2021, Russian authorities utilized Cellebrite’s Universal Forensic Extraction Device (UFED) to access the iPhone of opposition politician Andrey Pivovarov. This action occurred months after the Israeli surveillance firm publicly announced the termination of all contracts with Russian clients, as revealed by a forensic investigation conducted by the Citizen Lab at the University of Toronto.

On May 31, 2021, Pivovarov, the former director of the pro-democracy nonprofit Open Russia, was detained by Russian security services at St. Petersburg Airport. His iPhone 12 and Apple MacBook were confiscated; he did not consent to the seizure and did not provide his passwords. These devices remained in official custody until 2023, following his four-year prison sentence on charges related to managing an “undesirable” organization. Pivovarov was released in August 2024 as part of a U.S.-Russia prisoner exchange.

In the fall of 2025, Pivovarov contacted Citizen Lab researchers at the World Liberty Congress in Berlin. An initial examination of his iPhone indicated signs of forensic extraction, prompting a comprehensive analysis. Researchers identified traces of Cellebrite’s UFED on the device dating to around June 17, 2021. This discovery was significant, considering Cellebrite had announced in March 2021 that it would “immediately” cease sales to Russian and Belarusian authorities.

The forensic evidence included a specific Host ID found in MobileLockdown USB connection records on the device, previously linked to Cellebrite in earlier investigations. Additionally, a report from Russia’s Forensic Expert Center of the Ministry of Interior explicitly named Cellebrite’s UFED Physical Analyzer and UFED 4PC toolkit as the tools used to extract data from Pivovarov’s devices. Investigators retrieved communications from apps like WhatsApp, Telegram, and Viber and searched the device for political keywords, including names of opposition figures.

Despite Cellebrite’s public commitment to ending contracts with Russian clients, the Citizen Lab’s findings indicate that Russian authorities continued to use the UFED platform beyond the announced termination. The tool’s offline capabilities and architecture, which allow core functionality without vendor updates, appear to have rendered the contract cancellation ineffective.

This incident underscores the challenges in controlling the use of surveillance tools once they are distributed. Even after a vendor ceases support, the tools can remain operational, raising concerns about their potential misuse. It highlights the need for more robust mechanisms to prevent unauthorized use of such technologies, especially in contexts where they can be employed against political dissidents and activists.