Bill Marczak

Publications

We found that former Member of the European Parliament Stelios Kouloglou was hacked with Pegasus spyware while serving on the PEGA committee, which investigated Pegasus and other spyware abuses in Europe. Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations.

We analyzed Russian activist Andrey Pivovarov’s phone, finding that Russian authorities used forensic extraction tools made by Cellebrite to gain access to his device. A document prepared by Russian authorities confirms that Cellebrite was used to extract information to aid in Pivovarov’s prosecution. Importantly, we found that authorities continued to use Cellebrite for political repression even after the company had cancelled its contracts with Russian customers.

Following the widely-condemned arrest in July 2025 of prominent Kenyan opposition voice Boniface Mwangi, the Citizen Lab analyzed artefacts from devices seized during the arrest. We found that Cellebrite’s forensic extraction tools were used on his Samsung phone while it was in police custody. This case adds to the concerning pattern of the misuse of Cellebrite technology by government clients.

February 17, 2026

In May 2025, Keir Giles, a well-known expert on Russian military operations, was targeted with a highly sophisticated and personalized phishing attack. Using a method not previously observed by the Citizen Lab, the attacker posed as a U.S. State Department employee to convince Mr. Giles to create and send app-specific passwords for his email accounts, bypassing multi-factor authentication. Google spotted and blocked the attack, attributing it to a Russian state-backed operator.

12312