John Scott-Railton is a leading expert on spyware, phishing, and information operations, with a global reputation for exposing sophisticated threats. As Senior Researcher at the Citizen Lab he leads the Targeted Threats team, collaborating with at-risk individuals and partners around the world to expose abuses and drive policy change. For more than a dozen years he has worked on collaborative investigations tracking and exposing digital attacks targeting people because of who they are, what they do, or what they say.
He is a regular expert voice in conversations about these topics, and has also testified to lawmakers in the U.S., Italy, Poland and the European parliament on the threats posed by spyware proliferation to national security and human rights.
He was the Founding Editor of the Security Planner which provides personalized expert security advice. He has also worked on ensuring connectivity in conflicts, including ensuring the free and secure flow of information during wartime. For example, he developed the Voices Projects, which helped bypass internet shutdowns in Egypt and Libya. He is a past fellow at Google Ideas / Jigsaw at Alphabet where he worked on products like the Phishing Quiz.
Connect
Publications
Not Safe for Politics
Cellebrite Used on Kenyan Activist and Politician Boniface Mwangi
Following the widely-condemned arrest in July 2025 of prominent Kenyan opposition voice Boniface Mwangi, the Citizen Lab analyzed artefacts from devices seized during the arrest. We found that Cellebrite’s forensic extraction tools were used on his Samsung phone while it was in police custody. This case adds to the concerning pattern of the misuse of Cellebrite technology by government clients.
From Protest to Peril
Cellebrite Used Against Jordanian Civil Society
Through a multi-year investigation, we find that the Jordanian security apparatus has deployed forensic extraction products manufactured by Cellebrite against civil society devices. We release these findings alongside reporting from the Organized Crime and Corruption Reporting Project (OCCRP) which includes interviews with a few of the victims.
Same Sea, New Phish
Russian Government-Linked Social Engineering Targets App-Specific Passwords
In May 2025, Keir Giles, a well-known expert on Russian military operations, was targeted with a highly sophisticated and personalized phishing attack. Using a method not previously observed by the Citizen Lab, the attacker posed as a U.S. State Department employee to convince Mr. Giles to create and send app-specific passwords for his email accounts, bypassing multi-factor authentication. Google spotted and blocked the attack, attributing it to a Russian state-backed operator.
