Russia Breaks Into Human Rights Activist’s Phone With Cellebrite

Andrey Pivovarov’s Arrest and Sentencing

On May 31, 2021, prominent Russian political activist Andrey Pivovarov was removed from a flight and detained by the Russian security services at St. Petersburg Airport. For a brief period after the detention, Pivovarov was able to keep his devices and contact a lawyer. However, when an investigator began to question him, his devices, including an iPhone 12 and an Apple MacBook, were confiscated. He never gave Russian authorities consent to search his devices, and did not provide them with his passwords. His devices remained in official custody until 2023.

Pivovarov had served as the director of the Russia-based non-profit Open Russia. The UK and US Open Russia entities were designated “undesirable” by the Russian authorities in April 2017, under a law which the European Court of Human Rights later found to be incompatible with the European Convention on Human Rights. Pivovarov dissolved the Russian branch of Open Russia on May 27, 2021, stating the desire to protect staff from criminal prosecution following amendments to Russia’s law on undesirable organizations.

After his arrest, an investigation was undertaken by Russia’s Investigative Committee. In July 2022, Russian authorities sentenced Pivovarov to four years in prison on charges of carrying out the activities of an “undesirable” organization. These charges are widely viewed as politically motivated.

On August 1, 2024 he was freed as part of a prisoner exchange.

Russian Authorities Access Pivovarov’s iPhone With Cellebrite

In 2023, while still imprisoned, Pivovarov’s devices were returned to his lawyer by the Russian authorities. He regained possession of them upon his release. In fall 2025, Pivovarov made contact with researchers from the Citizen Lab at the World Liberty Congress in Berlin, Germany. An initial screen of his iPhone showed signs of Cellebrite’s forensic tools, and a detailed forensic analysis was then conducted on artefacts from the device.

Our analysis found traces of the use of Cellebrite’s forensic tools with high confidence on Pivovarov’s iPhone 12 on or around June 17, 2021, during a period when the device was in the custody of the Russian authorities.

Our forensic analysis of MobileLockdown records from Pivovarov’s iPhone show USB connections to a device with a Host ID on June 17, 2021 that we previously attributed to Cellebrite.

The Cellebrite HostID Found on Pivovarov’s Device

Host ID 9016926980658937761372207

Host ID 9016926980658937761372207

Cellebrite DI Ltd. (or Cellebrite) is an Israeli technology company specializing in the sale of data extraction and forensic analysis tools to law enforcement agencies and commercial customers. Their Universal Forensic Extraction Device (UFED) product series enables customers to extract all of a device’s data. Cellebrite also provides technology to governments for non-consensual device extraction, including password bypassing and cracking.

Official Documents Confirm Cellebrite Use

Our forensic analysis is directly confirmed by a document prepared by the Russian authorities themselves. Commissioned by Russia’s Forensic Expert Center of the Russian Ministry of the Interior (MVD), the document was given to Pivovarov in the course of his criminal prosecution. Pivovarov provided the Citizen Lab with a copy of the report, titled “ЗАКЛЮЧЕНИЕ ЭКСПЕРТА Nº 1269-17” (English “Forensic Expert Report No. 1269-17”).

The official report explicitly confirms the use of Cellebrite’s UFED Physical Analyzer and the UFED 4PC toolkit. According to 2021 promotional materials, these tools allow law enforcement to extract data from “the broadest range of digital devices” on their existing PC (UFED 4PC) and analyze extracted data in a user-friendly interface (UFED Physical Analyzer).

Figure 1

The authorities documented gathering extensive information from the device, including data from apps like WhatsApp, Telegram, and Viber.

Figure 2

Blended Targeting?

The MVD report documents how their experts used Cellebrite’s UFED to search the contents of Pivovarov’s devices for terms such as the “Open Russia Civic Movement” as well as a range of specific political topics.

Figure 3

The authorities searched Pivovarov’s devices for key organizations and contacts, as well as high profile opposition figures. Search terms included Mikhail Khodorkovsky, who founded Open Russia, Anastasiya Burakova, who was at the time a human rights lawyer at Open Russia and currently leads a prominent anti-war group, and Open Russia’s former coordinator and Pivovarov’s partner, Tatiana Usmanova.

In 2024, in collaboration with Access Now, and with the assistance of First Department, Arjuna Team and RESIDENT.ngo, the Citizen Lab investigated a global hacking campaign by COLDRIVER, a hacking group linked to the Russian FSB. Anastasiya Burakova was one of the targets of the COLDRIVER campaign, and has consented to being named in this report. The targeting in her case was unsuccessful as she did not open the attachment. The Citizen Lab and Access Now also strongly suspect that Mikhail Khodorkovsky’s press secretary, Maxim Dbar, was also unsuccessfully targeted by COLDRIVER, and mention his case with consent. Our investigations into these links are ongoing.

This correlation between Cellebrite being used to target Pivovarov’s social graph, and subsequent COLDRIVER targeting of the same individuals warrants further investigation. It is consistent with the possibility that the use of Cellebrite’s tools against Pivavarov may have later helped to enable further targeting and surveillance of other regime opponents abroad, like Burakova.

Authorities Appear to Fail to Access Pivovarov’s MacBook

When the Russian authorities arrested Pivovarov, they also confiscated his MacBook computer. The MVD report includes a section describing a failed attempt at forensically extracting its data.

The officials claim that encryption of the MacBook made it impossible for them to gain access to the file system of the device and extract materials from it. The document also features images of the login screen and system restore functionality of the Mac.

Figure 4

Forensic analysis by security researcher Hassen Selmi and the Citizen Lab find evidence of what we believe are their failed login attempts on June 17, 2021, seeming to confirm the MVD report. We thus assess that authorities did not have access to Pivovarov’s password.

Cellebrite: A Growing History of Abuses

Cellebrite has a well-documented history of selling to governments with track records of persecuting activists, journalists, and dissidents, despite the company’s insistence that its sales are consistent with legal and ethical obligations.

Cellebrite markets its technology to law enforcement as “the industry standard for lawfully accessing and collecting digital evidence.” However, in countries such as Russia, where criminal prosecutions are used as a tool of repression, Cellebrite’s capabilities can be used to facilitate unlawful criminal prosecutions or other abusive legal action against human rights defenders, journalists, and other regime targets.¹

Cellebrite in Russia: When You Sell to an Autocrat, Abuses Follow

Cellebrite’s sales to Russia’s Investigative Committee (“the Committee”), the body responsible for the persecution of figures like Alexei Navalny, Pussy Riot, and journalist Galina Timchenko, illustrate the firm’s apparent comfort with selling to repressive states. Various members of the Committee, including its head Alexander Bastrykin, have been sanctioned by the EU and US authorities. When Cellebrite entered the Russian market, the adverse human rights impacts associated with the sale of this technology in that context were likely foreseeable.

In September 2020, a legal petition was filed by lawyer Eitay Mack against Cellebrite in the Tel Aviv District Court alleging the company sold its technology to the Russian Investigative Committee who used it for political repression. In March 2021, Cellebrite publicly cancelled their contract with Russian and Belarusian customers. The contract cancellation meant that the Russian and Belarusian authorities would cease to receive updates for their Cellebrite devices. More than a year later, however, it was reported that Cellebrite continued to be used to hack political detainees’ cellphones despite the contract cancellation.

Our forensic findings confirm the reports that Russian authorities developed a range of methods to continue leveraging Cellebrite in political prosecutions (as well as other device hacking tools) despite the contract cancellation. The historic architecture of Cellebrite forensic systems means that much of the functionality in the UFED product has continued to operate long after updates cease. Furthermore, Cellebrite systems have historically featured an offline mode. Consequently, the way Cellebrite’s technology was designed appeared to make it difficult for the company to meaningfully cut off problematic customers.

Cellebrite’s Continued Failure to Meet its Corporate Responsibility to Respect Human Rights

Cellebrite’s record suggests it is comfortable pursuing contracts with governments that are likely to use its technology to commit human rights abuses. Cellebrite previously sold to autocratic and repressive countries including Russia, Belarus, China, Jordan, Kenya, Myanmar, Serbia, and Botswana, among others.

There is also a growing list of forensically-documented cases in which Cellebrite technology was used for political repression, from Serbia and Kenya to Jordan and now Russia, and where the company has shown a mixed record of contract cancellations.

After reports of human rights abuses and concerns, Cellebrite terminated contracts in Serbia, Russia, Belarus, Bangladesh, Hong Kong, and China. However, Cellebrite does not appear to have cancelled contracts with Kenya and Jordan, two other countries where human rights abuses associated with Cellebrite technology have been forensically confirmed by the Citizen Lab.² We also note reports that authorities in Hong Kong reportedly continued to obtain Cellebrite technology after their access was officially cancelled via resellers that also continued to provide updates.

In addition to the cases where Cellebrite abuses have been confirmed, there is a long list of sales to countries and security services linked to human rights abuses and repression:

Reactive and Selective Approach to Abuses

Cellebrite’s responses to human rights harms associated with their products appears to be reactive – i.e., in response to reporting by third parties versus proactive action by the company itself. While Cellebrite has argued that its cancellations in Russia and Belarus went beyond what was legally required, this investigation contributes evidence that the contract cancellation did not immediately block Russia from leveraging Cellebrite’s tools for political persecution.

Furthermore, while Cellebrite’s licensing agreement states they possess the ability to remotely disable the technology, previous reporting suggests this functionality was absent or ineffective, at best. Cellebrite now states that they are “in the process” of moving all licenses to a subscription model, and that devices will “immediately stop working” when the license expires.

This pattern suggests a selective approach to the corporate obligation on businesses to respect human rights, rather than genuine compliance with the United Nations Guiding Principles on Human Rights (UNGPs). Genuine compliance would result in careful due diligence in export transactions, including careful customer research, contractual and procedural safeguards, strong grievance mechanisms, and transparent public reporting on transactions.

Although Cellebrite maintains that it has an “Ethics and Integrity Committee” to review sales for compliance with international standards and norms, there has been no detailed public disclosure of how decisions are made. At a minimum, this should include disclosing what evidence was gathered to make judgements about which clients to accept or deny, and at what point Cellebrite decides to exit a market.

Under the UNGPs, Cellebrite has a responsibility to respect human rights. This obligation requires that the company enact a robust human rights compliance system to prevent its technology from being used in or facilitating human rights abuses.³ This report suggests again that Cellebrite has fallen short of the well-established standards outlined in the UNGPs.

Forensic Technology: A Key Tool for Repression

When used for political repression, forensic technology can create harm that extends far beyond the direct target. Tools like Cellebrite can be used to collect extensive amounts of information from devices, ranging from messages, photos, application data, to credentials of remote accounts and movements. This material can be used to develop a rich picture of a political movement or organization, and identify further individuals for targeting or repression. We note that Cellebrite markets advanced artificial intelligence tools that can help develop exactly the kind of pattern-of-life and social graph that would be useful to a repressive state seeking to subvert dissent and political opposition.

The increasing use of embedded AI systems in Cellebrite’s technology raises concerns about how these tools can be directly used to facilitate state repression, such as mapping out opposition movements or pinpointing journalists’ sources. Meanwhile, the well-documented tendency of LLMs to introduce errors raises questions about the possibility of false positives stemming from incorrect pattern matching, leading to incorrect investigative conclusions that implicate innocent parties.

Exploits and Collective Insecurity

Cellebrite’s technology may also further collective cyber insecurity by exploiting software vulnerabilities that are used to bypass device security, instead of reporting them so that they can be patched. For example, a 2025 Amnesty International Security Lab investigation found that Cellebrite’s tools were leveraging three previously-unknown vulnerabilities affecting all Android devices to unlock a Serbian activist’s phone, rather than responsibly disclose those vulnerabilities in the public interest.

Past cases also highlight that Cellebrite’s technology (and the exploits they leverage) are susceptible to reverse-engineering by third parties. In 2015, Cellebrite alleged in US legal filings that Oxygen Software (a Russian company with reported past connections to the Russian security apparatus) obtained an unauthorized copy of the UFED system and used that to reverse engineer Cellebrite’s Samsung and LG screen lock disablers. Cellebrite ultimately did not pursue the case.⁴

Past reports have also noted that Cellebrite’s security protocols were found to be seriously deficient not only putting the provenance of the exploits it controls in question but also whether Cellebrite-gathered evidence can even be trusted at all, given the possibilities of tampering.

Right of Reply from Cellebrite

On June 22, 2026, the Citizen Lab and Access Now contacted Cellebrite with a request for comment on our findings. We undertook to publish their response in full. Cellebrite responded, in part:

“Any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorized. The Cellebrite hardware previously sold, prior to March 2021, would now be incompatible with modern devices and would operate without our technical support, our consent or any legal sanction from Cellebrite. Rapid technology advances render legacy digital forensic hardware and software ineffective within a short period of time. Russia remains permanently on our restricted-customer list.”

Their full reply to the Citizen Lab is here.

Conclusion: Forensic Tools Are a Key Instrument of Repression

The only crime that Pivovarov committed was criticism of the Russian state, which is not a legitimate criminal offence under international human rights law.

Cellebrite claims that their tools are only designed to be used pursuant to “legally sanctioned investigations” authorized by “a warrant or appropriate equivalent depending on the jurisdiction.”

However, an effective human rights due diligence policy would look beyond the existence of legal procedures and consider whether the cases being pursued are selected in compliance with international human rights standards. This is not the case with respect to Pivovarov, or other politically-motivated criminal prosecutions by the Russian authorities.

Cellebrite’s responsibility under the UNGPs does not end only when their clients follow their domestic criminal procedure by the book. The company must ensure they do not provide their tools to governments that abuse the legal system for repression.

Our investigation provides a window into how Cellebrite’s tools were used as part of political surveillance and prosecution of Pivovarov and his associates, including seeking sensitive communications, presumably to determine relationships between prominent opposition figures. That information may also have informed other forms of state targeting, including FSB-linked social engineering campaigns. Our report further highlights how Cellebrite tools could continue to be abused even after a contract termination.

This case is the latest in a long line of abuses of Cellebrite’s technology under the color of law enforcement by autocrats around the globe. A well-documented set of cases shows Cellebrite has a history of selling to repressive regimes, and reacting with selective contract terminations only after third-party exposure and outcry. 

We welcome Cellebrite’s claim that their new approach to licensing will enable more effective remote-disabling when they choose to cancel contracts. However the company’s history of sales to autocrats, reactive approach to reported human rights harms, and selective license cancelling leaves us skeptical that these measures will prevent future abuses. We also note with concern the reports that repressive police services in China and Hong Kong continued to obtain Cellebrite technology despite official contract cancellations.

Recommendations to Cellebrite

Don’t Sell to Autocrats, Shut Abusers Down

Cellebrite should conduct extensive human rights due diligence during all phases of sales, and refrain from selling to customers with histories of human rights abuses, poor oversight, and autocratic behavior.

Cellebrite should also learn from the Russian context and ensure that their software and tools can be quickly and fully remotely shut down, or cease working upon contract termination. We urge Cellebrite to consult the additional recommendations made by Access Now.

Watermark With a Unique Identifier

Cellebrite should lead the industry by adopting a unique customer identifier that is placed on forensically-imaged devices. This identifier should enable any party to confirm that Cellebrite’s tools were used to access and forensically acquire material from a device. A unique, cryptographically-signed per-customer identifier will also help investigate cases where their technology was used unethically or in contravention of applicable laws, and discourage the abuse of forensic extraction tools. Cellebrite deployments should maintain an immutable log that includes these identifiers. Such an indicator could be especially helpful in discouraging covert abuses, like those documented in Serbia by Amnesty International’s Security Lab, where the technology was used to surreptitiously place spyware on activists’ phones. We believe such watermarks should become an industry-standard, and that regulators operationalizing the UNGPs should treat the adoption as a baseline obligation.

Be Accountable, Answer Questions About Abuses

We urge Cellebrite to be transparent in the criteria they use to evaluate customers and potential sales. As a large company in the forensic space, they have the ability to shape the market towards better norms. Cellebrite should be clear about the measures they take to investigate reports of abuses, and the actions they take. This clarity is important, especially for victims that currently lack a mechanism for redress. 

We note the many unanswered (and incompletely answered) questions put to Cellebrite by human rights organizations, journalists and investigators over past cases of abuse. This helps autocrats and harms victims. If Cellebrite hopes to be seen as an ethical company, they should answer these questions with specifics. 

Recommendations for Civil Society

If you believe your device is at risk of seizure, consult an expert. There is no substitute for advice that is tailored to your specific situation, and the risks that you face. Here is our current guidance on risks from device seizure and Cellebrite-style technology, adapted from our recent prior reporting.

Protect Against Device Seizure

The following advice may help reduce the likelihood that a forensic extraction tool will successfully bypass the device’s lock and access its data. It is important to note that these steps will not eliminate the likelihood of forensic access:

• Keep your device’s operating system up-to-date.
• Set a strong (preferably alphanumeric) passcode for your device.
• For your accounts, use a password manager, ensuring that each service has a different password, and that you can more quickly change passwords in the event that a device or account is compromised.
• Enable Lockdown Mode (iPhones only).
• Enable Advanced Protection (available for Android version 16 or above).
• Enable Full Disk Encryption for computers.

If you must carry data into a situation with elevated risk of device seizure (e.g., a police station or a border crossing), fully power off the device. Generally, we advise reducing the amount of sensitive data on mobile devices as they are more prone to seizure.

Has Your Device Been Seized?

You should immediately change the passwords of all accounts that were on the device, including those accessed through the device’s browser(s). You should then check these accounts for logins that you do not recognize. 

If the device was returned to you, we recommend seeking one-on-one advice from a qualified forensic professional to analyze the device. If you are part of civil society, the Citizen Lab may be able to assist with forensic analysis. We can provide guidance on next steps or refer you to trusted partners for further support.

Seek Expert Assistance

If the device is returned to you, we strongly advise against deleting all of the data on your device (also known as a factory reset) before it is examined by an expert, as a factory reset will likely make it impossible to determine what occurred with the device when it was not in your custody. Such an examination may help to better understand what was done on the device, including identifying signs of the use of forensic tools such as Cellebrite’s technology. Such an analysis might also assist efforts to determine whether there was overreach or disproportionate use of forensic extraction tools in your case.

Participating in expert analysis can help uncover device vulnerabilities that may have been exploited by forensic extraction tools. Research groups like the Citizen Lab typically have a policy of notifying device manufacturers of these vulnerabilities, enabling them to develop and release patches for these exploits, making everyone’s devices more secure.

1. As explained in a prior Citizen Lab report addressing Cellebrite abuse in Jordan, “the use of technology to extract data from the phones of persons subjected to … unlawful criminal prosecutions or in response to their lawful exercise of the right to freedom of expression cannot meet the requirements of international human rights law and cannot be justified.” ↩︎
2.  For example, in the context of the Citizen Lab’s finding that Cellebrite’s technology has been used by Jordanian authorities against activists, Cellebrite provided responses that failed to address the specific questions raised in correspondence to them. The Citizen Lab also sent questions to Cellebrite in the context of its report that Cellebrite technology was used against a Kenyan activist, but the company did not respond. ↩︎
3.  As summarized by Access Now in a prior report on Cellebrite, the UNGPs require that Cellebrite “(i) show public commitment to respect human rights through appropriate policies; (ii) conduct an effective, ongoing human rights due diligence and impact assessment to understand how and what kind of human rights abuses its products would implicate, which includes consulting with experts and potentially affected stakeholders; (iii) based on the assessment, design and implement the policies and procedures to adequately mitigate these risks; (iv) keep monitoring and improving the system; (v) investigate and take remedial measures for past human rights violations ; and (vi) issue periodic public communications.” ↩︎
4.  Cellebrite Mobile Synchronization Ltd. v. Oxigen Software and Oxigen Forensics, Inc. Case 1:15-cv-01699-LO-MSN ↩︎