Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff - The Hacker News
Swati Khandelwal, Jun 26, 2026, Mobile Security / Digital Forensics
Russian authorities used Cellebrite's UFED forensic tools to break into the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite said it would stop selling its tools and services to Russia and Belarus.
The finding, published June 25 by the Citizen Lab, rests on two things that rarely line up: traces on the phone itself and an official Russian government report that names the tool.
Investigators searched the extracted data for political contacts, opposition figures, and the names of activist organizations. This was not remote spyware. It was a forensic tool run on a seized device in custody, used to build a case in a political prosecution.
Pivovarov ran Open Russia, an opposition group the Kremlin had branded "undesirable," a label that turned continued involvement into a criminal offense.
He was pulled off a flight at St. Petersburg airport on May 31, 2021, and his iPhone 12 and MacBook were confiscated. He never gave consent to a search and never handed over his passwords. The devices stayed in custody until 2023. In July 2022, he was sentenced to four years; he was freed in August 2024 in a prisoner exchange.
Pivovarov gave the phone to Citizen Lab researchers in the fall of 2025. The traces on it dated to 2021, when the device was in Russian custody.
MobileLockdown records, which track an iPhone's trusted USB pairings, showed a connection on June 17, 2021, to a host ID matching a Cellebrite fingerprint the researchers had identified in a prior case in Jordan. They rate it high-confidence evidence that Cellebrite's UFED was used.
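The pairing-record check described above is the kind of examination the article's later advice ("have it examined before wiping it") points to. The following is an added example, not code from Citizen Lab, Cellebrite or The Hacker News: it parses a directory of iOS lockdown pairing-record plists, assuming the record layout those files are known to carry (a HostID and SystemBUID per trusted host, with the pairing time reflected in the file's modification time), and flags any host that is on a watchlist, is not one the owner recognises, or was paired while the device was in someone else's custody. The sample records and the watchlist entry are constructed placeholders; the actual host ID fingerprint Citizen Lab matched is not published in the article.

```python
"""Audit iOS lockdown pairing records for unexpected trusted USB hosts.

Added example (not Citizen Lab's or the article's own code). Assumes the
lockdown pairing plist layout: one plist per trusted host containing at
least the keys HostID and SystemBUID, with the pairing time taken from the
file's mtime. All sample data below is constructed.
"""
import os
import plistlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Placeholder watchlist. In a real examination this would hold HostIDs tied to
# forensic tooling in earlier cases; the value here is NOT a real fingerprint.
WATCHLIST = {
    "00000000-0000-0000-0000-00000000BEEF": "PLACEHOLDER forensic-tool host fingerprint",
}


def parse_pairing_record(path):
    """Return (host_id, system_buid, paired_at_utc) for one pairing plist."""
    with open(path, "rb") as fh:
        rec = plistlib.load(fh)          # handles XML and binary plists
    paired_at = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    return rec.get("HostID"), rec.get("SystemBUID"), paired_at


def audit_pairings(lockdown_dir, custody_start, custody_end, known_hosts):
    """Flag pairings that match the watchlist, are not a host the owner
    recognises, or were created inside the custody window. Returns a list of
    findings; an empty list means every pairing looked expected."""
    findings = []
    for path in sorted(Path(lockdown_dir).glob("*.plist")):
        host_id, buid, paired_at = parse_pairing_record(path)
        reasons = []
        if host_id in WATCHLIST:
            reasons.append("watchlist: " + WATCHLIST[host_id])
        if host_id not in known_hosts:
            reasons.append("unknown host")
        if custody_start <= paired_at <= custody_end:
            reasons.append("paired during custody window")
        if reasons:
            findings.append({
                "file": path.name,
                "host_id": host_id,
                "system_buid": buid,
                "paired_at": paired_at.isoformat(),
                "reasons": reasons,
            })
    return findings


def build_sample_dir():
    """Constructed sample: the owner's own Mac paired in 2020, plus one
    unrecognised host paired while the phone was out of the owner's hands."""
    d = Path(tempfile.mkdtemp(prefix="lockdown_sample_"))
    samples = [
        # (file name, HostID, SystemBUID, pairing time as UTC datetime)
        ("owner-mac.plist", "11111111-2222-3333-4444-555555555555", "buid-owner",
         datetime(2020, 9, 1, tzinfo=timezone.utc)),
        ("unknown-host.plist", "00000000-0000-0000-0000-00000000BEEF", "buid-x",
         datetime(2021, 6, 17, 10, 0, tzinfo=timezone.utc)),
    ]
    for name, host_id, buid, when in samples:
        p = d / name
        with open(p, "wb") as fh:
            plistlib.dump({"HostID": host_id, "SystemBUID": buid}, fh)
        ts = when.timestamp()
        os.utime(p, (ts, ts))            # set mtime to the constructed pairing time
    return d


def run_sample():
    """Run the audit over the constructed sample with a custody window that
    matches the dates in the article (seized 31 May 2021, returned in 2023)."""
    d = build_sample_dir()
    return audit_pairings(
        d,
        custody_start=datetime(2021, 5, 31, tzinfo=timezone.utc),
        custody_end=datetime(2023, 12, 31, tzinfo=timezone.utc),
        known_hosts={"11111111-2222-3333-4444-555555555555"},
    )


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a returned device the records themselves have to be recovered first (a full file-system backup or an extraction by a trusted examiner); this script only does the triage step once the plists are on disk. The three checks are deliberately independent: a host can be unknown without being on any watchlist, and a pairing in the custody window is suspicious even if its HostID has never been seen before.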
Russia's own paperwork backs the forensic read. Pivovarov received a report titled "Forensic Expert Report No. 1269-17" in the course of his prosecution, prepared for Russia's Investigative Committee by the Interior Ministry's forensic center, and he gave a copy to the Citizen Lab.
It names Cellebrite's UFED Physical Analyzer and UFED 4PC by product. It documents pulling data from WhatsApp, Telegram, and Viber, and shows investigators running searches for "Open Russia Civic Movement" and for named opposition figures, including Mikhail Khodorkovsky, lawyer Anastasiya Burakova, and Pivovarov's partner Tatiana Usmanova.
The MacBook held. The MVD report describes a failed extraction, blocked by encryption, and the Citizen Lab found matching failed login attempts on the same date, indicating the authorities never had Pivovarov's password.
The timing is the point. Cellebrite announced in March 2021 that it would stop selling to Russia and Belarus, a move that cut off updates but left existing hardware running. Much of UFED keeps working offline long after support ends, the Citizen Lab says, which is the hole in the cutoff: the risk was never only future sales, it was the installed base already sitting in police and intelligence offices.
That matches earlier reporting that Russia kept using Cellebrite on detainees' phones after the announcement.
Asked for comment on June 22, Cellebrite told the Citizen Lab and Access Now that any use of its legacy hardware in Russia after March 2021 is "entirely unauthorized." It said that hardware runs without its support or consent and that, today, it would be incompatible with modern devices.
Russia stays permanently on its restricted-customer list, the company said, and it is shifting to subscription licenses that stop working when they expire. The distinction matters more legally than operationally: the tool still worked when Russian investigators had the phone in 2021.
One overlap is worth watching: the people whose names were searched on Pivovarov's phone later surfaced as targets of COLDRIVER, an FSB-linked phishing operation, and Burakova was targeted but did not bite.
The Citizen Lab does not claim a direct link, but the mechanism is plain: extract one activist's social graph, and you have the target list for the next campaign.
Citizen Lab's advice for anyone at risk of seizure is blunt, and none of it is foolproof against a forensic tool. Use a strong alphanumeric passcode. Keep the OS current. Turn on Lockdown Mode on iPhones, or Advanced Protection on Android 16 and up. Encrypt the disk on computers. Power the device fully off before walking into a high-risk situation. If a seized device comes back, change every account password and have it examined before wiping it.
Russia joins Serbia, Kenya, and Jordan in a growing list of Cellebrite abuse cases backed by forensics. The sharper lesson is narrower: a sales cutoff that leaves old, offline-capable tools running is not much of a cutoff once the phone is already in a custody room.