Russia Used Cellebrite Tools to Access Activist’s iPhone Months After Sales Suspension

A new investigation by Citizen Lab has found that Russian authorities used Cellebrite’s Universal Forensic Extraction Device technology to access the iPhone of detained opposition activist Andrey Pivovarov in June 2021, approximately three months after Cellebrite announced it had suspended the sale of its products and services to Russia and Belarus. The findings, published on June 25, are based on forensic evidence recovered directly from Pivovarov’s iPhone along with official Russian government documents that explicitly identify the forensic software used during the investigation. Researchers said the examination focused on extracting communications and information related to political contacts, opposition figures, and activist organizations while the device remained in government custody. The analysis determined that the activity involved physical forensic access to a confiscated device rather than remote surveillance software or spyware.

According to Citizen Lab, Andrey Pivovarov, who led the opposition movement Open Russia, was removed from a flight at St. Petersburg airport on May 31, 2021, after Russian authorities declared the organization undesirable under national law. His iPhone 12 and MacBook were confiscated during the detention, and investigators reportedly carried out forensic examinations without his consent or access credentials. Pivovarov did not provide passwords for either device, and both remained in official custody until they were returned in 2023. He was sentenced to four years in prison in July 2022 before being released as part of a prisoner exchange in August 2024. After recovering the devices, Pivovarov provided the iPhone to Citizen Lab researchers in late 2025, allowing them to analyze forensic traces that remained from the period when the device was held by Russian authorities. Researchers discovered MobileLockdown records showing that the iPhone established a trusted USB pairing on June 17, 2021, with a host identifier matching a Cellebrite fingerprint previously documented in another forensic investigation conducted in Jordan. Citizen Lab described this as high-confidence evidence that Cellebrite’s UFED platform had been used during the examination.

The findings were further supported by official documentation supplied by Pivovarov during the investigation. The report, titled Forensic Expert Report No. 1269 17, was prepared by Russia’s Investigative Committee through the Interior Ministry’s forensic center and specifically referenced Cellebrite UFED Physical Analyzer and UFED 4PC by name. According to the report, investigators extracted data from messaging applications including WhatsApp, Telegram, and Viber before conducting keyword searches involving Open Russia Civic Movement, opposition figure Mikhail Khodorkovsky, lawyer Anastasiya Burakova, and Pivovarov’s partner Tatiana Usmanova. While the iPhone examination was successful, the accompanying MacBook remained protected because investigators were unable to bypass its encryption. Citizen Lab confirmed that failed login attempts recorded on the computer matched the same examination period, indicating authorities did not possess the correct password. Researchers emphasized that the timing of the forensic examination is particularly significant because Cellebrite publicly announced in March 2021 that it would halt sales to Russia and Belarus. However, existing forensic equipment already deployed in the country continued functioning without requiring ongoing vendor support or software updates, allowing investigators to continue using the technology after the sales suspension.

Cellebrite responded to questions from Citizen Lab and Access Now by stating that any use of its legacy hardware in Russia after March 2021 was entirely unauthorized and occurred without the company’s support or approval. The company added that Russia remains permanently listed among its restricted customers and explained that it is transitioning to subscription-based licensing that disables products when licenses expire. Citizen Lab noted that while this licensing approach may prevent future unauthorized use, the forensic tools available in 2021 remained fully operational when Russian authorities examined Pivovarov’s phone. Researchers also observed that several individuals whose names appeared in searches conducted on the seized device were later targeted in phishing operations attributed to COLDRIVER, a group linked to Russia’s Federal Security Service. Although Citizen Lab did not establish a direct connection between the forensic examination and subsequent phishing activity, researchers noted that extracting contact networks from confiscated devices can provide valuable intelligence for future operations. Citizen Lab advised individuals who face a high risk of device seizure to use strong alphanumeric passcodes, keep operating systems fully updated, enable Lockdown Mode on iPhones or Advanced Protection on supported Android devices, encrypt computer storage, completely power off devices before entering high-risk situations, and change all account passwords if a confiscated device is returned. The report places Russia alongside Serbia, Kenya, and Jordan as countries where documented forensic evidence has shown the use of Cellebrite technology in sensitive investigations involving activists and civil society members.
