Russian authorities used Cellebrite tools to unlock an activist’s iPhone and analyze private data despite canceled support, raising abuse concerns.

On May 31, 2021, Russian security services pulled opposition activist Andrey Pivovarov off a flight at St. Petersburg airport and confiscated his iPhone 12 and MacBook. He never consented to a search and never gave up his passwords. Three weeks later, on June 17, while his devices sat in custody, Russian authorities used Cellebrite’s forensic tools to break into his phone. Cellebrite had announced it was stopping sales to Russia three months earlier.

The Citizen Lab published its findings on June 25, 2026. What makes this case unusual is that the evidence comes from two independent sources that line up exactly.

“Our analysis found traces of the use of Cellebrite’s forensic tools with high confidence on Pivovarov’s iPhone 12 on or around June 17, 2021, during a period when the device was in the custody of the Russian authorities.” reads the report published by Citizen Lab. “Our forensic analysis of MobileLockdown records from Pivovarov’s iPhone show USB connections to a device with a Host ID on June 17, 2021 that we previously attributed to Cellebrite.”

The second source is Russia’s own paperwork. Pivovarov received a prosecution document, Forensic Expert Report No. 1269-17, prepared by the Interior Ministry’s forensic center, and he gave a copy to the Citizen Lab. It names Cellebrite UFED Physical Analyzer and UFED 4PC by product name.

The investigators didn’t just extract data. They searched it.

“The authorities documented gathering extensive information from the device, including data from apps like WhatsApp, Telegram, and Viber.” continues the report.

The MVD report shows searches for “Open Russia Civic Movement” and for named individuals including Mikhail Khodorkovsky, who founded Open Russia, human rights lawyer Anastasiya Burakova, and Pivovarov’s partner Tatiana Usmanova.
This was a political map-building exercise disguised as a criminal investigation.

The MacBook resisted. Russia’s own report documents a failed extraction attempt, blocked by disk encryption, and Citizen Lab forensics found matching failed login attempts on June 17, confirming the authorities never had the password.

Pivovarov was sentenced to four years in July 2022 on charges of running an “undesirable” organization — a label Russia applied to Open Russia, and one the European Court of Human Rights later found incompatible with the European Convention on Human Rights. He was freed in August 2024 in a prisoner exchange.

The timing raises a question Cellebrite can’t easily answer. The company cancelled its Russian contracts in March 2021, which cut off future updates but left existing hardware running. The Russian and Belarusian authorities would cease to receive updates for their Cellebrite devices, but evidence demonstrates that more than a year later, Russian authorities were still using the tool to hack political detainees’ cellphones.

“Our forensic findings confirm the reports that Russian authorities developed a range of methods to continue leveraging Cellebrite in political prosecutions (as well as other device hacking tools) despite the contract cancellation. The historic architecture of Cellebrite forensic systems means that much of the functionality in the UFED product has continued to operate long after updates cease.” continues the report. “Furthermore, Cellebrite systems have historically featured an offline mode. Consequently, the way Cellebrite’s technology was designed appeared to make it difficult for the company to meaningfully cut off problematic customers.”

Cellebrite told the Citizen Lab that any use of its legacy hardware after March 2021 is “entirely unauthorized” and that the hardware runs without its support or consent.
That’s legally accurate and operationally irrelevant: the tool worked, the phone was open, and the extraction happened.

There’s an additional thread worth following. The names pulled from Pivovarov’s phone later appeared as targets in a COLDRIVER phishing campaign, the FSB-linked operation that went after Russian opposition figures abroad. Burakova was targeted but didn’t open the attachment. The Citizen Lab doesn’t claim a direct causal link, but the mechanism is straightforward: extract one activist’s contact list and you have a ready-made target list for the next operation.

Russia now joins Serbia, Kenya, and Jordan on the Citizen Lab’s list of Cellebrite abuse cases backed by hard forensic evidence. Cellebrite says it’s moving to subscription licenses that stop working when they expire, which would prevent the installed-base problem from recurring. The company’s track record of selling to repressive governments, cancelling contracts only after third-party exposure, and reacting selectively makes that commitment worth watching rather than simply trusting.

“Cellebrite’s record suggests it is comfortable pursuing contracts with governments that are likely to use its technology to commit human rights abuses. Cellebrite previously sold to autocratic and repressive countries including Russia, Belarus, China, Jordan, Kenya, Myanmar, Serbia, and Botswana, among others.” concludes the report. “There is also a growing list of forensically-documented cases in which Cellebrite technology was used for political repression, from Serbia and Kenya to Jordan and now Russia, and where the company has shown a mixed record of contract cancellations.”

Pierluigi Paganini

(SecurityAffairs – hacking, mobile)