Cellebrite's Russia Exit Failed: Forensics Confirm Its Tools Cracked Activist's iPhone
Source:TechTimes

A new forensic investigation published June 25 by the Citizen Lab at the University of Toronto has confirmed what Cellebrite's March 2021 exit announcement from Russia implicitly promised could not happen: Russian investigators used the company's flagship UFED phone-cracking tool on the seized iPhone of a jailed opposition activist three months after the company said it had terminated all contracts. The finding matters beyond Russia — it is documented proof that a surveillance-tech "sales cutoff" cannot stop an offline-capable hardware tool from continuing to operate in the hands of an authoritarian government that already has it.

The case is Andrey Pivovarov's. The evidence is double-sourced: forensic traces on his phone and Russia's own prosecution paperwork. Both point to the same tool, used on the same date, against someone the Kremlin had already decided to imprison.

Who Is Andrey Pivovarov?

Pivovarov served as executive director of the Russian branch of Open Russia, a pro-democracy organization the Kremlin had designated "undesirable" in April 2017. On May 27, 2021, he announced the branch's dissolution to protect members from prosecution. Four days later, Russian security services pulled him off a departing flight at St. Petersburg Airport, confiscated his iPhone 12 and Apple MacBook, and placed him under formal arrest. He never consented to a search and never surrendered his passwords.

A Russian court sentenced him to four years in prison in July 2022 on charges of operating an "undesirable organization," charges condemned as politically motivated by Amnesty International, Human Rights Watch, and the European Court of Human Rights. He was freed on August 1, 2024, in a multilateral prisoner exchange and now lives in exile in Germany.

Two Sources, Same Conclusion

What makes the Citizen Lab investigation unusual is the confluence of evidence. After Pivovarov connected with Citizen Lab researchers at the World Liberty Congress in Berlin in the fall of 2025, he submitted his iPhone for analysis. Researchers examined the device's MobileLockdown records — a log of trusted USB connections that iOS maintains natively — and found a pairing on June 17, 2021, to a Host ID they had previously attributed to Cellebrite in a separate investigation involving Jordanian civil society. That technical fingerprint was their forensic finding.
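The forensic step described above, matching trusted-host pairing records against a custody window and a watchlist of previously attributed Host IDs, can be illustrated with a short script. This is an added example, not Citizen Lab's tooling: the pairing records are a constructed sample in the shape of iOS lockdown pairing plists (HostID and SystemBUID are real keys; the PairedAt timestamp is an assumed field standing in for whatever timestamp the analyst recovers), and the Host IDs in the watchlist are placeholders, not identifiers anyone has published.

```python
import plistlib
from datetime import datetime

# Hypothetical watchlist of Host IDs previously attributed to specific forensic
# workstations. The UUIDs are placeholders, not identifiers published by anyone.
ATTRIBUTED_HOSTS = {
    "00000000-AAAA-4000-8000-00000000F0ED": "forensic extraction workstation (assumed attribution)",
}

# Constructed sample in the shape of iOS lockdown pairing records. HostID and
# SystemBUID are real keys in such records; PairedAt is an assumed field standing
# in for whatever timestamp the analyst recovers (file metadata, for instance).
SAMPLE_RECORDS = plistlib.dumps({
    "PairRecords": [
        {"HostID": "5D1E2C34-1111-4B2B-9C9C-0A0A0A0A0A01",
         "SystemBUID": "B1",
         "PairedAt": datetime(2020, 11, 3, 9, 12)},   # the owner's own laptop
        {"HostID": "00000000-aaaa-4000-8000-00000000f0ed",
         "SystemBUID": "B2",
         "PairedAt": datetime(2021, 6, 17, 14, 5)},   # pairing during custody
    ]
})


def find_pairings(plist_bytes, watchlist, custody_start, custody_end):
    """Parse pairing records and annotate each with two independent signals:
    whether the pairing falls inside the custody window, and whether the
    Host ID is on the watchlist. Every record is returned so the analyst
    also sees unattributed hosts that paired during custody."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for rec in data.get("PairRecords", []):
        host = str(rec.get("HostID", "")).upper()   # normalise case before lookup
        paired = rec.get("PairedAt")                 # naive datetime, treated as UTC
        in_window = paired is not None and custody_start <= paired <= custody_end
        findings.append({
            "host_id": host,
            "paired_at": paired,
            "in_custody_window": in_window,
            "attribution": watchlist.get(host),
        })
    return findings


def suspicious(findings):
    """Records worth a closer look: paired during custody, or a known host."""
    return [f for f in findings if f["in_custody_window"] or f["attribution"]]


if __name__ == "__main__":
    custody = (datetime(2021, 5, 31), datetime(2021, 7, 1))
    for f in suspicious(find_pairings(SAMPLE_RECORDS, ATTRIBUTED_HOSTS, *custody)):
        print(f"{f['paired_at']:%Y-%m-%d}  host={f['host_id']}  "
              f"attribution={f['attribution'] or 'unknown'}")
```

The two signals are kept separate on purpose: a pairing inside the custody window from an unknown host is still a finding (it shows a trusted connection the owner did not make), while a watchlist hit outside the window is what turns a date into an attribution.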

The second source is Russia's own prosecution paperwork. A document titled "Forensic Expert Report No. 1269-17," prepared by the Interior Ministry's Forensic Expert Center on behalf of the Investigative Committee, was disclosed to Pivovarov as part of his criminal prosecution. He shared it with the Citizen Lab. The report names Cellebrite's UFED Physical Analyzer and UFED 4PC by product name, confirms that data was extracted from WhatsApp, Telegram, and Viber, and documents keyword searches run against the extracted content. Search terms included "Open Russia Civic Movement" and the names of several opposition figures, among them Mikhail Khodorkovsky — the exiled founder of Open Russia — human rights lawyer Anastasiya Burakova, and Pivovarov's partner, Tatiana Usmanova.

Pivovarov's MacBook resisted. Russia's own report acknowledges that full-disk encryption blocked any extraction of the laptop's file system. Citizen Lab forensics found matching failed login attempts on June 17, 2021 — the same date — confirming the authorities never obtained the MacBook's password.

Why Surveillance Tool Sales Cutoffs Cannot Stop Offline Hardware

This is the finding that extends beyond Pivovarov's case. The UFED product series was designed specifically for field use by law enforcement in environments that may lack network connectivity. The hardware and software run extraction operations locally, without requiring an active connection to Cellebrite's servers. When a contract ends, the company can revoke software update access and withhold new device support packages. It cannot, under the current product architecture, remotely disable a UFED unit that is already in a police evidence lab and operating offline.

Cellebrite's own website has long stated that the company "can stop the device from functioning or receiving software updates." In this case, the device kept functioning. Stopping software updates is not the same as stopping core extraction functionality in a product built to run without a network.

Access Now, which co-authored the response alongside Citizen Lab, disclosed a further detail that undercuts Cellebrite's timeline: research by the Russian human rights organization First Department found in 2024 that Russian authorities may have continued receiving software updates for UFED devices even after the March 2021 cutoff date — not merely operating on legacy hardware already in hand. If confirmed, that would mean Cellebrite's "termination of existing licenses" claim does not fully describe what actually occurred.

Additionally, in 2023, Russian independent media Mediazona reported that after Russia's 2022 full-scale invasion of Ukraine, the FSB used Cellebrite's tools against anti-war activist Dmitry Ivanov, who was subsequently sentenced to eight and a half years in prison for opposing the war. The Ivanov case means the Pivovarov case is not an isolated carryover from pre-cutoff hardware — it is part of a documented pattern of continued operational use at least two years after Cellebrite's exit announcement.

Cellebrite's Response and Its Limits

Cellebrite's chief marketing officer David Gee responded to the Citizen Lab and Access Now in writing on June 24, 2026: the company "stopped all sales and services to the Russian Federation in March 2021, terminating existing licenses, and immediately began unwinding all legal contracts." He characterized any post-March 2021 use of legacy hardware as "entirely unauthorized" and asserted that the equipment "would now be incompatible with modern devices and would operate without our technical support, our consent or any legal sanction from Cellebrite."

The response is legally defensible. It does not explain why Cellebrite's own claim that it "can stop the device from functioning" did not apply here, nor does it address the First Department finding that updates may have continued. The company is, however, announcing a structural change: it is moving away from perpetual hardware licenses toward subscription-based licensing arrangements where access expires automatically if a contract lapses. That change would, if complete and applied to all future customers, close the gap this case exposed. It applies to future sales. For the installed base of governments that received hardware under older license models, it changes nothing.

From Pivovarov's Contacts to the Next Campaign

Citizen Lab researchers flagged an additional dimension. Several individuals whose names Russian investigators searched for on Pivovarov's phone — including Burakova — later surfaced as targets of COLDRIVER, an FSB-linked cyber-espionage group that the U.S. and British governments have attributed to the FSB's Center for Information Security. Burakova was targeted in May 2024 but did not open the phishing attachment. Citizen Lab does not assert a direct causal link between Pivovarov's extracted contact data and the later COLDRIVER targeting, but the operational mechanism is straightforward: extract one activist's communication graph, and you have a pre-qualified list of targets for the next phase of a campaign.

Cellebrite Abuse Now Confirmed Across Eight Countries

The Russia case is the latest in a documented series of Cellebrite abuse incidents that Citizen Lab and partner organizations have confirmed with forensic evidence. In January 2026, Citizen Lab published findings from Jordan, where authorities had extracted data from the phones of at least seven activists between late 2023 and mid-2025, all detained for speech critical of Israel's military campaign in Gaza. In February 2026, Citizen Lab documented Kenyan authorities using Cellebrite to break into the phone of prominent activist Boniface Mwangi while he was in police custody. In February 2025, Amnesty International published evidence that Serbian police had used Cellebrite to unlock devices and subsequently install domestic spyware — findings that led Cellebrite to suspend its Serbian contracts.

Cellebrite cut off Bangladesh, Myanmar, Russia, and Belarus — all in response to external exposure rather than internal audits. After Amnesty International named Serbia specifically and provided technical artifacts, Cellebrite suspended those contracts. In Jordan and Kenya, after Citizen Lab published findings relying on comparable forensic evidence, the company described the evidence as insufficient for action and declined to disclose its criteria for what would constitute adequate proof.

Senior Citizen Lab researcher John Scott-Railton told TechCrunch that Cellebrite "should also remote-disable deployments following credible reports of abuse, and end the era of plausible deniability by implementing cryptographically-signed watermarks on all imaged devices." The first measure would require designing a kill switch into the product; the second would ensure that any data extracted by a specific UFED unit carries a traceable digital identifier linking it to that device.
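To make the second proposal concrete, here is an added sketch of what a signed watermark on an extraction could look like: a manifest naming the extracting unit, the target device and the hash of the produced image, with an authentication tag computed under that unit's key, so that a copy of the image can later be tied back to the unit that produced it and any relabelling or alteration is detected. This is an illustration written for this article, not Cellebrite's design or any product's format; all field names, unit IDs and keys are assumptions, and HMAC with a per-unit key (held by the vendor or an independent auditor) stands in for the per-unit asymmetric signature a real scheme would use so that anyone with the public key could verify.

```python
import hashlib
import hmac
import json

# Constructed per-unit keys, as they might be held by the vendor or an
# independent auditor. Unit IDs and key bytes are placeholders.
UNIT_KEYS = {
    "UFED-UNIT-0001": b"\x11" * 32,
    "UFED-UNIT-0002": b"\x22" * 32,
}

# Constructed stand-in for an extraction image.
SAMPLE_IMAGE = b"constructed sample extraction image bytes"


def image_digest(image_bytes):
    return hashlib.sha256(image_bytes).hexdigest()


def make_manifest(unit_id, device_udid, image_bytes, extracted_at):
    """Metadata bound to the image: which unit, which device, when, and the
    hash of what was produced. Field names are assumptions."""
    return {
        "unit_id": unit_id,
        "device_udid": device_udid,
        "extracted_at": extracted_at,
        "image_sha256": image_digest(image_bytes),
    }


def _canonical(manifest):
    # Fixed key order and separators so both sides authenticate identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def watermark(manifest, unit_key):
    """HMAC over the canonical manifest with the unit's key. A real design
    would use a per-unit signing key pair so anyone with the public key can
    verify; HMAC is used here only to stay within the standard library."""
    return hmac.new(unit_key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify(manifest, tag, image_bytes, unit_keys):
    """True only if the manifest names a known unit, the image matches the
    hash the manifest commits to, and the tag was made with that unit's key."""
    key = unit_keys.get(manifest.get("unit_id"))
    if key is None:
        return False
    if image_digest(image_bytes) != manifest.get("image_sha256"):
        return False
    return hmac.compare_digest(watermark(manifest, key), tag)


def demo():
    """Genuine extraction verifies; relabelling the unit or altering the
    image does not."""
    m = make_manifest("UFED-UNIT-0001", "constructed-udid-1234", SAMPLE_IMAGE,
                      "2000-01-01T00:00:00Z")  # placeholder timestamp
    tag = watermark(m, UNIT_KEYS[m["unit_id"]])
    genuine = verify(m, tag, SAMPLE_IMAGE, UNIT_KEYS)
    relabelled = verify(dict(m, unit_id="UFED-UNIT-0002"), tag, SAMPLE_IMAGE, UNIT_KEYS)
    altered = verify(m, tag, SAMPLE_IMAGE + b"x", UNIT_KEYS)
    return genuine, relabelled, altered


if __name__ == "__main__":
    print(demo())
```

The point of binding the image hash into the manifest is that the watermark then travels with the data itself: a report built from the image can be checked against the manifest, and a manifest that names one unit cannot be reattached to another unit's output without the tag failing.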

What Journalists, Activists, and Anyone Facing Seizure Can Do

Citizen Lab's practical guidance for anyone who faces or expects device seizure is straightforward, though none of it guarantees protection against a forensic tool applied to a phone in physical custody:

  • Use a strong alphanumeric passcode rather than a short numeric PIN.
  • Keep the device's operating system fully updated.
  • Enable Lockdown Mode on iPhones, which restricts USB accessory connections and significantly raises the difficulty of forensic extraction.
  • Enable Advanced Protection on Android 16 and later, which includes USB Protection that limits unauthorized data access when the screen is locked.
  • Encrypt all laptops with full-disk encryption — Pivovarov's encrypted MacBook resisted extraction entirely where his iPhone did not.
  • Power the device completely off before entering any high-risk situation, including border crossings, police encounters, or arrest.
  • If a seized device is returned, change all account passwords and have the device professionally examined before restoring it to regular use.

Lockdown Mode, introduced by Apple in iOS 16 in 2022, is specifically designed to limit forensic tool access by blocking unauthorized USB connections and restricting incoming message attachments. Combining strong passcodes, full-disk encryption on laptops, and Lockdown Mode on iPhones raises the cost of extraction significantly — though no protection is absolute against a forensic tool applied to a device in custody for weeks.


Frequently Asked Questions

Can Cellebrite actually stop its tools from working after a contract ends?

Only partially. Cellebrite can revoke software update access and prevent new device support packages from reaching a customer's UFED unit. But the core extraction functionality of UFED was designed to run offline, without a network connection — it was built that way for field use by law enforcement. That architecture means core functions can continue operating even without vendor authorization or support. Cellebrite has announced it is shifting to subscription-based licensing that expires automatically, which would close this gap for future customers. The installed base of governments that received hardware under perpetual licenses is not affected by that change.

What is the Cellebrite UFED and how does it work?

The Universal Forensic Extraction Device is a forensic hardware and software platform that law enforcement agencies use to extract data from locked or encrypted phones. A UFED unit connects physically to a seized device and applies a combination of techniques — logical extraction through the device's API, file system extraction, and in some cases physical extraction that bypasses security controls — to pull data including messages, call logs, app data, deleted files, and location history. The UFED 4PC is a software-only version that runs on any Windows laptop; the Physical Analyzer is the analysis and reporting interface. Neither requires a live internet connection to perform an extraction.

What happened to Andrey Pivovarov, and where is he now?

Pivovarov was detained by Russian security services on May 31, 2021, at St. Petersburg Airport. Russian investigators used Cellebrite's UFED to extract data from his iPhone without his consent. He was sentenced in July 2022 to four years in prison on charges of leading an "undesirable organization," a designation the European Court of Human Rights found incompatible with human rights law. He was freed on August 1, 2024, as part of a prisoner exchange that also returned Wall Street Journal reporter Evan Gershkovich. Pivovarov now lives in exile in Germany and remains active in Russian anti-war civil society.

What can activists do to protect their phones from forensic surveillance tools like UFED?

Use a strong alphanumeric passcode and keep your phone's operating system current. Enable Lockdown Mode on iPhones (Settings > Privacy and Security > Lockdown Mode) — it restricts the USB connections that forensic tools like UFED depend on. For laptops, enable full-disk encryption; Pivovarov's encrypted MacBook resisted extraction entirely where his iPhone did not. Power devices completely off before entering high-risk situations, since forensic extraction is harder on a device that has never been unlocked in a given power cycle. No protection is absolute against a forensic tool applied to a phone in custody for an extended period, but combining strong passcodes, encryption, and Lockdown Mode raises the cost of extraction significantly.