Cellebrite Said It Cut Off Russia in 2021. Its Tool Showed Up on a Jailed Activist's iPhone That June.
A Citizen Lab forensic analysis found UFED traces on Andrey Pivovarov's iPhone 12 three months after Cellebrite said it stopped selling to Russia.

Janet Torvalds
June 26, 2026
Cellebrite told the world in March 2021 that it had "immediately" stopped selling its phone-cracking gear to Russia. On June 17, 2021, a Russian forensic unit plugged one of those tools into the iPhone of a jailed opposition politician and pulled it apart.
That is the finding from The Citizen Lab, the digital-rights research group at the University of Toronto, published June 25. The researchers examined the iPhone 12 of Andrey Pivovarov, the former director of the now-banned group Open Russia, and say they found forensic traces, with high confidence, of Cellebrite's UFED being used against it while the phone sat in police custody.
What the evidence actually is
The smoking gun is mundane, which is what makes it credible. Every time an iPhone trusts a computer over USB, it records that pairing in a system database. Apple keeps these MobileLockdown records on the device. The Citizen Lab found a pairing on June 17, 2021 to a host with the ID 9016926980658937761372207. They had seen that exact fingerprint before, in a 2024 investigation into Cellebrite use against civil society in Jordan, and attributed it to Cellebrite then.
A pairing record alone would be suggestive. In this case there is also paperwork. Pivovarov handed the researchers a forensic report his own prosecution produced, written by the expert center of Russia's Ministry of Interior. It names the tools by product: Cellebrite's UFED Physical Analyzer and the UFED 4PC kit. It documents the operators searching the extracted data for "Open Russia Civic Movement" and for named people, including Mikhail Khodorkovsky, who funded Open Russia, lawyer Anastasiya Burakova, and Pivovarov's partner Tatiana Usmanova.
One more detail is worth pausing on. Security researcher Hassen Selmi, working with the Citizen Lab, found what look like failed login attempts on the phone the same day. The reading is that the authorities did not have Pivovarov's passcode. UFED is the thing that got them in anyway. That is the product working as sold, not a leaked password or a careless suspect.
The part that contradicts the press release
Three months before that June extraction, in March 2021, Cellebrite announced it would stop selling to Russian and Belarusian government agencies, effective immediately. On its own site the company also states that it can flip licenses to an annual subscription and, when those expire, "the device will immediately stop working."
So either the kill switch did not reach this customer, or it does not work the way the marketing copy implies. Cellebrite's chief marketing officer David Gee told the Citizen Lab the company "stopped all sales and services to the Russian Federation in March 2021, terminating existing licenses, and immediately began unwinding all legal contracts," and that "any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorized." Gee and a company spokesperson did not answer TechCrunch's specific follow-up questions, and the full written reply is posted with the report.
"Unauthorized" is doing a lot of work in that sentence. It is also probably true. The question the report raises is whether unauthorized matters once the hardware is already in the building. Eitay Mack, an Israeli human-rights lawyer who has spent years litigating against surveillance vendors, put it bluntly to TechCrunch: "It's not surprising, and is the result of the policies of Cellebrite." Mack's point is that ending a contract and even revoking a software license does not force a former customer to physically hand back or destroy the boxes, and Cellebrite does not say it asks them to.
Why a license revocation is not an off switch
This is the actual mechanism story, so it is worth being precise. A UFED deployment is hardware plus software that runs locally against a phone you have physical possession of. It does not need to phone home to Tel Aviv to crack a handset sitting on the table. If the vendor's only lever is refusing future updates and support, a motivated state customer can keep running the version it already has. Old exploits keep working on old, unpatched phones, and a seized iPhone 12 from 2021 is exactly that.
John Scott-Railton, a senior Citizen Lab researcher, told TechCrunch what would actually close the gap: Cellebrite "should also remote-disable deployments following credible reports of abuse, and end the era of plausible deniability by implementing cryptographically-signed watermarks on all imaged devices." In plain terms, build a real remote brick, and stamp every extraction with a signature so anyone analyzing a phone later can tell which specific Cellebrite unit touched it. Neither is standard today. The Pivovarov case is what their absence looks like.
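The signed-watermark idea quoted above, sketched as an added example (not code from Cellebrite, the Citizen Lab or this article): each extraction unit signs its record with its own Ed25519 key, and an examiner checks the record against a published registry of unit public keys. The record layout, unit names and registry are assumptions; the keys and image bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Watermark is a hypothetical record left on an imaged device; fields are newline-free.
type Watermark struct {
	UnitID, ImageHash, Time string // unit serial, SHA-256 hex, RFC 3339 time
	Sig                     []byte // Ed25519 signature over the three fields
}

func (w Watermark) payload() []byte {
	return []byte(w.UnitID + "\n" + w.ImageHash + "\n" + w.Time)
}

// Stamp signs an extraction record with the unit's own private key.
func Stamp(unit string, key ed25519.PrivateKey, image []byte, when string) Watermark {
	sum := sha256.Sum256(image)
	w := Watermark{UnitID: unit, ImageHash: hex.EncodeToString(sum[:]), Time: when}
	w.Sig = ed25519.Sign(key, w.payload())
	return w
}

// Attribute names the signing unit, or returns false for an unknown unit or a bad signature.
func Attribute(w Watermark, registry map[string]ed25519.PublicKey) (string, bool) {
	pub, ok := registry[w.UnitID]
	if !ok || !ed25519.Verify(pub, w.payload(), w.Sig) {
		return "", false
	}
	return w.UnitID, true
}

// demoSetup builds constructed keys for two units and one stamped sample record.
func demoSetup() (map[string]ed25519.PublicKey, Watermark) {
	a := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	b := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	reg := map[string]ed25519.PublicKey{
		"UNIT-A": a.Public().(ed25519.PublicKey), "UNIT-B": b.Public().(ed25519.PublicKey)}
	return reg, Stamp("UNIT-A", a, []byte("constructed image"), "2025-01-01T00:00:00Z")
}

func main() {
	reg, w := demoSetup()
	fmt.Println(Attribute(w, reg)) // genuine record
}
```

Because the unit ID is inside the signed payload, relabelling a record to point at a different unit fails verification just as editing the image hash does.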
The pattern around it
Cellebrite has been here before. Researchers have documented its customers turning the tools on dissidents, activists, and journalists in Hong Kong, Kenya, and Jordan. The company has responded by cutting off specific governments after the fact, including Bangladesh, China and Hong Kong, Myanmar, and, as recently as February 2026, Serbia. The cutoffs come after the abuse is published, which is the recurring shape of this market: sell broadly, react to headlines.
The report adds one forward-looking thread it is careful not to overstate. Several of the names searched on Pivovarov's phone, including Burakova, were later targeted by COLDRIVER, a hacking group tied to Russia's FSB, per a 2024 Citizen Lab and Access Now investigation. The researchers do not claim the extraction fed those operations. They say the overlap "warrants further investigation," which is the honest version of that sentence.
Who Pivovarov is, briefly
Pivovarov was pulled off a flight at St. Petersburg's airport on May 31, 2021, and detained. Authorities took his iPhone 12 and a MacBook. He was sentenced to four years in 2022 and released in the August 2024 prisoner exchange that also freed Wall Street Journal reporter Evan Gershkovich. The forensic record of what happened to his phone outlasted his sentence.
For everyone else, the practical takeaway is smaller and older than the headline. A forensics tool sold to a government is a capability you do not get back. The contract is a piece of paper. The box on the desk is the thing that matters, and it keeps working.
Sources
- Russia Breaks Into Human Rights Activist's Phone With Cellebrite (citizenlab.ca)
- Cellebrite said it cut off Russia, but Russia used its tools anyway (techcrunch.com)
- Cellebrite Stops Selling Its Digital Intelligence Offerings in Russian Federation and Belarus (cellebrite.com)
- Russian court sentences opposition activist Andrei Pivovarov to 4 years in jail (www.reuters.com)
- Russia and West complete biggest prisoner swap since Cold War (apnews.com)