Russian authorities hacked the phone of opposition politician Andrey Pivovarov in 2021 using Cellebrite’s forensic tools—three months after the company claimed it had severed ties with Moscow, digital rights researchers found.
The incident shows the difficulty tech firms face in controlling how surveillance tools are used once sold to governments. Cellebrite, an Israeli company with U.S. operations, had announced in March 2021 that it would stop selling hardware and software to Russian agencies. The company’s website states it can disable devices or block updates after ending a contract.
That capability failed in Pivovarov’s case.
Researchers at The Citizen Lab, based at the University of Toronto, discovered forensic evidence on Pivovarov’s iPhone 12 proving it was accessed with Cellebrite’s UFED tool in June 2021. Authorities had confiscated the phone the previous month after detaining Pivovarov, then director of the opposition group Open Russia. A court document later showed investigators used UFED to extract WhatsApp and Telegram messages, along with searches for political terms and names of opposition figures.
Pivovarov received a four-year prison sentence before being released in August 2024 as part of a prisoner exchange that included Wall Street Journal reporter Evan Gershkovich.
The case reveals a recurring issue in the surveillance tech industry: once tools are sold, companies frequently lose oversight of their use. Cellebrite has previously ended relationships with governments in Bangladesh, China, Hong Kong, Myanmar, and Serbia following reports of misuse. Yet revoking support does not always prevent abuse.
“Ending sales and revoking a software license doesn’t stop former customers from misusing the technology,” said Eitay Mack, an Israeli human rights lawyer who has campaigned against surveillance tech firms. Mack pointed out that Cellebrite has never explained whether it requires customers to dismantle the hacking tools it sells, leaving a key gap in its public statements about contract terminations.
Related: New law targets revenge porn online
In theory, revoking a license should reduce Cellebrite’s devices’ effectiveness. The Pivovarov case proves this assumption wrong. John Scott-Railton, a senior researcher at The Citizen Lab, argued Cellebrite should implement stronger measures, such as remotely disabling tools when abuse is reported and adding cryptographic watermarks to trace extracted data back to specific devices.
Cellebrite’s chief marketing officer, David Gee, told researchers in an email that the company “stopped all sales and services to the Russian Federation in March 2021, terminating existing licenses, and immediately began unwinding all legal contracts.” Gee stated any use of Cellebrite hardware in Russia after that date was “entirely unauthorized.” Neither Gee nor a company spokesperson answered follow-up questions about why the tools remained functional.
The Russian Embassy in Washington, D.C., did not reply to requests for comment.
Cellebrite’s UFED devices unlock and extract data from connected phones. Researchers have documented cases where government customers deployed the technology against dissidents, activists, and journalists in Hong Kong and other regions. The company has since withdrawn from some markets, but the Pivovarov case demonstrates how easily tools can outlast corporate promises.
Accountability remains unclear.
If a company cannot enforce its own policies, external oversight may be necessary to prevent misuse of AI-driven surveillance tools in the future.
Leave a Reply