Cellebrite said it cut off Russia, but Russia used tools anyway

Russian authorities hacked into the phone of a prominent political opponent while he was in prison, using technology made by the intelligence firm Cellebrite — even after the company said it had cut ties with Putin’s government agencies, according to a new report that raises new questions about how well Western tech companies can really control how their devices are used in the wild.
The case is a cautionary tale for any technology company that sells to governments. Cellebrite, an Israeli outfit with a second headquarters in Virginia that sells to governments around the world – including the US – had announced it would stop supplying hardware and software to Russia. Apparently, it could not follow through.
Researchers at The Citizen Lab, a digital rights advocacy group based at the University of Toronto, say they have found evidence that the Russian government’s investigative unit used a Cellebrite phone-hacking tool to hack into the iPhone of local human rights activist and opposition politician Andrey Pivovarov in June 2021.
Three months before the hack, Cellebrite had announced it would “immediately stop” selling its technology to its Russian government customers. On its official website, Cellebrite says that starting in March 2021, when it cut ties with Putin’s government, the company “may stop the device from operating or receiving software updates.”
It’s not clear why that didn’t happen in this case. The episode reveals an unpleasant truth about surveillance technology: if powerful hacking and surveillance tools reach the wrong customer, it’s not that easy to get them back. Tools proliferate, are abused, and can continue to be abused, often long after the company that built them has washed its hands of the customer.
“No wonder, either [it] it’s a result of Cellebrite’s policies,” said Eitay Mack, an Israeli human rights lawyer who has long campaigned against surveillance technology makers like Cellebrite and spyware maker NSO Group.
Contact us
Do you have more information about Cellebrite? Or about how Cellebrite’s customers abuse its technology? We would love to hear from you. On a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or via email.
Mack argued that stopping sales, or even revoking the software license, does not stop a former Cellebrite customer from misusing the company’s technology, as this case shows. Mack also pointed out that Cellebrite refuses to say whether it asks customers to dismantle the hacking tools it sold them, a critical gap in its disclaimer announcements.
The case, Mack added, suggests that former customers may still be abusing Cellebrite’s phone unlocking tool, called UFED, even after the company stops supporting the customer and may revoke its software license. In theory, that should make the company’s devices less useful.
John Scott-Railton, senior researcher at Citizen Lab, told TechCrunch that Cellebrite “should also disable remote posting following credible reports of abuse, and end the era of sound deniability by using cryptographically signed watermarks on all imaging devices.” In plain words, Cellebrite should be able to remotely brick its devices if misused, and should build in a type of digital fingerprint so that any data released through its technology can be traced back to where a particular device was used.
Cellebrite sells hardware devices designed to unlock and access mobile phones connected to them. Over the years, researchers have documented cases where the company’s clients used its technology against dissidents, human rights activists, and journalists in Hong Kong, Kenya, and Jordan. In response to some of these findings, Cellebrite cut ties with Bangladesh, China and Hong Kong, Myanmar, and Serbia.
In an email to Citizen Lab, which he shared with TechCrunch, Cellebrite chief marketing officer David Gee said the company “ceased all sales and services in the Russian Federation in March 2021, terminated existing licenses, and began revoking all legal contracts. Any use of legacy Cellebrite hardware in Russia after March 2021 is strictly prohibited.”
Gee, along with Cellebrite spokesman Victor Cooper, did not respond to a series of specific questions sent by TechCrunch.
In Pivovarov’s case, Citizen Lab researchers say they were able to find evidence on his phone that it was hacked through Cellebrite UFED, after Russian authorities detained him and confiscated his iPhone 12 and MacBook in May 2021.
Pivovarov also shared with researchers a court document he obtained as part of his prosecution. In it, the Russian government’s Criminalist Expert Center detailed its use of Cellebrite UFED to hack into his phone, saying authorities used UFED to extract data including WhatsApp and Telegram messages. They also searched the phone for political names, as well as names of dissidents, including the targets of what the researchers described as alleged hacking of the Russian government.
Pivovarov was the director of the now defunct opposition group Open Russia. He was later sentenced to four years in prison, before being released in August 2024 as part of a prisoner swap between Russia and the West that also freed Wall Street Journal reporter Evan Gershkovich.
The Russian embassy in Washington DC did not respond to a request for comment.



