Cellebrite Cut Off Serbia for Planting Spyware on a Journalist's Phone but Will Not Do the Same for Others

What Happened in Serbia

In February 2024, Serbian police detained investigative journalist Slavisa Milanov during what appeared to be a routine traffic stop. Officers took him to a police station, confiscated his phone, and questioned him. When he was released, he noticed his data and WiFi settings had been disabled.

Milanov took his phone to Amnesty International's Security Lab, where forensic analysis revealed what had happened while the device was in police custody. Serbian authorities had used a Cellebrite tool to unlock his phone without his knowledge, consent, or any disclosed legal authorization. They then extracted his data and installed a previously unknown spyware called NoviSpy.

NoviSpy can extract personal data from an infected device, activate the microphone and camera remotely, and transmit everything back to its operators. It was installed during the brief window when police had physical possession of the phone.

Why Cellebrite Cut Off Serbia

Cellebrite, the Israeli company that makes phone unlocking and data extraction tools used by law enforcement agencies worldwide, announced it had suspended Serbian police as customers. The company cited Amnesty International's technical report as the basis for its decision, calling the documented abuse a violation of its end user licensing agreement.

This was a rare instance of a surveillance technology vendor publicly cutting off a government client. Cellebrite stated that its tools are designed for lawful investigations and that misuse to target journalists and civil society crosses a line the company will not tolerate.

The decision followed sustained public pressure from human rights organizations and media coverage that made the Serbian case impossible to ignore.

The Double Standard

Cellebrite's decision to act against Serbia raises an uncomfortable question: why Serbia and not others? Documented cases of similar abuse exist in multiple countries where Cellebrite maintains active contracts.

In Kenya, Citizen Lab researchers found that authorities used Cellebrite tools to break into the phone of a political dissident while he was in police custody. The parallels to the Serbian case are striking, right down to the method of confiscation during detention.

In Jordan, human rights groups documented the use of phone cracking tools against activists critical of the government's response to the Gaza conflict. Cellebrite's response to both cases was to dismiss the allegations and decline to commit to any investigation.

The inconsistency suggests that Cellebrite's decision to cut off Serbia was driven more by public relations pressure than by a principled commitment to preventing abuse. When the evidence is equally strong but the media attention is weaker, the company stays quiet.

The Broader Surveillance Industry Problem

Cellebrite is not the only company in this space. The forensic phone cracking industry supplies tools to law enforcement agencies across more than 150 countries. Other vendors like Grayshift and MSAB provide similar capabilities with even less transparency about their customer lists and abuse prevention policies.

The fundamental problem is structural. These companies sell tools that can bypass the security protections on any phone, and once sold, they have limited ability or willingness to control how those tools are used. End user agreements prohibiting misuse are unenforceable in practice, especially when the customer is a government with sovereign authority.

Until there are binding international regulations governing the sale and use of phone cracking technology, individual vendor decisions like Cellebrite's will remain selective and reactive rather than systematic.

What This Means for Journalists and Activists

The Serbian case demonstrates that the greatest risk to a journalist's phone security is physical access. NoviSpy was not installed remotely through a zero click exploit like Pegasus. It was installed while police had the device in hand during a detention that lasted minutes.

For anyone working in journalism, activism, or human rights, this means:

• Never let your phone out of your sight during interactions with law enforcement. If it is confiscated, assume it has been compromised
• Use a strong alphanumeric passcode rather than biometrics. A fingerprint can be compelled; a password stored only in your memory cannot be extracted from the device
• Keep your operating system updated. Cellebrite exploits rely on known vulnerabilities that patches can close
• If your phone behaves unexpectedly after any encounter with authorities, have it forensically examined by a trusted organization like Amnesty International's Security Lab or Citizen Lab
• Consider using a secondary device for sensitive communications that never leaves your physical possession

Cellebrite cutting off Serbia is a step in the right direction. But until the same standard is applied to every government client that misuses these tools, the surveillance industry's self regulation remains a performance, not a policy.