Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 26, 2026 · 8 min read

Russia Hacked an Activist's iPhone With Cellebrite

Citizen Lab and Access Now published forensic proof that Russia's FSB used Cellebrite UFED to extract data from Andrey Pivovarov's phone in June 2021 — three months after Cellebrite's public announcement that it had cut off all Russian contracts.

Andrey Pivovarov was pulled off a flight at St. Petersburg's Pulkovo Airport on May 31, 2021, by Russian security service officers. His iPhone 12 and MacBook were confiscated. Three weeks later, on or around June 17, 2021, Russia's FSB cracked open the iPhone using a Cellebrite UFED forensic extraction device. The documents pulled from that phone were later used as evidence in the criminal prosecution that sent him to prison for four years.

None of that would be remarkable if not for one detail: Cellebrite had publicly announced it was terminating all sales and service contracts with Russian authorities in March 2021 — three months before the iPhone was broken into.

Key Takeaways

  • Citizen Lab and Access Now published forensic evidence showing Russia's FSB used Cellebrite UFED to extract data from Andrey Pivovarov's iPhone 12 on approximately June 17, 2021.
  • Cellebrite announced it had terminated all Russian contracts in March 2021, citing human rights concerns — making the extraction unauthorized by the company's own account.
  • The forensic smoking gun was Host ID 9016926980658937761372207 in MobileLockdown USB connection logs, previously linked to Cellebrite in a separate Citizen Lab investigation of Jordanian civil society.
  • Political documents and communications extracted from Pivovarov's iPhone were used in the prosecution that sentenced him to four years in prison in July 2022.
  • Citizen Lab's John Scott-Railton has called on Cellebrite to implement remote disable capability and cryptographically signed watermarks on all imaged devices.

Who Is Andrey Pivovarov?

Andrey Pivovarov was the executive director of Open Russia, a pro-democracy nonprofit founded by Mikhail Khodorkovsky. His arrest at Pulkovo Airport came one day after Russia formally designated Open Russia as an "undesirable organization" — a legal category that criminalizes participation. He was sentenced to four years in a Russian penal colony in July 2022. Pivovarov was released in the August 2024 prisoner exchange that also freed Wall Street Journal reporter Evan Gershkovich. He now lives in Germany.

His case is notable not because a Russian dissident was surveilled — that happens with grim regularity — but because the forensic record directly contradicts a corporate announcement that was treated, at the time, as meaningful accountability.

Cracked smartphone with forensic cables connected, dramatic indigo lighting representing state-sponsored surveillance and digital forensics used against dissidents

What Does the Forensic Evidence Show?

Citizen Lab and Access Now conducted a forensic analysis of Pivovarov's iPhone 12 and found two categories of artifacts that together constitute near-conclusive evidence of Cellebrite UFED use.

The first is a Host ID number — 9016926980658937761372207 — found in the iPhone's MobileLockdown USB connection records. Citizen Lab had previously attributed this exact Host ID to Cellebrite hardware in a separate investigation into the surveillance of Jordanian civil society activists. When the same identifier appears on devices in Jordan and Russia, it is not a coincidence; it is a forensic fingerprint.

The second category is UFED signature artifacts on the device consistent with the extraction workflow Cellebrite tools follow when copying data from an iPhone. The Russian government's own forensic report provided to Pivovarov's legal team states that UFED was used to examine the devices — a self-incriminating detail that corroborates the Citizen Lab findings from an official source.

The extracted material included political documents and communications that prosecutors framed as evidence of "carrying out the activities of an undesirable organization." The MacBook was not compromised. Only the iPhone.

What Did Cellebrite Say, and Why Isn't It a Sufficient Answer?

Cellebrite's official response is that "any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorized," and that older hardware is "incompatible with modern devices" without ongoing technical support.

There are two problems with this framing. First, an iPhone 12 running the software version it had in June 2021 was not beyond the reach of legacy UFED tooling. The extraction happened. The forensic record documents it.

Second: Cellebrite's architecture has historically included an offline mode. The hardware does not require a live connection to Cellebrite servers to function. There is no remote kill switch. There are no cryptographically signed watermarks that would identify which specific device performed an extraction. When Cellebrite terminates a contract, the physical hardware continues to work exactly as it did the day before the announcement. The announcement changes the legal relationship between Cellebrite and its customer. It does not change what the device can do.

John Scott-Railton of the Citizen Lab has been explicit about what accountability would actually require: Cellebrite "should also remote-disable deployments following credible reports of abuse, and end the era of plausible deniability by implementing cryptographically-signed watermarks on all imaged devices."

Why This Is a Pattern, Not an Anomaly

Russia is not the only government documented using Cellebrite against journalists and activists after the company expressed concern about human rights.

Amnesty International's Security Lab published findings in December 2024 showing Serbian authorities used Cellebrite UFED to unlock a journalist's phone during a police interview, and in at least one case exploited a previously unknown Android vulnerability using Cellebrite tools to install NoviSpy spyware on an environmental activist's device. Citizen Lab also published findings showing Cellebrite tools were used against Kenyan activist and politician Boniface Mwangi while he was in custody. A separate Citizen Lab investigation documented Cellebrite use against Jordanian civil society members including political activists, a student organizer, and a human rights defender.

The throughline across Russia, Serbia, Jordan, and Kenya is the same. Cellebrite sells hardware to a government customer. The hardware is used against civil society. A rights organization documents the abuse. Cellebrite expresses concern. The hardware keeps working.

What This Means for Journalists and Activists at Risk

The practical takeaway from the Pivovarov case is that physical hardware, once sold, is outside a vendor's operational control in ways that software often is not. A news cycle in which Cellebrite announces it is cutting off a country may feel like a protective development. It is not. The FSB did not need a new Cellebrite license to break into Pivovarov's phone. It needed the hardware it already had, an iPhone in physical custody, and a USB cable.

Several operational principles follow from this case:

  • Physical separation matters. A device that is not in the room when authorities arrive cannot be seized. Practicing compartmentalization — carrying a minimal travel device with no sensitive accounts linked — limits the blast radius of any single seizure.
  • Device encryption is necessary but not sufficient. Modern iPhones are encrypted, but Cellebrite UFED is specifically designed to bypass that encryption for devices it supports. Encryption protects against opportunistic access; it does not protect against a well-funded government actor with dedicated forensic hardware and physical custody of your device.
  • Apple's Lockdown Mode, introduced in iOS 16, has a documented record of blocking known spyware attack chains and represents the most significant iPhone hardening measure available to high-risk users.
  • Threat modeling extends beyond the device in hand. The Citizen Lab report notes that individuals whose names were searched on Pivovarov's device were later targeted in phishing campaigns by COLDRIVER, the FSB-linked hacking group — meaning a single physical seizure can seed subsequent surveillance operations against an activist's entire contact network. Understanding how state actors conduct phishing campaigns against journalists is equally important.

The Pivovarov case, five years after the fact, is the most clearly documented proof of the gap between corporate policy and operational reality. The forensic record is on the device. The contract was terminated. Both things are true — and journalists operating in high-risk environments cannot afford to treat vendor announcements as technical enforcement actions.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.