Researchers Find Russian Authorities Used Cellebrite Tools After Company Halted Sales

A forensic investigation indicates Russian authorities used legacy Cellebrite software to unlock an opposition activist's iPhone months after the company ended sales to Russia, highlighting the long-term risks posed by offline forensic tools.

CSBadmin

A new investigation by Citizen Lab has found evidence that Russian authorities used Cellebrite’s digital forensic tools to extract data from the iPhone of jailed opposition activist Andrey Pivovarov in June 2021—roughly three months after the company announced it would halt sales and support for customers in Russia and Belarus. The findings suggest that previously deployed forensic hardware remained operational despite the sales cutoff.

Researchers based their conclusions on forensic artifacts recovered directly from Pivovarov’s iPhone, including trusted USB pairing records linked to a known Cellebrite device fingerprint, as well as official Russian investigative documents that explicitly referenced Cellebrite’s UFED Physical Analyzer and UFED 4PC software. According to the report, investigators extracted data from messaging applications such as WhatsApp, Telegram, and Viber while searching for information related to opposition organizations and political figures.
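The pairing records mentioned above are ordinary iOS artifacts: every computer a device has been told to "Trust" leaves a plist under the device's lockdown directory (assumed here to be /private/var/root/Library/Lockdown/pair_records/, which a full file system extraction includes) that carries the host's HostID, SystemBUID, HostName and pairing certificate. The script below is an added example, not Citizen Lab's tooling, showing how an analyst would triage those records against an indicator list; the IOC values, the host names and the certificate bytes are constructed placeholders, not the real Cellebrite fingerprint, which the article does not disclose.

```python
"""Triage iOS lockdown pairing records against known forensic-host indicators.

Added example for illustration; the indicator values and sample records are
constructed and do not reproduce any real device fingerprint.
"""
import hashlib
import plistlib
from pathlib import Path

# Constructed placeholder standing in for a host's pairing certificate.
CONSTRUCTED_HOST_CERT = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBconstructedPlaceholderNotARealCertificate==\n"
    b"-----END CERTIFICATE-----\n"
)

# Hypothetical indicator set an analyst might maintain for a known extraction
# host.  A pair record identifies the host by HostID and SystemBUID and pins
# its certificate, so all three are usable indicators.
KNOWN_HOST_IOCS = {
    "host_id": {"11111111-2222-3333-4444-555555555555"},
    "system_buid": {"AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"},
    "host_cert_sha256": {hashlib.sha256(CONSTRUCTED_HOST_CERT).hexdigest()},
}


def summarize_pair_record(data: bytes) -> dict:
    """Parse one pair_records/<HostID>.plist and pull out the host identity."""
    rec = plistlib.loads(data)
    cert = rec.get("HostCertificate", b"")
    return {
        "host_name": rec.get("HostName", ""),
        "host_id": rec.get("HostID", ""),
        "system_buid": rec.get("SystemBUID", ""),
        "wifi_mac": rec.get("WiFiMACAddress", ""),
        # Hash the stored certificate bytes as-is (PEM on real devices).
        "host_cert_sha256": hashlib.sha256(cert).hexdigest() if cert else "",
    }


def match_iocs(summary: dict, iocs: dict = KNOWN_HOST_IOCS) -> list:
    """Return the indicator fields that matched, e.g. ['host_id']."""
    return [field for field, values in iocs.items() if summary.get(field) in values]


def triage_dir(path, iocs: dict = KNOWN_HOST_IOCS) -> list:
    """Walk an extracted pair_records directory and report matching hosts."""
    hits = []
    for plist_path in sorted(Path(path).glob("*.plist")):
        summary = summarize_pair_record(plist_path.read_bytes())
        matched = match_iocs(summary, iocs)
        if matched:
            hits.append((plist_path.name, summary["host_name"], matched))
    return hits


def constructed_pair_record(host_id: str, host_name: str,
                            system_buid: str, cert: bytes) -> bytes:
    """Build a sample record with the key layout of a real pair record (constructed)."""
    return plistlib.dumps({
        "HostID": host_id,
        "HostName": host_name,
        "SystemBUID": system_buid,
        "HostCertificate": cert,
        "DeviceCertificate": b"placeholder",
        "RootCertificate": b"placeholder",
        "WiFiMACAddress": "aa:bb:cc:dd:ee:ff",
        "EscrowBag": b"placeholder",
    })


if __name__ == "__main__":
    suspect = constructed_pair_record(
        "11111111-2222-3333-4444-555555555555", "EXTRACTION-PC",
        "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE", CONSTRUCTED_HOST_CERT)
    benign = constructed_pair_record(
        "99999999-8888-7777-6666-555555555555", "users-macbook",
        "FFFFFFFF-0000-1111-2222-333333333333",
        b"-----BEGIN CERTIFICATE-----\nsomeOtherHost\n-----END CERTIFICATE-----\n")
    for label, record in (("suspect", suspect), ("benign", benign)):
        summary = summarize_pair_record(record)
        print(label, summary["host_name"], match_iocs(summary) or "no match")
```

A match on HostID or SystemBUID alone is weaker than a certificate match, since both are plain strings a host could set freely; the pinned HostCertificate is what ties the record to a specific pairing identity, which is why the example hashes it rather than only reading the names.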

While authorities successfully accessed data stored on the activist’s iPhone, the accompanying MacBook resisted forensic extraction thanks to full-disk encryption. Citizen Lab found evidence of unsuccessful login attempts that aligned with official reports indicating investigators were unable to bypass the computer’s security protections without the user’s password.

The report underscores a broader challenge surrounding commercial digital forensic tools. Although Cellebrite ceased new sales to Russia in early 2021, existing offline-capable systems reportedly continued functioning without vendor support, allowing authorities to keep using previously purchased equipment. In response, Cellebrite stated that any post-cutoff use of its legacy products in Russia was unauthorized and noted that it has since shifted toward subscription-based licensing models designed to prevent indefinite offline operation.

Researchers say the case illustrates how legacy forensic technology can remain effective long after commercial restrictions are imposed, raising questions about export controls, lifecycle management, and the continued availability of advanced digital investigation tools in sanctioned jurisdictions.

The latest in cybersecurity news and updates.

SOURCES: The Hacker News