"The historic architecture of Cellebrite forensic systems means that much of the functionality in the UFED product has continued to operate long after updates cease," Citizen Lab said.
Citizen Lab’s technical analysis of the Pivovarov device
The University of Toronto’s Citizen Lab reviewed a phone belonging to Andrey Pivovarov and court documents he supplied, and concluded that Russian authorities used Cellebrite’s UFED product to extract data from the device. Citizen Lab reported evidence that the phone was accessed around June 2021 while it was in Russian government custody. Those findings come from forensic traces on the device and corroborating entries in the court paperwork Pivovarov provided to investigators.
Timeline: arrest, access, sentence, release
According to the record Citizen Lab examined, Andrey Pivovarov was arrested in March 2021. The lab says authorities appear to have accessed his phone in June 2021. Pivovarov was later sentenced in 2022 and released in 2024 as part of a prisoner exchange. Citizen Lab’s reconstruction links the June 2021 access to the period when the phone was under government control.
Cellebrite’s legacy UFED architecture and the limits of contract cancellations
Citizen Lab highlighted design features of Cellebrite’s UFED systems — in particular, legacy architecture and an offline mode — as key factors that allowed access to continue after the company canceled a contract with the Russian government. "Furthermore, Cellebrite systems have historically featured an offline mode. Consequently, the way Cellebrite’s technology was designed appeared to make it difficult for the company to meaningfully cut off problematic customers," the lab wrote.
Cellebrite responded to Citizen Lab’s findings through a statement to CyberScoop. Victor Cooper, a Cellebrite spokesperson, said, "Any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorized." Cooper added that hardware sold prior to March 2021 "would now be incompatible with modern devices and would operate without our technical support, our consent or any legal sanction from Cellebrite," and asserted that "rapid technology advances render legacy digital forensic hardware and software ineffective within a short period of time." He also said that "Russia remains permanently on our restricted-customer list." Citizen Lab’s report, by contrast, concludes that legacy functionality continued to operate long enough to be used in this case.
Connection to later targeting of Anastasiya Burakova and the FSB-linked campaign
Citizen Lab’s investigators said the information recovered from Pivovarov’s phone appears to have been used to surveil other opponents of the regime. The lab correlated the material in the court documents with a later campaign that targeted fellow dissident Anastasiya Burakova, a campaign Citizen Lab links to Russia’s Federal Security Service (FSB). According to the lab’s analysis, the forensic extraction of Pivovarov’s device is therefore tied to subsequent operations against other dissidents.
What this means for technologists, policymakers, and activists
- Technologists and security teams: Citizen Lab’s account highlights how product architecture — in this case, legacy UFED functionality and offline modes — can outlast contractual relationships. Teams responsible for device forensics and endpoint protection will note that decommissioned or unsupported hardware can remain operational in the hands of third parties.
- Policymakers and regulators: Cellebrite’s statement that cancellations went "beyond what was legally required" and the lab’s countervailing evidence that cancellations did not immediately block use suggest a gap between export or contract controls and technical reality; policymakers will want to reconcile legal measures with the practical persistence of legacy systems.
- Activists and defenders of civil society: The chain Citizen Lab describes — extraction from Pivovarov’s phone in mid-2021 followed by apparent surveillance of other opponents — underlines how data taken from one detainee can feed broader targeting operations. The report will sharpen concerns about the downstream effects of forensic extractions on networks of dissidents.
Cellebrite’s public remarks and Citizen Lab’s forensic findings stand in stark contrast: the company says legacy equipment in Russia after March 2021 was unauthorized and unsupported, while the lab shows evidence that such legacy functionality was nonetheless used in June 2021 to access a detained activist’s phone. Citizen Lab concluded that contract cancellation did not immediately prevent the tools from being used for political persecution. The Russian Embassy in Washington, D.C. did not immediately respond to a request for comment.




