Emerging Threats

Cellebrite Tool Used by Russia on Jailed Activist's iPhone Despite Sales Cutoff


"Any use of its legacy hardware in Russia after March 2021 is entirely unauthorized," Cellebrite told researchers — words that, on their face, do not square with a forensics trail inside a jailed activist's phone.

MobileLockdown records and the June 17, 2021 extraction

Citizen Lab published its finding on June 25 that traces on Andrey Pivovarov’s iPhone point to a Cellebrite UFED forensic read performed while the device was in Russian custody. MobileLockdown records — the log iPhones keep of trusted USB pairings — show a connection on June 17, 2021 to a host ID matching a Cellebrite fingerprint the researchers had previously identified in a Jordan case. Citizen Lab rated that match high-confidence: the phone itself recorded the pairing, and the pattern of evidence aligns with known Cellebrite artifacts.
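To make the artifact concrete, here is an added illustration (not Citizen Lab's code or method, and not Cellebrite's) of how an examiner could scan a phone's lockdown pair records for pairings that fall inside a custody window and compare the recorded host against a watchlist of previously attributed host IDs. `HostID` and `SystemBUID` are real keys in lockdownd pair-record plists; everything else is assumed or constructed: the watchlist entries are placeholders, the sample records and their timestamps are made up, and taking the pairing date from the record file's modification time is an assumption, since the plist itself carries no date.

```python
"""Flag USB pairing records created while a device was out of its owner's hands.

Added example; pair-record layout beyond HostID/SystemBUID is assumed.
"""
import plistlib
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed watchlist: placeholder host IDs standing in for fingerprints a
# team has attributed to specific extraction tools in earlier casework.
WATCHLIST = {
    "11111111-2222-3333-4444-555555555555": "placeholder-forensic-tool-A",
}

# Constructed: the host IDs of the owner's own trusted computers, so that
# pre-seizure pairings are not reported as suspicious.
OWNER_HOSTS = {"aaaaaaaa-0000-0000-0000-000000000000"}


@dataclass
class PairRecord:
    host_id: str
    system_buid: str
    paired_at: datetime  # assumption: taken from the record file's mtime


def parse_pair_record(raw: bytes, mtime: datetime) -> PairRecord:
    """Decode one pair-record plist. HostID and SystemBUID are standard keys;
    the timestamp is supplied by the caller from file metadata."""
    rec = plistlib.loads(raw)
    return PairRecord(
        host_id=rec["HostID"],
        system_buid=rec.get("SystemBUID", ""),
        paired_at=mtime,
    )


def flag_pairings(records, window_start, window_end,
                  watchlist=WATCHLIST, owner_hosts=OWNER_HOSTS):
    """Return (host_id, date, label) for each pairing inside the custody
    window that is not one of the owner's own hosts. A watchlisted host gets
    its attribution label; any other in-window host is still reported as
    unrecognized, because the pairing itself is the anomaly."""
    hits = []
    for r in sorted(records, key=lambda r: r.paired_at):
        if not (window_start <= r.paired_at <= window_end):
            continue
        if r.host_id in owner_hosts:
            continue
        label = watchlist.get(r.host_id, "unrecognized host (in custody window)")
        hits.append((r.host_id, r.paired_at.date().isoformat(), label))
    return hits


def _make_record(host_id: str, buid: str = "PLACEHOLDER-BUID") -> bytes:
    """Build a minimal pair-record plist (constructed sample data)."""
    return plistlib.dumps({"HostID": host_id, "SystemBUID": buid})


# Constructed sample: owner's laptop before seizure, an unknown host during
# custody, and a watchlisted host during custody. Dates are illustrative.
SAMPLE = [
    (_make_record("aaaaaaaa-0000-0000-0000-000000000000"), datetime(2021, 3, 2, tzinfo=UTC)),
    (_make_record("bbbbbbbb-0000-0000-0000-000000000000"), datetime(2021, 6, 3, tzinfo=UTC)),
    (_make_record("11111111-2222-3333-4444-555555555555"), datetime(2021, 6, 17, tzinfo=UTC)),
]


def analyze_sample():
    """Run the scan over the constructed sample with a custody window
    starting on the seizure date."""
    records = [parse_pair_record(raw, ts) for raw, ts in SAMPLE]
    return flag_pairings(
        records,
        window_start=datetime(2021, 5, 31, tzinfo=UTC),
        window_end=datetime(2023, 12, 31, tzinfo=UTC),
    )


if __name__ == "__main__":
    for host_id, day, label in analyze_sample():
        print(f"{day}  HostID={host_id}  {label}")
```

The design choice worth noting is that an in-window pairing to an unlisted host is reported too: a watchlist only confirms attribution, while the presence of any pairing during custody is what a device owner who never consented to a search would want surfaced.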

Forensic Expert Report No. 1269-17 and the data pulled

Pivovarov received a court-facing document called "Forensic Expert Report No. 1269-17," prepared for Russia's Investigative Committee by the Interior Ministry's forensic center, and he provided a copy to Citizen Lab. The report names specific products — Cellebrite's UFED Physical Analyzer and UFED 4PC — and documents extraction of content from WhatsApp, Telegram, and Viber.

The report also shows targeted searches run by investigators for "Open Russia Civic Movement" and for named opposition figures, including Mikhail Khodorkovsky, lawyer Anastasiya Burakova, and Pivovarov's partner Tatiana Usmanova. Citizen Lab notes this was not remote spyware; it was a forensic tool applied to a seized device used to build a political prosecution.

Devices, custody timeline, and what failed to yield

Pivovarov — who ran Open Russia, an organization the Kremlin labeled "undesirable" — was removed from a flight at St. Petersburg airport on May 31, 2021. His iPhone 12 and a MacBook were confiscated and remained in state custody until 2023. He never consented to a search and never surrendered his passwords.

The MVD report describes a failed extraction from the MacBook, blocked by encryption; Citizen Lab found matching failed login attempts on the same date, corroborating that investigators did not have the laptop password. The iPhone, however, bore the USB pairing trace and the extracted messaging data whose presence is recorded in the forensic report.

Pivovarov was sentenced in July 2022 to four years in prison and was freed in August 2024 in a prisoner exchange. He handed the phone to Citizen Lab in the fall of 2025, enabling the retrospective forensic analysis.

Cellebrite's March 2021 sales cutoff and the installed-base problem

Cellebrite announced in March 2021 that it would stop selling its tools and services to Russia and Belarus. The company told Citizen Lab and Access Now on June 22 that use of its legacy hardware in Russia after that date is "entirely unauthorized," that such hardware runs without its support or consent, and that today it would be incompatible with modern devices. Cellebrite also said Russia remains on its restricted-customer list and that the firm is shifting to subscription licenses that stop working when they expire.

But Citizen Lab underscores a practical gap: cutting future sales left an installed base of UFED devices inside police and intelligence offices. UFED hardware can continue to work offline long after vendor support ends, and in this case the tool still functioned on a seized phone in June 2021 — three months after the announced cutoff. The lesson Citizen Lab draws is narrow but sharp: a sales ban that ignores already-installed hardware may do little to halt operational use.

What this means for technologists, policymakers, and activists

  • Technologists and security teams: MobileLockdown logs proved decisive here. Citizen Lab’s findings reinforce that forensic artifacts on devices can outlive the moment of seizure and that device-side controls — strong alphanumeric passcodes, up-to-date OSes, and platform hardening modes — are the practical mitigations the report recommends.
  • Policymakers and regulators: The case illustrates a distinction the vendor emphasized — legal and contractual restrictions on sales versus the operational reality of installed hardware. Policymakers weighing export controls or sanctions may need to account for how long legacy tools remain usable in the field.
  • Activists and legal defenders: The report documents a clear sequence — extract social contacts from one detainee, and those names can become targets for subsequent operations. Citizen Lab notes overlap between names searched on Pivovarov’s phone and people later targeted by COLDRIVER, an FSB-linked phishing operation; lawyer Anastasiya Burakova was targeted but did not fall for the phish.

Practical advice and the narrow takeaway

Citizen Lab’s recommendations for those at risk of seizure are blunt and pragmatic: use a strong alphanumeric passcode; keep the operating system current; enable Lockdown Mode on iPhones or Advanced Protection on Android 16 and up; encrypt computer disks; power devices fully off before entering high-risk situations; and if a seized device is returned, change every account password and have the device examined before wiping it.

The sharper, strategic conclusion is narrower than broad pronouncements about vendor behavior: a sales cutoff that leaves capable hardware sitting in custody rooms is not much of a cutoff. In Pivovarov’s case, a vendor decision in March 2021 did not prevent a forensic read in June 2021; the matching MVD paperwork and phone-side traces together make that operationally plain.

Original reporting — The Hacker News