Russian Authorities Used Cellebrite Tools on Activist's iPhone Post-Sanctions, Citizen Lab Reports
Despite **Cellebrite**'s public commitment to cease sales to Russia and Belarus in March 2021, forensic evidence and official documents reveal that Russian authorities utilized the company's UFED tools to extract data from opposition activist **Andrey Pivovarov**'s iPhone 12 in June 2021. This finding, brought to light by the **Citizen Lab**, underscores the persistent challenge of controlling the use of digital forensic tools once they are in circulation.
A new report from the **Citizen Lab** has unveiled compelling evidence that Russian authorities employed **Cellebrite**'s **UFED** forensic tools to access the iPhone of detained opposition activist **Andrey Pivovarov** in June 2021. This occurred three months after **Cellebrite** announced it would halt sales and services to Russia and Belarus.
The investigation, published on June 25, is supported by two critical pieces of evidence: digital traces found on the device itself and an official Russian government report explicitly naming the forensic tool.
### The Case of Andrey Pivovarov
**Pivovarov**, who led **Open Russia**, an opposition group deemed "undesirable" by the Kremlin, was detained on May 31, 2021, at St. Petersburg airport. His iPhone 12 and MacBook were confiscated. Despite never consenting to a search or providing passwords, his devices remained in custody until 2023. He was subsequently sentenced to four years and eventually freed in a prisoner exchange in August 2024.
### Forensic Evidence Aligns
Upon receiving the phone from **Pivovarov** in the fall of 2025, **Citizen Lab** researchers discovered **MobileLockdown** records dating back to 2021 when the device was in Russian custody. These records showed a connection on June 17, 2021, to a host ID consistent with a **Cellebrite** fingerprint previously identified in a case in Jordan, providing high-confidence evidence of **UFED** use.
Further corroborating this, **Pivovarov** received a document titled "Forensic Expert Report No. 1269-17" during his prosecution. Prepared by the Interior Ministry's forensic center for Russia's Investigative Committee, the report explicitly names **Cellebrite**'s **UFED Physical Analyzer** and **UFED 4PC**. It details the extraction of data from **WhatsApp**, **Telegram**, and **Viber**, and highlights searches conducted for "Open Russia Civic Movement" and prominent opposition figures like **Mikhail Khodorkovsky**, **Anastasiya Burakova**, and **Tatiana Usmanova**.

### The MacBook's Resilience
Notably, **Pivovarov**'s MacBook remained secure. The Interior Ministry (MVD) report described a failed extraction attempt thwarted by encryption, consistent with failed login attempts observed by the **Citizen Lab** on the same date. This indicates authorities never gained access to his MacBook password.
### The Sanctions Loophole
**Cellebrite**'s announcement in March 2021 to cease sales to Russia and Belarus was intended to restrict access to their digital intelligence offerings. However, as the **Citizen Lab** points out, much of the **UFED** functionality continues to operate offline even after support ends. This means that existing hardware already in the possession of law enforcement and intelligence agencies could still be utilized, effectively creating a loophole in the sales cutoff.
When questioned on June 22, **Cellebrite** stated that any use of its legacy hardware in Russia after March 2021 is "entirely unauthorized." The company affirmed that Russia remains on its restricted-customer list and highlighted a shift towards subscription licenses that deactivate upon expiration. While legally significant, this distinction did not prevent the tools from being used in 2021.

### The Broader Implications
An intriguing overlap noted by the **Citizen Lab** is that individuals whose names were searched on **Pivovarov**'s phone later emerged as targets of **COLDRIVER**, an **FSB**-linked phishing operation. While no direct link is claimed, the mechanism is clear: extracting one activist's social graph can provide a ready target list for subsequent campaigns.
This incident adds Russia to a growing list of nations, including **Serbia**, **Kenya**, and Jordan, where **Cellebrite** tools have been implicated in human rights abuse cases. The core lesson here is that a sales cutoff, without a mechanism to disable existing, offline-capable tools, may not be an effective deterrent once a device is in custody.
### Recommendations for High-Risk Individuals
The **Citizen Lab** offers blunt advice for individuals at risk of device seizure, acknowledging that no measure is foolproof against sophisticated forensic tools:
* Utilize a strong alphanumeric passcode.
* Keep the operating system current with the latest updates.
* Enable **Lockdown Mode** on iPhones or **Advanced Protection** on Android 16 and above.
* Encrypt the disk on computers.
* Completely power off devices before entering high-risk situations.
* If a seized device is returned, change all account passwords and have the device professionally examined before wiping it.