Andrey Pivovarov was removed from a flight at St. Petersburg airport on May 31, 2021, and detained by the Russian security services. He never provided his passwords. He never consented to a device search. None of that mattered.


According to a detailed forensic investigation by the Citizen Lab, Russian authorities used Cellebrite’s UFED (Universal Forensic Extraction Device) to break into his iPhone 12 on or around June 17, 2021, while the device was in official custody and Pivovarov was awaiting trial on politically motivated charges. The company had publicly cancelled its Russian contracts three months earlier.

In brief

  • The Citizen Lab forensically confirmed that Cellebrite’s UFED was used to extract data from Pivovarov’s iPhone 12 on June 17, 2021, during official custody.
  • Russia’s own MVD forensic report explicitly names Cellebrite’s UFED Physical Analyzer and UFED 4PC as the tools used in the extraction.
  • Russian authorities searched the device for political contacts including Mikhail Khodorkovsky and human rights lawyer Anastasiya Burakova, suggesting the extraction may have seeded further targeting campaigns.
  • Cellebrite cancelled its Russian contracts in March 2021, but the hardware continued to operate in offline mode, effectively nullifying the cancellation.
  • Pivovarov’s MacBook, protected by full-disk encryption, was not successfully accessed — a concrete demonstration of why encryption matters.
  • Cellebrite’s pattern across multiple countries remains reactive: it cancels contracts only after third-party exposure, and its technical architecture has historically made those cancellations easy to circumvent.

Who is Andrey Pivovarov

Pivovarov served as director of Open Russia, a non-profit organization the Russian government designated as “undesirable” in 2017, a classification the European Court of Human Rights later found incompatible with the European Convention on Human Rights. Sensing the escalating legal risk, Pivovarov dissolved the Russian branch of Open Russia on May 27, 2021. Four days later, he was arrested.

In July 2022, he was sentenced to four years in prison for “carrying out the activities of an undesirable organization” — charges that are, by any reasonable reading of international human rights law, politically motivated. He was released in August 2024 as part of a prisoner exchange. After his release, he made contact with Citizen Lab researchers at the World Liberty Congress in Berlin, and agreed to have his devices forensically examined. What they found was not a surprise, exactly, but it was documented for the first time with forensic precision.

The forensic evidence

The Citizen Lab’s analysis focused on MobileLockdown records from Pivovarov’s iPhone, specifically USB connection logs that include a Host ID, a unique identifier assigned to a Cellebrite device. The Host ID found on Pivovarov’s phone (9016926980658937761372207) was one the Citizen Lab had previously attributed to Cellebrite’s forensic hardware.

That alone would be strong evidence. But what makes this case unusual is the corroboration from an unexpected source: the Russian authorities themselves. The MVD Forensic Expert Report No. 1269-17, produced by Russia’s Forensic Expert Center of the Ministry of the Interior and provided to Pivovarov during his prosecution, explicitly confirms the use of Cellebrite’s UFED Physical Analyzer and UFED 4PC toolkit. The investigators documented extracting data from WhatsApp, Telegram, and Viber, and then searching the device contents for political terms: “Open Russia Civic Movement,” the name of opposition figure Mikhail Khodorkovsky, human rights lawyer Anastasiya Burakova, and Open Russia coordinator Tatiana Usmanova.
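The Host ID attribution described above is, at its core, a timeline triage: pairing events are matched against identifiers previously attributed to forensic hardware and against the period the device was out of its owner's hands. The following is an added example (not Citizen Lab's tooling, and not the real MobileLockdown log format) that runs that triage over constructed sample records; the custody window, the owner's Host ID and the record layout are assumptions, while the flagged Host ID is the one quoted in this article. It also flags near-epoch timestamps, the kind of clock-reset artifact discussed for the MacBook below.

```python
"""Triage constructed USB-pairing records against a custody window and a
list of Host IDs attributed to forensic hardware (added example, not real
device output or vendor tooling)."""
from datetime import datetime, timedelta, timezone

# Host ID the Citizen Lab attributed to Cellebrite hardware (quoted in the article).
KNOWN_FORENSIC_HOST_IDS = {"9016926980658937761372207"}

# Constructed records: (ISO-8601 timestamp, host_id, event). Layout is assumed.
SAMPLE_RECORDS = [
    ("2021-05-30T08:12:00+00:00", "OWNER-MAC-HOSTID", "pair_ok"),       # owner's own Mac
    ("2021-06-17T10:41:00+00:00", "9016926980658937761372207", "pair_ok"),
    ("1970-01-01T00:00:07+00:00", "UNKNOWN-HOST", "pair_ok"),          # clock reset
]

# Assumed custody window: arrest on 31 May 2021 to release in August 2024.
CUSTODY_WINDOW = (
    datetime(2021, 5, 31, tzinfo=timezone.utc),
    datetime(2024, 8, 31, tzinfo=timezone.utc),
)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def is_epoch_reset(ts: datetime, tolerance: timedelta = timedelta(days=1)) -> bool:
    """A timestamp within a day of 1970-01-01 means the clock was reset
    (e.g. after a drained battery), so it cannot date the event."""
    return ts - EPOCH < tolerance


def triage(records, custody_window, known_ids):
    """Return one finding per record that deserves analyst attention."""
    start, end = custody_window
    findings = []
    for raw_ts, host_id, event in records:
        ts = datetime.fromisoformat(raw_ts)
        flags = []
        if host_id in known_ids:
            flags.append("known_forensic_host")
        if is_epoch_reset(ts):
            flags.append("unreliable_clock")   # do not trust this timestamp
        elif start <= ts <= end:
            flags.append("during_custody")     # owner could not have consented
        if flags:
            findings.append({"timestamp": raw_ts, "host_id": host_id,
                             "event": event, "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS, CUSTODY_WINDOW, KNOWN_FORENSIC_HOST_IDS):
        print(finding)
```

A record flagged `unreliable_clock` should be re-dated from other evidence (for example the order of surrounding entries) rather than taken at face value.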

This is a useful reminder of how forensic tools actually get used in repressive contexts: to map political networks rather than to investigate crimes. As I’ve discussed before in the context of Android pattern-of-life forensics, the real power of device extraction lies in the reconstruction of relationships, habits, and associations, not in any single message or photo. In the hands of a state prosecutor pursuing political dissidents, that capability is a tool of repression rather than a law enforcement tool.

The MacBook that held

There is, in this story, one piece of genuinely good news. When Russian authorities seized Pivovarov’s Apple MacBook along with his iPhone, they could not get in. The MVD report itself documents the failure: the MacBook’s full-disk encryption made it impossible to extract the file system. The document includes screenshots of the login screen and macOS recovery functionality, the digital equivalent of a photo of someone staring at a locked door.

The forensic analysis found what appear to be failed login attempts on June 17, 2021. There was one apparent “successful” login in the records, but the Citizen Lab assessed this was actually a backdated timestamp: the MacBook’s battery had drained during its years in official custody, causing the system clock to reset to 1970-01-01 on first boot. When the device was eventually reconnected to Wi-Fi after being returned to Pivovarov in 2024, the clock corrected itself, jumping forward more than three years. The “successful” login of June 17, 2021 was in fact a login in November 2024. The Russian authorities got nothing from that machine.

The contrast with the iPhone outcome is instructive, and it connects to a topic I covered in some detail when examining iOS Lockdown Mode and its forensic implications: the security posture of a device at the moment of seizure determines what an investigator, or an adversary with forensic tools, can actually recover. Full-disk encryption on the MacBook worked. The iPhone’s protections, apparently, did not hold against Cellebrite’s extraction capabilities in 2021.

Cellebrite’s architecture of selective accountability

Cellebrite cancelled its Russian and Belarusian contracts in March 2021, following a legal petition filed the previous year by Israeli lawyer Eitay Mack alleging that Russia’s Investigative Committee, the same body responsible for prosecuting Alexei Navalny, Pussy Riot, and others, had used the company’s tools for political repression.

The problem is structural. Cellebrite’s UFED systems have historically featured an offline mode, meaning they continue to function without phoning home for license validation. The Citizen Lab notes that the “historic architecture” of Cellebrite’s systems means that core functionality persists long after updates and support cease. In practice, a contract cancellation with a customer like the Russian Investigative Committee is less a hard cutoff than a gradual degradation. The hardware keeps working. It just stops receiving updates for new device compatibility.

This is not the first time this pattern has been documented. The Citizen Lab has forensically confirmed Cellebrite abuses in Serbia, Jordan, Kenya, and now Russia. In each case, Cellebrite’s response has been reactive: contracts cancelled after third-party exposure, with limited transparency about how the company evaluates customers or investigates reported abuses.

There is also a broader concern worth flagging. The MVD report shows Russian authorities using Cellebrite to search for Anastasiya Burakova, a human rights lawyer. In 2024, the Citizen Lab documented a global hacking campaign by COLDRIVER, a group linked to the Russian FSB, that targeted Burakova and other individuals in Pivovarov’s social network. The Citizen Lab notes the correlation: data extracted from Pivovarov’s phone under the color of legal prosecution may have contributed to identifying targets for subsequent FSB surveillance operations abroad.

Cellebrite markets its AI-enhanced analysis tools as capable of developing exactly the kind of pattern-of-life and social graph mapping that would be useful to a state looking to dismantle opposition networks. The increasing integration of AI into forensic platforms, something I’ve written about in the context of both mobile forensics and Apple Watch acquisition, raises the stakes considerably. LLMs can also introduce errors, creating false positives in pattern matching that could implicate innocent parties. In a system where the legal process itself is weaponized, those false positives have real consequences.

What you can actually do

The Citizen Lab’s recommendations are practical and worth reiterating, because they translate directly into personal security hygiene regardless of whether you face state-level adversaries.

  • Keep your device’s operating system up to date. Cellebrite’s extraction capabilities depend in part on known vulnerabilities in older OS versions.
  • Use a strong, preferably alphanumeric passcode. PIN codes are significantly more susceptible to brute force.
  • Enable Lockdown Mode on iPhone if you are at elevated risk. As I explored in detail in my analysis of iOS Lockdown Mode, it substantially reduces the attack surface available to forensic extraction tools.
  • Enable Full Disk Encryption on computers. Pivovarov’s MacBook is proof that this works, even against a state adversary with physical access and time.
  • Enable Advanced Data Protection on iCloud (or Android’s equivalent). Data in transit and at rest should be encrypted with keys the provider cannot hand over.
  • Power off your device completely before any situation where seizure is possible. A device at rest, never unlocked since last boot, is significantly harder to extract data from than one that has been recently unlocked.
  • Use a password manager and ensure every account has a unique credential. If a device is extracted, changing passwords for accounts that were accessible from that device should be your first step.

If your device is returned to you after seizure, do not factory reset it before having it examined by a qualified forensic professional. The forensic traces that allowed the Citizen Lab to identify Cellebrite’s involvement in Pivovarov’s case came from the device itself. Deleting that evidence before analysis eliminates any possibility of understanding or documenting what was done.

The Pivovarov case is a clean, forensically solid example of something that happens far more broadly and with far less documentation. Forensic tools sold to law enforcement do not check, at the moment of use, whether the criminal prosecution they are supporting is politically motivated or compatible with international human rights law. That responsibility falls entirely on the vendor — and Cellebrite’s track record suggests it would rather cancel contracts when the press coverage becomes uncomfortable than prevent the abuse in the first place.

FAQ

How did Russian authorities access Andrey Pivovarov’s iPhone?

Forensic analysis by the Citizen Lab found traces of Cellebrite’s UFED on Pivovarov’s iPhone 12, confirmed by an official Russian MVD forensic report that explicitly named Cellebrite’s UFED Physical Analyzer and UFED 4PC toolkit as the instruments used in the extraction.

Did Cellebrite authorize the use of its tools in Russia after 2021?

No. Cellebrite cancelled its contracts with Russian and Belarusian customers in March 2021. However, the hardware continued to function in offline mode, and the Citizen Lab’s investigation confirms Russian authorities continued leveraging it for political prosecutions after the cancellation.

What practical steps can activists take to protect their devices from forensic extraction?

Key measures include keeping device software up to date, using a strong alphanumeric passcode, enabling Lockdown Mode on iPhone, enabling Full Disk Encryption on computers, and powering devices off completely before any situation involving risk of seizure.