Russian authorities hacked into the phone of a prominent political opponent while he was in custody, using technology made by forensics firm Cellebrite — even after the company had said it cut ties with Putin’s government agencies, according to a new report that raises fresh questions about whether Western tech companies can truly control how their tools are used once they’re in the wild.

The case is a cautionary tale for any technology company that sells to governments. Cellebrite, an Israeli outfit with a second headquarters in Virginia that sells to governments all over the world — including in the U.S — had announced it would stop providing hardware and software to Russia. It apparently didn’t, or couldn’t, follow through.

Researchers at The Citizen Lab, digital rights group based at the University of Toronto, said they found evidence that a Russian government investigative unit used a phone hacking tool made by Cellebrite to break into the iPhone of local human rights dissident and opposition politician Andrey Pivovarov in June 2021. 

Three months before that hack, Cellebrite had announced that it would “immediately” stop selling its technology to its Russian government customers. On its official website, Cellebrite claims that as of March 2021, when it cut ties with Putin’s government, the company “can stop the device from functioning or receiving software updates.” 

It’s unclear why that didn’t happen in this case, and the episode exposes an uncomfortable truth about surveillance tech, which is that once powerful hacking and surveillance technologies reach the wrong customer, clawing them back isn’t so easy. The tools proliferate, get abused, and can keep getting abused, often long after the company that made them has washed its hands of the customer.

“It’s not surprising, and [it] is the result of the policies of Cellebrite,” said Eitay Mack, an Israeli human rights lawyer who has long campaigned against surveillance technology makers like Cellebrite and spyware maker NSO Group. 

Mack argued that ceasing sales, and even revoking a software license, doesn’t stop a former Cellebrite customer from abusing the company’s technology, as this case demonstrates. Mack also pointed out that Cellebrite refuses to say whether it asks customers to dismantle the hacking tools it sold to them, a critical gap that its own cut-ties announcements don’t address.

This case, Mack added, suggests that former customers can still abuse Cellebrite’s phone unlocking tool, dubbed UFED, even after the company stops supporting the customer and presumably revokes its software license. In theory, that should make the company’s devices less useful. 

John Scott-Railton, a senior researcher at the Citizen Lab, told TechCrunch that Cellebrite “should also remote-disable deployments following credible reports of abuse, and end the era of plausible deniability by implementing cryptographically-signed watermarks on all imaged devices.” In plain terms, Cellebrite should be able to remotely brick its own tools when they’re being misused, and it should build in a kind of digital fingerprint so that any data extracted with its technology can be traced back to which specific device was used.

Cellebrite sells hardware devices designed to unlock and hack into cellphones that are connected to them. Over the years, researchers have documented cases where company customers used its technology against dissidents, human rights activists, and journalists in Hong Kong, Kenya, and Jordan. In response to some of these findings, Cellebrite has cut ties with Bangladesh, China and Hong Kong, Myanmar, and Serbia.

In an email to the Citizen Lab, which he shared with TechCrunch, Cellebrite’s chief marketing officer David Gee said that the company “stopped all sales and services to the Russian Federation in March 2021, terminating existing licenses, and immediately began unwinding all legal contracts. Any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorized.”

Gee, as well as Cellebrite’s spokesperson Victor Cooper, did not respond to a series of specific questions sent by TechCrunch.

In the case of Pivovarov, the Citizen Lab researchers said they were able to find forensic evidence on his phone that it had been hacked with Cellebrite UFED, after Russian authorities detained him and confiscated his iPhone 12 and MacBook in May 2021. 

Pivovarov also shared with the researchers a court document he received as part of his prosecution. In it, the Russian government’s Criminalist Expert Center detailed its use of Cellebrite UFED to break into his phone, stating that the authorities used UFED to extract data including WhatsApp and Telegram messages. They also searched the phone for political terms, as well as the names of opposition figures, which included targets of what researchers have described as alleged Russian government hacking campaigns.   

Pivovarov was the director of the now defunct opposition group Open Russia. He was later sentenced to four years in prison, before being freed in August 2024 as part of a prisoner exchange between Russia and Western countries that also freed Wall Street Journal reporter Evan Gershkovich.

The Russian Embassy in Washington D.C. did not respond to a request for comment.