When surveillance vendors cut off customers, the tools often keep working
Cellebrite builds the phone cracking tools that law enforcement agencies use to break into locked devices.
When Cellebrite announced in March 2021 that it was "immediately" halting sales of its phone-cracking tools to Russia and Belarus, the Israeli digital forensics vendor framed the move as a moral stand. The same product family was back in Russian hands three months later, used to break into the iPhone of an opposition politician already in Russian custody, according to a forensic investigation by Citizen Lab at the University of Toronto.
The victim was Andrey Pivovarov, a Russian opposition figure and head of the now-banned Open Russia movement. Citizen Lab's report found that a Russian government investigative unit ran a Cellebrite-built extraction tool against his device in June 2021, two days after he was detained at a St. Petersburg airport. The forensic evidence tied the breach to Cellebrite's UFED family of products rather than to any other phone-hacking vendor.
Cellebrite is a publicly traded Israeli company with a second U.S. headquarters in Virginia. It builds hardware and software that law enforcement and intelligence agencies use to extract data from locked mobile devices, including iPhones and Android phones. The company's U.S. customers include federal, state, and local law enforcement agencies, and its products are powerful because they sit at the boundary between legitimate criminal investigation and offensive surveillance. That same dual-use character is what made the March 2021 Russia cutoff such a public statement.
The Pivovarov case exposes the structural problem behind that kind of statement. A "we stopped selling" announcement only closes the front door of the distribution pipeline. It does not claw back devices already shipped, software licenses already issued, training already delivered, or distributor inventory already positioned in the target country. Cellebrite's March 2021 press release said the company "can stop the device from functioning or receiving software updates," but a software kill-switch only works for a vendor that still recognizes the deployed device. A device that was refurbished, resold on the gray market, or operated through an intermediary reseller may be logged under a customer the vendor no longer serves, or under a customer that never appeared in Cellebrite's books at all.
As TechCrunch's reporting frames the case, the Pivovarov hack is a cautionary tale for any Western surveillance vendor whose products travel through gray markets, refurbishment pipelines, and distributor networks. The contradiction is not that Cellebrite lied. It is that a sales announcement is not a recall, and the installed base of commercial phone-cracking tools persists long after the press release.
The harder question is what would actually work. License revocation tied to specific deployed devices, working kill-switches that survive a license transfer, third-party audits of in-field tooling, and export-control regimes that treat installed-base risk as part of the original export decision are all on the table. None of them are easy, and none of them are in place at scale. Until they are, every "we stopped selling" announcement from a surveillance vendor is a statement of corporate intent, not a guarantee that the targeted government has lost access to the tools.