Cellebrite promised to stop selling its phone-cracking tools to Russia, but that didn’t stop Putin’s government from using them anyway. Security researchers at Citizen Lab just uncovered evidence that Russian authorities deployed Cellebrite’s device to unlock and hack the iPhone of a political opponent, raising urgent questions about how surveillance tech reaches authoritarian regimes even after companies claim to cut them off. The discovery exposes a critical gap in tech export controls and puts a spotlight on corporate accountability when tools designed for law enforcement end up targeting dissidents.
Cellebrite finds itself in hot water after security researchers discovered its phone-unlocking technology being used exactly where the company said it wouldn’t be. According to a new report from Citizen Lab, Russian authorities successfully hacked into a political opponent’s iPhone using Cellebrite’s forensic tools, despite the Israeli company’s public commitment to stop doing business with Putin’s regime.
The discovery came during a routine security analysis of a compromised device belonging to an unnamed Russian political activist. Citizen Lab researchers found telltale signatures of Cellebrite’s extraction software, which is typically used by law enforcement to bypass iPhone security and pull data from locked devices. The timing is what makes this particularly damning – the hack occurred well after Cellebrite announced it would cease sales to Russia.
Cellebrite has built a lucrative business selling its Universal Forensic Extraction Device (UFED) and other tools to police departments and government agencies worldwide. The technology can crack even the latest Apple security measures, making it invaluable for legitimate criminal investigations but also a powerful weapon for surveillance states. The company went public in 2021 and has consistently marketed itself as a responsible player in the digital forensics space.
But the Russian case exposes how difficult it is to control where these tools end up once they’re out in the wild. Cellebrite didn’t respond to requests for comment about how its technology reached Russian authorities, and the company hasn’t explained whether this represents a violation of its own policies or merely the inevitable result of secondary market sales it can’t control.
The incident follows a pattern that’s become all too familiar in the surveillance tech industry. Companies announce ethical policies with fanfare, then struggle to enforce them as their products circulate through resellers, gray markets, and government-to-government transfers. Citizen Lab has documented similar cases with spyware from NSO Group and other vendors, where tools ostensibly sold for counterterrorism end up targeting journalists, activists, and political opponents.
What makes this case particularly troubling is the target. Political opponents in Russia face systematic persecution, and digital surveillance has become a key tool in that campaign. Being able to unlock someone’s iPhone gives authorities access to encrypted messages, contacts, locations, and the full digital life of a dissident. According to the Citizen Lab report, the compromised device contained evidence that Russian security services extracted extensive personal data.
The technical details matter too. Cellebrite’s tools work by exploiting vulnerabilities in iOS or using advanced techniques to bypass Apple’s security features. Apple constantly updates its defenses, but Cellebrite stays ahead through aggressive research and sometimes purchasing zero-day exploits. This cat-and-mouse game means the tools are extremely valuable and highly sought after by any government wanting to crack phones.
Export controls exist precisely to prevent this kind of technology transfer to authoritarian regimes, but enforcement remains spotty. The U.S. and European countries have rules about selling surveillance tech, yet the secondary market operates with minimal oversight. Once Cellebrite sells a device to, say, a police department in a friendly country, there’s little to stop that device from being resold or transferred elsewhere.
Industry observers say this incident will likely trigger renewed calls for stronger safeguards. Human rights groups have long argued that companies like Cellebrite need more than voluntary ethical policies – they need mandatory supply chain controls, regular audits, and consequences for violations. The challenge is balancing legitimate law enforcement needs against the risk of abuse.
Cellebrite has previously faced criticism over where its tools end up. Reports have linked the company’s technology to authoritarian governments in multiple countries, despite its stated commitment to human rights. The company typically responds that it can’t control what happens after a legitimate sale, but critics argue that’s exactly why the business model needs reform.
The Russian case also puts pressure on Apple, which positions iPhone security as a key selling point but remains locked in an endless battle against companies like Cellebrite. Every time Apple patches a vulnerability, forensic tool makers find new ones. The company has sued spyware vendors before but faces an uphill battle against an entire industry dedicated to breaking its encryption.
This isn’t just about one company’s failure to enforce its own policies – it’s about an entire ecosystem that lets powerful surveillance tools flow to the world’s most repressive governments. The Cellebrite-Russia case shows that voluntary corporate ethics policies aren’t enough when the technology itself is this dangerous. As long as there’s a market for phone-cracking tools and minimal enforcement of export controls, we’ll keep seeing these devices used against the exact people they shouldn’t be. The question now is whether this latest revelation finally pushes regulators and companies toward meaningful reforms, or whether it becomes just another data point in an ongoing pattern of abuse.










