Cellebrite UFED Extraction on Pivovarov iPhone June 2021 Matches Russian MVD Forensic Report Despite March Sales Cutoff

Russian Interior Ministry forensic examiners connected Pivovarov's seized iPhone 12 to UFED 4PC hardware on 17 June 2021, generating trusted-host records that Citizen Lab matched to a known Cellebrite fingerprint previously observed in Jordan. The same device yielded WhatsApp, Telegram and Viber artifacts; investigators then ran keyword searches against opposition entities including Open Russia and named individuals later targeted by COLDRIVER phishing. The MacBook extraction failed on encryption, consistent with the MVD report's own failed login attempts logged the same day.

The evidence trail consists of two independent layers: on-device MobileLockdown pairing data and the official Russian forensic document that explicitly names UFED Physical Analyzer and UFED 4PC. Cellebrite's March 2021 cutoff halted new licenses and updates but left existing hardware functional offline. The installed base therefore continued to operate without vendor support, exposing the core limitation of export-control measures that address only future sales rather than hardware already fielded.

This pattern reveals systemic gaps in surveillance supply-chain oversight. Cellebrite shifted to subscription licensing that expires on non-payment, yet legacy units remain in service across multiple jurisdictions. The same extraction that mapped Pivovarov's contacts supplied targeting data reused in subsequent FSB-linked operations, illustrating how one forensic access point seeds downstream campaigns.

Cellebrite stated that post-March 2021 use is unauthorized and that modern devices will be incompatible. Operational reality shows the tool still functioned in 2021 custody; subscription enforcement may reduce future access only after existing hardware is retired or physically seized.