Cellebrite cuts off Serbia over alleged phone-hacking abuse

Citizen Lab links similar Cellebrite tooling to Kenya and Jordan; surveillance vendors sell ethics while monetizing state custody

Lorenzo Franceschi-Bicchierai, techcrunch.com

Israeli mobile forensics vendor Cellebrite says it cut off Serbian police after allegations that authorities used its phone-unlocking tools to hack a journalist and an activist and then plant spyware. The move, first announced last year and explicitly tied to an Amnesty International technical report, has been held up as proof that the surveillance industry can police itself—at least when the PR upside is large enough.

But a new TechCrunch review of recent cases suggests the “ethics” story is selective. This week, University of Toronto’s Citizen Lab reported that Kenyan authorities likely used Cellebrite-linked tooling to unlock the phone of activist and politician Boniface Mwangi while he was in police custody. Citizen Lab says it found traces of a specific application associated with Cellebrite on the device, and that the signal is “high confidence” because the app was previously seen on VirusTotal and was signed with digital certificates owned by Cellebrite. Citizen Lab made similar claims in January about Jordan, alleging that activists’ phones were accessed using Cellebrite-related tooling.

Cellebrite’s response has shifted from public contrition to procedural fog. In the Serbia case, the company cited the external evidence and suspended the customer—an unusually public sanction in a market where “lawful access” vendors typically avoid naming clients. In the Kenya and Jordan cases, however, Cellebrite declined to commit to investigating and largely disputed the evidentiary standard. A spokesperson told TechCrunch that “high confidence is not direct evidence” and called the Serbia and Kenya situations “incomparable,” while also saying the firm does not respond to “speculation.” According to Citizen Lab’s John Scott-Railton, the researchers contacted Cellebrite ahead of publication in both cases; in Kenya, the company acknowledged receipt but offered no substantive comment.

The awkward part is that Cellebrite’s business model is not a misunderstanding: it sells intrusion capability to states. The company claims more than 7,000 law-enforcement customers worldwide, which is another way of saying it monetizes the fact that governments can seize phones, compel access, or simply do what they want in custody. The same tools marketed for “lawful investigations” also enable rapid extraction of private data at scale—contacts, messages, location histories—often without meaningful adversarial process. Whether that extraction is “abuse” tends to be determined after the fact, by NGOs and forensic researchers, not by procurement checklists.

Cellebrite has previously cut off customers in Bangladesh and Myanmar, and stopped selling to Russia and Belarus in 2021; it also said it halted sales to Hong Kong and China following US export restrictions, TechCrunch notes. Those decisions look less like a moral awakening than a compliance-and-reputation calculus: embargo the politically radioactive clients, deny the rest, and keep the sales pipeline intact.

If Cellebrite wants to claim it enforces human-rights conditions, Citizen Lab argues it should publish the criteria used to approve sales and disclose how often licenses are revoked. Until then, “rigorous vetting” remains what it has always been in this industry: a slogan that travels well in press releases and poorly in police stations.