Cellebrite claimed it cut Russia off. Researchers say it still enabled iPhone hacking

Cellebrite said it was cutting Russia off. Researchers now claim Russian authorities used Cellebrite’s phone-unlocking tools anyway, to hack a political opponent’s iPhone.

The core of the allegation is simple and chilling: Russian actors reportedly leveraged a Cellebrite-made unlocking device to gain access to a specific target, the iPhone of a political opponent, according to the security researchers cited by TechCrunch. The finding matters because it implies the “we paused sales” message did not translate into “we blocked access.”

To understand why this lands like a credibility punch, you have to look at how phone-unlocking tools sit in the security and law-enforcement ecosystem. Devices like Cellebrite’s are designed to extract data from locked phones. That capability can be used for legitimate investigations, but it is also inherently powerful, because it collapses the barrier that normal device security tries to enforce. Once that power exists in the wild, the question becomes less about whether the vendor stopped shipping, and more about who already had the tools, how they were maintained, and what barriers actually prevent use.

Cellebrite’s reported decision to stop selling to Putin’s government, as described in the original reporting, was meant to change the equation for Russian access. But the researchers’ evidence suggests that the equation can keep working even when sales are supposedly halted. The “how” is what decision-makers will immediately worry about: whether prior purchases remained in active use, whether access can be obtained through channels other than direct sales, or whether the devices are being operated in ways the vendor cannot practically control after delivery. Even without more technical detail in the TechCrunch summary you provided, the implication is clear: stopping sales is not the same as stopping capability.

For executives, this turns a product and policy story into a governance story. The moment a company announces a restriction, regulators, customers, partners, and the public start treating that restriction like a control objective. Boards should think about what “cutting off” actually means operationally. Does it cover licensing, training, maintenance, updates, and spares? Does it include third-party deployments? And critically, how does the company verify that devices in the field are not being used for disallowed targets after the policy change?

This is where compliance, reputation, and risk management collide. A vendor can hold a formal position while still being tied to real-world outcomes. If researchers can connect an alleged hacking incident to tools made by a company that publicly said it would stop supplying Russia, that raises painful questions for legal teams and enterprise buyers alike. It also increases pressure on governments and regulators to demand more than announcements, and instead to require verifiable controls.

There is also a market second-order effect: customers who want to buy lawful-surveillance technology will be watching what happens to Cellebrite’s standing and what kinds of safeguards competitors will market next. In a space where the product is dual-use by nature, the differentiator becomes not just performance, but the story you can defend about preventing misuse. When one high-visibility case challenges that story, it tends to ripple across procurement processes, contracting language, and due diligence checklists for years.

Finally, the strategic stakes for peers are straightforward. Companies in this category cannot treat export restrictions and customer pauses as reputational insurance. They have to assume that sophisticated adversaries, governments, and threat actors may still benefit from tooling already present in the ecosystem. The executive lesson is not that “policies fail,” but that capability control requires continuous, enforceable steps. If you are running a product line that can unlock devices, the operational question for the board becomes: what exact mechanisms prevent your tools from being used in the ways you said you would stop enabling?