The recent findings of the Citizen Lab bring an uncomfortable reality back to the fore: commercial forensic tools that promise to help solve crimes can become weapons against civil society. An independent forensic analysis determined with high confidence that Cellebrite's technology was used to extract data from the phone of Boniface Mwangi, a Kenyan activist and public figure who has announced his intention to stand for the presidency in 2027. The Citizen Lab report is available here: Citizen Lab - report on Mwangi.
The technical details the study reveals are disturbing in their practical simplicity: Mwangi's phone, a Samsung held by the police after his arrest in July 2025, showed evidence of a forensic extraction dated around 20 and 21 July. When the device was returned in September, it no longer required a password to unlock. This suggests not only one-off access to messages and files, but the possibility of a comprehensive copy of the activist's personal and professional information, from private communications to credentials and financial data.

The use of tools such as Cellebrite's is neither new nor isolated. In recent months, the Citizen Lab published another report documenting similar uses of the same technology by Jordanian authorities against human rights defenders and pro-Palestinian protesters; in those cases the phones were seized during arrests and returned after the extractions. The report is available here: Citizen Lab - report on Jordan, and OCCRP's journalistic investigation of the matter provides additional context: OCCRP - Jordan used Israeli tech.
In the face of these revelations, Cellebrite told the press that its tools should be used in accordance with due process and with the appropriate consent to support lawful investigations, according to statements reproduced by The Guardian. However, the accumulation of cases in which these technologies are associated with rights violations raises questions about the controls that manufacturers and states apply to their actual use, and about transparency in the sale and deployment of such capabilities.
In parallel, the technological threat landscape is growing in sophistication with the proliferation of commercial spyware designed explicitly for sustained surveillance. Amnesty International documented the case of Angolan journalist Teixeira Cândido, whose iPhone was compromised by the Predator spyware after he opened a malicious link received via WhatsApp in May 2024. Amnesty's research, which reconstructs the intrusion and the subsequent re-infection attempts, can be read here: Amnesty International - Predator in Angola.
Forensic reports indicate that Predator is not just a targeted Trojan: it is a modular platform that lets operators enable or disable capabilities based on the target's activity, and it incorporates mechanisms to hinder analysis and detection. A technical analysis published by Reverse Society offers an in-depth breakdown of these characteristics and of the anti-analysis techniques used by Predator: Reverse Society - Predator Analysis. The sophistication of these tools, which even refuse to operate in certain locations, makes them particularly dangerous when they fall into the hands of governments with a history of political persecution.
Jamf Threat Labs researchers have drawn attention to the telemetry systems and error codes that Predator uses to turn deployment failures into actionable information, helping operators refine their attacks. This work, which explains how operators gain visibility into failed attempts, is documented on Jamf's blog: Jamf - Predator and anti-analysis techniques. In other words, these platforms learn from their mistakes and adjust their tactics to ensure that future intrusions succeed.
The web that connects commercial forensic tool manufacturers to state buyers raises regulatory and ethical dilemmas. On the one hand, security forces argue that these technologies are useful for investigating serious crimes; on the other, documented cases show a pattern of use against journalists, activists and political opponents. International organizations and media outlets have been calling for greater transparency in the export and control of these technologies, as well as accountability mechanisms when their abuse is documented.
Beyond the public debate and regulatory demands, there are practical and human consequences: violating the privacy of activists and journalists can mean not only the exposure of conversations and support networks, but immediate physical and legal risks. When a phone is subjected to a complete extraction or an advanced intrusion, the exposure of its owner's contacts and collaborators also increases, multiplying the damage beyond the individual directly affected.

The combination of forensic tools and commercial spyware creates an ecosystem in which state actors with few scruples can obtain technical capabilities that, in responsible and regulated hands, would serve to pursue crime; in irresponsible hands, they serve to silence dissent. Research by the Citizen Lab and organizations such as Amnesty helps shed light on practices that would otherwise remain in the dark, and their reports provide evidence that should serve as a basis for public policy and legal proceedings.
Meanwhile, the technology community and digital rights defenders insist on the need for a multifaceted response: stricter controls on the sale of these tools, independent audits of their use by states, and legal frameworks that guarantee transparency and redress when abuse occurs. Policy makers, businesses and civil society face the challenge of balancing legitimate security needs with the protection of fundamental freedoms.
The stories of Mwangi and Teixeira Cândido are concrete examples of a global trend that demands attention. For those who want to go deeper into the technical details and forensic evidence, I recommend consulting directly the original documents mentioned in this article: the Citizen Lab reports, the Reverse Society analysis of Predator and the Amnesty International report. Only with rigorous information and citizen oversight will it be possible to limit abuses and protect those who exercise their right to free expression and to peaceful protest.