How could organizations counter similar digital forensic abuse?

Stronger policy controls, clear vendor compliance requirements, and robust data-at-rest and secure device practices can limit the impact of unauthorized forensic data extraction.

Was Cellebrite’s technology acting as spyware in this case?

No, Cellebrite’s products were used to extract data from seized devices rather than ongoing surveillance; however, the nonconsensual use still raises major ethical and legal issues.

Jordan Government’s Use of Cellebrite Forensics Tools Targets Activists in 2024

Q: What compliance or legal gaps did this breach expose?

The breach revealed insufficient oversight on the use of digital forensic tools by governments, raising concerns over violations of international human rights treaties and inadequate vendor accountability.

A Citizen Lab and OCCRP investigation reveals how Jordanian authorities leveraged Cellebrite's phone-cracking technology to access and extract data from activists’ devices, sparking urgent compliance and human rights debates.

Published: January 23, 2026

Share this on:

Executive Summary

Between late 2023 and mid-2024, Jordanian authorities used Cellebrite’s digital forensic technology to access and extract data from the mobile phones of local activists and human rights defenders. According to an investigation by Citizen Lab and OCCRP, authorities seized activists’ devices—three iPhones and one Android—and subjected them to Cellebrite’s phone-cracking tools, often in connection with political protests. Court records and forensic analysis confirmed the use of Cellebrite products to nonconsensually access information, shaking victims’ trust and prompting self-censorship.

This incident underscores the growing risks of commercial digital forensics tools being repurposed for surveillance beyond criminal cases. Amnesty International and other watchdogs report a broader trend of such technologies being leveraged against civil society, signaling a need for stronger governance, vendor accountability, and compliance oversight globally.

Why This Matters Now

This incident highlights urgent concerns about the abuse of law enforcement and forensics technologies in suppressing dissent, especially as global protests and digital activism intensify. As more governments deploy commercial phone-cracking tools, risks to privacy, civil liberties, and compliance with international norms are rising, requiring immediate scrutiny and action.

Attack Path Analysis

The attack began when Jordanian authorities physically seized activists’ devices, gaining initial physical access. After device seizure, Cellebrite phone-cracking technology was used to bypass security controls or exploit device vulnerabilities, escalating privileges to access otherwise protected information. Once device data was accessible, authorities moved laterally within the device storage to gather comprehensive data sets across applications and user files. There was no evidence of traditional remote command and control, as operations were performed locally post-seizure. Sensitive data from phones was then exfiltrated using Cellebrite's forensic extraction tools, transferring private information to government-controlled repositories. The impact stage consisted of activists' personal and confidential data being used for investigation, prosecution, or broader intimidation, eroding trust and personal security within civil society.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Medium

Command & Control

High

Exfiltration

High

Impact

High

Initial Compromise

Description

Physical seizure of mobile devices by authorities, granting full hands-on access for subsequent exploitation.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2024-53104
CVSS 7.8
An out-of-bounds write vulnerability in the USB Video Class (UVC) driver allows local attackers to execute arbitrary code or cause a denial of service.
Affected Products:
Linux Kernel – < 5.10.0
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-53104 https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/
CVE-2024-53197
CVSS 7.1
A flaw in the ALSA USB audio driver allows local attackers to cause memory corruption, potentially leading to privilege escalation.
Affected Products:
Linux Kernel – < 5.10.0
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-53197 https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/
CVE-2024-50302
CVSS 5.5
A vulnerability in the USB HID device driver allows local attackers to leak kernel memory, potentially leading to information disclosure.
Affected Products:
Linux Kernel – < 5.10.0
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-50302 https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/

MITRE ATT&CK® Techniques

ATT&CK techniques mapped for digital forensics abuse via Cellebrite technology based on current incident context. For advanced analysis, further STIX/TAXII enrichment may be applied.

Credential Access

T1110.002

Password Cracking

Collection

T1005

Data from Local System

Collection

T1056.001

Input Capture: Keylogging

Credential Access

T1552.001

Unsecured Credentials: Credentials in Files

Credential Access

T1539

Steal Web Session Cookie

Collection

T1025

Data from Removable Media

Credential Access

T1003.002

OS Credential Dumping: Security Account Manager

Exfiltration

T1567.001

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

NIS2 Directive – Access Control and Asset Management

Control ID: Article 21(2)(d)

Nonconsensual extraction of personal and sensitive data from activists’ devices demonstrates a failure to ensure proper access control and asset management as mandated for operators of essential services and digital service providers in the EU.

PCI DSS 4.0 – Limit Access to System Components and Cardholder Data

Control ID: 8.2.1

Unauthorized access and extraction of private device data exposes weaknesses in both technical and procedural access controls, even if cardholder data is not involved directly but broader privacy or personal data is at stake.

CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Identity, Device, and Access Validation

Control ID: Identity Pillar / Device Pillar

The incident illustrates insufficient controls around device access and authentication, contrary to ZTMM’s requirements for explicit and ongoing validation of all principals and endpoints.

NYDFS 23 NYCRR 500 – Access Privileges

Control ID: Section 500.7

The seizure and forensic exploitation of mobile devices without transparent legal oversight displays a breakdown in the enforcement and regular review of access privileges as required by NYDFS.

DORA (EU Digital Operational Resilience Act) – ICT Risk Management – User Access Management

Control ID: Article 9(2)

Forensic extraction of data by external or unauthorized entities points to ineffective management of user access to ICT systems and data, contravening the access management duties under DORA.

ISO/IEC 27001:2022 – Access to Networks and Network Services

Control ID: A.9.1.2

Unauthorized extraction of data from mobile devices indicates noncompliance with ISO/IEC 27001 access policy requirements, specifically regarding control and monitoring of access to information assets.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Government Administration

Direct exposure to digital forensics abuse as Jordanian authorities used Cellebrite technology against activists, violating human rights compliance standards.

Law Enforcement

Cellebrite phone-cracking technology misuse demonstrates risks of forensic tool abuse, requiring enhanced oversight and zero trust segmentation protocols.

Non-Profit/Volunteering

Human rights defenders and activists targeted through device seizure and forensic extraction, highlighting need for encrypted communications and egress security.

Civic/Social Organization

Political activists subjected to unauthorized device forensics during Palestinian protests, demonstrating vulnerability to state surveillance and data exfiltration threats.

Sources

Researchers find Jordan government used Cellebrite phone-cracking tech against activistshttps://cyberscoop.com/researchers-find-jordan-government-used-cellebrite-phone-cracking-tech-against-activists/
Verified

Cellebrite zero-day exploit used to target phone of Serbian student activisthttps://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/

Verified

Google addresses 2 actively exploited vulnerabilities in security updatehttps://cyberscoop.com/android-security-update-april-2025/

Verified

Frequently Asked Questions

The breach revealed insufficient oversight on the use of digital forensic tools by governments, raising concerns over violations of international human rights treaties and inadequate vendor accountability.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Zero Trust segmentation, strong egress controls, and traffic encryption would have raised the cost of data extraction by limiting internal access scope, enforcing policy on exfiltration, and ensuring data confidentiality even if device or workload storage was compromised. CNSF-aligned controls provide technical measures that reduce broad access and movement during forensic extraction and help detect anomalous inbound or outbound large data transfers.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: Minimizes risk by ensuring device and cloud access require dynamic policy checks beyond physical possession.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Restricts scope of breach by segmenting access based on identity and context, limiting privilege inheritance post-compromise.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Prevents broad data harvesting across cloud workloads by limiting authorized internal flows.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Detects and flags unexpected device or account behaviors within cloud services.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Blocks unauthorized outbound data transfers and enforces exfiltration controls.

Impact (Mitigations)

Reduces utility of exfiltrated data by keeping content encrypted and unreadable outside trusted environments.

Impact at a Glance

Affected Business Functions

Legal Compliance
Public Relations
Human Rights Advocacy

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Unauthorized access to activists' personal data, including photos, videos, chats, files, saved passwords, location history, Wi-Fi history, phone usage records, web history, and social media accounts.

Recommended Actions

• Enforce device- and workload-level encryption to ensure data remains protected even if storage is compromised or physically seized.
• Implement zero trust segmentation and least privilege access to minimize information exposure across cloud and endpoint environments.
• Apply granular egress controls to block unauthorized data transfers from both cloud workloads and end-user devices.
• Centralize visibility and analytics across multi-cloud and hybrid infrastructure to detect signs of large-scale extraction or anomalous access.
• Regularly review and test incident response, focusing on readiness for physical device compromise and forensic extraction scenarios.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Jordan Government’s Use of Cellebrite Forensics Tools Targets Activists in 2024

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2024-53104

Affected Products:

Exploit Status:

References:

CVE-2024-53197

Affected Products:

Exploit Status:

References:

CVE-2024-50302

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Password Cracking

Data from Local System

Input Capture: Keylogging

Unsecured Credentials: Credentials in Files

Steal Web Session Cookie

Data from Removable Media

OS Credential Dumping: Security Account Manager

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Potential Compliance Exposure

NIS2 Directive – Access Control and Asset Management

PCI DSS 4.0 – Limit Access to System Components and Cardholder Data

CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Identity, Device, and Access Validation

NYDFS 23 NYCRR 500 – Access Privileges

DORA (EU Digital Operational Resilience Act) – ICT Risk Management – User Access Management

ISO/IEC 27001:2022 – Access to Networks and Network Services

Sector Implications

Government Administration

Law Enforcement

Non-Profit/Volunteering

Civic/Social Organization

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads