The findings, published by Citizen Lab Thursday, are based on the research institute’s digital forensic analysis of seized phones in four cases and Jordanian court records in three cases.
# Incident Report: Jordanian Authorities Use of Cellebrite Against Activists
## Executive Summary
Between late 2023 and mid-2025, Jordanian authorities repeatedly used Cellebrite software to perform forensic extractions on the mobile devices of at least seven activists and human rights defenders critical of the government, primarily during detention or interrogation. The devices were accessed through physical seizure and coerced unlocking, and sensitive personal data was extracted from people detained over speech critical of the war in Gaza. Citizen Lab's investigation found evidence across four seized phones and three court records, documenting state surveillance and suppression of dissent carried out with commercial mobile forensic tools.
## Incident Details
- Discovery Date: Thursday, January 22nd, 2026 (Date of Citizen Lab publication)
- Incident Date: Late 2023 through Mid-2025 (Period during which data extractions occurred)
- Affected Organization: At least seven Jordanian activists/human rights defenders (Civil Society)
- Sector: Human Rights / Civil Society
- Geography: Jordan
## Timeline of Events
### Initial Access
- Date/Time: Late 2023 – Mid-2025
- Vector: Physical seizure of devices, followed by forced unlocking or covert access.
- Details: Authorities seized phones (3 iPhones, 1 Android) from activists detained or interrogated over speech critical of Israel's campaign against Gaza. Access was gained either by the owner providing Face ID or a passcode under duress, or through covert means (in one case, the passcode was found written on a piece of tape stuck to the back of the phone).
### Lateral Movement
- *Not applicable as traditional network lateral movement.* The tool (Cellebrite) was run directly against the seized endpoint device to perform deep data extraction.
### Data Exfiltration/Impact
- Details: Sensitive data was extracted via Cellebrite, including chats, files, photos, videos, location history, saved passwords, Wi-Fi history, phone logs, email, web history, social media accounts, and even deleted data. This access supported prosecutions under Jordan's cybercrime law.
### Detection & Response
- Detection: Digital forensic analysis conducted by Citizen Lab on seized phones (4 cases) and review of Jordanian court records (3 cases).
- Response Actions: Citizen Lab published findings and shared a statement from Cellebrite regarding their policy on use and vetting.
## Attack Methodology
- Initial Access: Physical access to the device, compelling victims to unlock via biometric (Face ID) or passcode entry under duress.
- Persistence: *N/A for endpoint seizure, but the extraction tool facilitates deep data capture.*
- Privilege Escalation: Exploitation of device vulnerabilities or use of the privileged forensic functions built into the Cellebrite platform to bypass standard encryption and security controls, applied even in cases where the passcode had already been provided.
- Defense Evasion: Because Cellebrite is a commercial forensic tool sold for lawful use by law enforcement and operates with physical access to the device rather than through malware, standard endpoint protections do not block the extraction.
- Credential Access: Extraction of saved passwords and authentication tokens from the device.
- Discovery: Forensic analysis by Citizen Lab revealed iOS and Android Indicators of Compromise (IoCs) tied to Cellebrite operations.
- Lateral Movement: Not applicable in the traditional sense; focus remains on endpoint compromise.
- Collection: Comprehensive data gathering from nearly all accessible partitions of the mobile OS, including deleted artifacts.
- Exfiltration: Data was extracted by the examining government agency (Jordan’s Criminal Investigations Department) via the forensic software.
- Impact: Data seizure used as evidence in legal prosecution under broad cybercrime laws.
## Impact Assessment
- Financial: Costs associated with the legal prosecution of activists; cost to Cellebrite for internal review/potential loss of business in other jurisdictions. (Specific figures not available.)
- Data Breach: Comprehensive personal information, communications history, location data, and deleted files belonging to at least seven high-profile activists.
- Operational: Disruption and silencing of critical civil society voices advocating against government actions (related to Gaza).
- Reputational: Damage to the reputation of Jordanian judiciary/authorities for using surveillance tools against political dissent; potential reputational damage for Cellebrite linked to misuse.
## Indicators of Compromise
- Network Indicators: None provided. The compromise was carried out through physical access to the device, not through the network C2 infrastructure typically monitored for malware.
- File Indicators: iOS and Android Indicators of Compromise (IoCs) tied to Cellebrite forensic processes (specific hashes and filenames are not provided in the source).
- Behavioral Indicators: Forced unlock of devices (biometrics/passcode) during detention; subsequent technical reports generated by Jordan’s Criminal Investigations Department summarizing forensic extraction.
## Response Actions
- Containment measures: No technical containment was possible for the victims; exposure of each device ended once the seizure and extraction concluded. Ongoing containment consists of political and legal pressure on the state using the tool.
- Eradication steps: Not applicable for the victims once the phones were returned; external pressure may lead Cellebrite to audit how its tools are used.
- Recovery actions: Following public disclosure, the affected activists are working to restore their privacy and seek redress.
## Lessons Learned
- Commercial surveillance tools, even those intended for law enforcement, present a significant risk of misuse against political dissent and civil society when regulatory oversight is weak.
- The presence of broad cybercrime laws facilitates the legal justification for seizing and extracting private data from citizens deemed critical of government policy.
## Recommendations
- Strengthen national laws regarding digital privacy and the conditions under which digital devices can be legally compelled for access during detention.
- Civil society organizations should adopt stronger physical and digital security practices, including using secure devices, avoiding local storage of sensitive data, and using strong encryption and passphrases that resist brute-force attacks.
- International stakeholders should increase scrutiny and transparency requirements for the export and usage monitoring of mobile forensic tools like Cellebrite.