New research from Citizen Lab indicates that Kenyan authorities used a commercial forensic extraction tool made by Israeli company Cellebrite to break into the phone of a prominent dissident, making it the latest case of misuse of technology targeting civil society.
The interdisciplinary research unit at the University of Toronto’s Munk School of Global Affairs and Public Policy said it found the indicators on the personal phone of Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027.
Notably, it has emerged that Cellebrite’s forensic extraction tool was used on his Samsung phone while he was in police custody following his arrest in July 2025.
About two months later, in September, the phone was returned to him, at which time Mwangi discovered that the phone was no longer password protected and could be unlocked without requiring the password. It has been assessed with high confidence that Cellebrite’s technology was used on the phone on or about July 20 and July 21, 2025.
“Using Cellebrite, it was possible to completely extract all content from Mwangi’s device, including messages, private content, personal files, financial information, passwords and other sensitive information,” Citizen Lab said.
The latest findings follow a separate report released last month, in which researchers said authorities in Jordan likely used Cellebrite to extract information from the mobile phones of activists and human rights defenders who were critical of Israel and spoke out in support of Palestinians in Gaza.
The devices were confiscated by Jordanian authorities during detention, arrest and interrogation and were later returned. Citizen Lab said the documented events occurred between late 2023 and mid-2025.
In response to the findings, a spokesperson for Cellebrite told The Guardian that the company’s technology is “only used to access private data with appropriate consent in accordance with legal process or to lawfully assist investigations after an incident has occurred.”
These two cases add to a growing body of evidence documenting misuse of Cellebrite technology by government customers. They also reflect the broader ecosystem of surveillance abuse, in which various governments around the world carry out highly targeted surveillance using mercenary spyware like Pegasus and Predator.
Predator spyware targets Angolan journalist
The development also coincides with another report by Amnesty International, which found evidence that the iPhone of Angolan journalist and press freedom advocate Teixeira Cândido was successfully targeted by Intellexa’s Predator spyware in May 2024 after he opened an infection link received via WhatsApp.
The iPhone was running iOS 16.2, an older version of the operating system with known security issues. It is not currently known what method was used to trigger the infection. In several reports published last year, Recorded Future revealed that it had observed suspected Predator operations in Angola in 2024.
“This is the first forensically confirmed case of Predator spyware being used to target civil society in Angola,” the international human rights organization said. “Once the spyware was installed, the attacker could gain unrestricted access to Teixeira Cândido’s iPhone.”
“The Predator spyware infection lasted less than a day, with the infection appearing to have been removed when Teixeira Cândido restarted his phone on the evening of May 4, 2024. From that time until June 16, 2024, the attackers made 11 new attempts to re-infect the device by sending him new malicious Predator infection links. All subsequent attack attempts failed, possibly due to the links not opening.”
According to an analysis published by French offensive security company Reverse Society, Predator is a commercial spyware product that is “built for reliable, long-term deployment” and allows operators to selectively enable or disable modules based on target activity, giving them real-time control over surveillance efforts.
Predator has been found to contain various unspecified anti-analysis mechanisms, including crash reporter monitoring systems for anti-forensics and SpringBoard hooking to suppress recording indicators from victims when the microphone or camera is activated, indicating the sophistication of the spyware. Additionally, it has been explicitly tested to avoid running in US and Israeli areas.
“These findings demonstrate that Predator operators have detailed visibility into failed deployments, […] enabling them to tailor their approach to specific targets,” said researchers Shen Yuan and Nir Avraham of Jamf Threat Labs. This error code system transforms failed deployments from black boxes to diagnostic events.