An investigation by BIRN and a forensic analysis by Amnesty International have confirmed that Serbia’s Security Intelligence Agency (BIA) used Israeli Cellebrite technology to hack the phones of activists. These devices were unlocked, monitored, and equipped with Serbian spyware, NoviSpy, which allowed the agency to not only extract messages and contacts but also access private photos, track families, and activate cameras and microphones.
This story is told through the accounts of those whose data and freedom were compromised by BIA’s illegal surveillance.
One activist from the Krokodil Association shared how, during a routine interview at the BIA, he was asked to leave his phone in a chair facing an office. “An hour and a half later, I noticed a notification on my phone showing that all my contacts had been exported,” he told BIRN, insisting on anonymity. Forensic experts from Amnesty International later confirmed that, in addition to digital forensic data extraction, BIA had installed spyware on the device.
The activist revealed, “For two weeks, they were watching my daughter’s every move, photos shared with her grandparents – everything. It was terrifying.”
This is just one of many cases where Serbian security services attempted or succeeded in illegally hacking the phones of activists, extracting data, and installing spyware.
BIRN spoke with five Serbian activists, including Ivan Bjelic, Ivan Milosavljeviq Buki, Nikola Ristic, Nenad Kovacevic, and another Krokodil Association activist. Forensic analysis from Amnesty International confirmed that Serbian security services accessed their phones and installed spyware. Additionally, BIRN interviewed over twenty activists who suspect their phones were infected with spyware, as well as digital forensic and legal experts who documented this illegal data collection and spyware infection.
The investigation revealed that police and BIA used various tactics to summon activists for interviews and, in some cases, arrest them by force. These interviews were often described by activists as mere pretexts to gain access to their devices and compromise phone security.
Confiscated phones were taken behind closed doors and connected to advanced digital forensic equipment from Cellebrite, a well-known Israeli provider of unlocking technology. In some cases, Serbian spyware, NoviSpy, was installed on the devices. By November 2024, Amnesty International had analyzed more than 20 devices belonging to civil society members, mostly Android phones. Four confirmed cases involved the use of NoviSpy spyware between February and November 2024. Traces of failed spyware installations were also found on additional devices.
Amnesty International’s report confirmed the extensive nature of this surveillance, as more than 20 unique samples of NoviSpy spyware were created and potentially installed within just one month.
Lawyers highlighted that BIA had severely overstepped its authority, as no court warrants were issued for these activities. They also noted that Serbia has no legal framework for the use of spyware.
“This has a negative impact on privacy, freedom of speech, and freedom of assembly, not just for the individuals targeted but for the wider activist community and organizations. The consequences for democracy and democratic processes in Serbia are catastrophic because it gives the impression that there is no control over the actions of the police and BIA,” Ana Toskić Cvetinović from the NGO Partners told BIRN.
Cellebrite’s forensic tools, used on the phones of Ivan Bjelic, a government protest participant, and many other activists, allow deep penetration into phone architecture. These tools can retrieve deleted messages, hidden data, cloud accounts, and even access protected apps.
The devices also showed signs of strange behavior, including random vibrations, heating up during conversations, and self-shutting down. It was clear that something was amiss.
Technical specifications, along with Cellebrite’s official data, reveal that their devices can extract deleted messages, hidden data, location history through base stations, Bluetooth connections, Wi-Fi networks, and more.
Additionally, the Serbian security services also utilized Cellebrite’s analytical modules to filter, sort, visualize, map, and process data with the help of artificial intelligence, including facial recognition.
Amnesty International’s report confirms that Cellebrite’s equipment helped Serbian security services unlock phones, leaving space for the installation of spyware.
“If this is true, Serbia has violated the contract, and we will reconsider if it is a country we will work with,” Cellebrite responded to BIRN’s inquiry.
Amnesty International issued a similar response, stating that their equipment is strictly regulated and licensed for use only with a court order and by law enforcement after a crime has been committed.