The document, labeled “top secret,” was addressed to the Serbian Security and Intelligence Agency (BIA).

It pertains to the renewal of licenses for Cellebrite’s forensic tool, an Israeli company known for its ability to unlock and download data from smartphones.

This document, which Radio Free Europe (RFE) has accessed, dates back to September 2015.

It is one of several leaked documents related to Serbian security service procurement, found by RFE/RL on the dark net—a part of the internet that requires specialized browsers for access and is frequently associated with anonymous communication and transactions.

Existing data indicate that the BIA has utilized mobile surveillance tools over the last few years; however, RFE/RL’s investigation reveals that the Serbian security service seems to possess extensive forensic equipment for nearly all device types, some dating back at least a decade.

RFE/RL reporters also cross-referenced the documents with publicly accessible databases, investigating companies, individuals, and specific details on the documents themselves, including signatures and seals.

What is in dispute?

Analysis of the documents released on the dark net indicates that the BIA secretly solicited bids from companies for renewing licenses for various forensic tools on at least two occasions: in 2015 and 2019.

Among these tools is the powerful “UFED” (Universal Forensic Extraction Device) from Cellebrite.

A report by the international NGO Amnesty International from December 2024 indicates that this device was used to forcibly unlock phones in at least seven cases in Serbia that year.

The report details forensic evidence of the illegal use of these devices during interrogations by the Serbian police and BIA.

It is alleged that the software from Cellebrite was employed to unlock the phones of journalists and activists, subsequently downloading all their data.

The report further mentions the installation of previously unidentified spyware “NoviSpy” on some devices, allowing for surveillance of ongoing activities—photos, messages, and internet searches.

Despite Cellebrite’s products being utilized globally by law enforcement, two months after the Amnesty report, the Israeli company announced it had withdrawn certain licenses in Serbia, without clarification about which institutions were affected.

At the time, the BIA’s response to allegations regarding the misuse of Cellebrite tools was succinct—calling it “trivial sensationalism.”

However, the BIA has not addressed RFE/RL’s questions regarding how and why they obtained the “disputed” software a decade ago.

Cellebrite also did not respond to RFE/RL’s inquiries about the duration of BIA’s use of their licenses, the acquisition process, or how the company vets clients to avoid potential abuse.

Nevertheless, in a July 24 letter, Cellebrite highlighted that their technology assists in approximately 1.5 million cases annually, including critical investigations involving human trafficking, abuse, and the apprehension of murderers, arsonists, terrorists, and others posing threats to society.

What is UFED?

UFED can “download” data even when a phone is locked, allowing access to deleted messages, calls, photos, and applications.

The device can analyze user locations and activities.

It has generated controversies due to potential privacy violations and misuse, particularly when employed without a court order or the explicit consent of the device owner.

What do the leaked documents reveal?

Documents containing bids for various forensic software were submitted by the state-owned IT company “Informatika AD” from Belgrade at the BIA’s request.

The documents were uploaded to the dark web following a hacking incident at the company in late June 2025.

In their responses to RFE/RL on July 24, “Informatika AD” expressed doubts about the documents’ authenticity but confirmed being targeted in a hacker attack.

“Informatika AD faced a criminal group that sought to blackmail the company for data ransom. This incident has been reported to the Prosecutor’s Office for Organized Crime,” the response noted.

In response to inquiries regarding offers for software licenses for BIA’s needs, as well as vetting procedures for cooperating clients, the company stated that their operations are protected by strict confidentiality clauses, including internal client regulations and broader laws governing official secrets and data privacy.

They claimed to have “never had any business dealings with the Israeli firm ‘Cellebrite’.” However, “Informatika AD” did not clarify why, if there were no business relationships, they made an offer to BIA in 2015 for a license for the “UFED” tool.

What is known about “Informatika AD”?

“Informatika AD” is the oldest state-owned IT firm, primarily engaged in “IT engineering, development of business and industrial software solutions, as well as business process automation,” according to their website.

The company primarily serves state institutions, large corporations, and industrial systems, listing clients such as the Government of Serbia, Elektroprivreda, Infostan, and the Ministry of Internal Affairs.

They are partners with major tech companies including “Microsoft”, “Huawei”, and “Oracle”.

What did the BIA procure?

The initial proposal, which includes the renewal of Cellebrite’s “UFED” licenses alongside other forensic tools, was prepared by “Informatika AD” on September 22, 2015, as per leaked records.

The overall value of the contract was approximately 6.6 million dinars (around 55 thousand euros), encompassing licenses for multiple forensic tools and software solutions needed by the BIA.

The list identifies two licenses for the Cellebrite “UFED” device.

Aside from the tools from the Israeli company, the BIA is also acquiring licenses from Swedish manufacturer “Micro Systemation” for the “XRY/XACT” tool, according to one of the documents.

This tool facilitates data extraction from mobile devices, including messages, contacts, applications, and comprehensive device memory copies, even of deleted or hidden data (memory dump).

This tool shares similar functionalities with Cellebrite’s products.

RFE/RL’s investigation did not uncover a signed contract between BIA and “Informatika AD” confirming that this particular company was awarded the contract.

The BIA conducts software license procurements through negotiation processes with various companies, of which “Informatika AD” is merely one among several bidders, as indicated by the leaked documents.

Neither BIA nor “Informatika AD” responded to questions regarding who orchestrated this procedure.

Six licenses acquired in 2019

The offer from “Informatika AD” indicates that the BIA continued to extend the license for the “Cellebrite” tool in subsequent years.

“The bid opening and negotiation will be held on July 15, 2019, at noon at the client’s address, Kraljice Ane bb,” states the invitation to tender that the BIA sent to “Informatika AD” in early July 2019.

The procurement related to a variety of forensic tools for data extraction from phones, segmented into two lots.

The first lot pertains to various forensic licenses, while the second includes six licenses for “UFED” devices from Cellebrite.

The annual license renewal also encompasses the aforementioned “XRY/XACT” forensic tool from Sweden, along with the FT software (forensic toolkit) from “AccessData,” and tools like “Forensic Explorer,” “Magnet Axiom,” and “X-ways Forensic,” utilized for analyzing computers and hard drives.

RFE/RL did not find a signed contract for this procurement either, with participation from five other Serbian companies in the bidding process.

What capabilities do the tools purchased by the BIA possess?

“All these tools cover virtually all digital forensic functions, applicable to mobile phones, tablets, desktop and laptop computers, and data storage devices like hard drives and flash drives,” explains Filip Milošević from the Share Foundation, which monitors the implications of new technologies on digital rights.

Milošević indicates that certain tools, such as “Forensic Explorer,” can recover previously deleted data, as well as browsing history and email correspondence.

He adds that tools like “Magnet Axiom” and “AccessData Tools” can effectively process large datasets from various sources.

These tools can organize data by timelines, correlate information from phones and Google accounts, reconstruct suspect activities, and visualize this data in various formats, he elaborates.

“Top Secret” Procurement

The procurement is classified as strictly confidential in the documents.

According to the Law on BIA, the agency is authorized to determine the method of conducting procurements relevant to operational work and security, inclusive of designating them as confidential.

Consequently, the Serbian public has been kept in the dark for years concerning the nature and processes behind the BIA’s procurements.

“We acknowledge that the procurement is not conducted according to the Public Procurement Law but rather follows the by-laws of the Government of the Republic of Serbia and the Security and Information Agency,” states the text of the offer from “Informatika AD,” dated September 22, 2015, signed by a company representative.

That same employee—whose name is known to the editorial staff—signs a dedicated form asserting that “other individuals in the supply chain will not disclose the end user,” i.e., the BIA, and that they will first obtain the BIA’s consent for any information requested about the end user.

“A Dangerous Global Trend”

“The RFE/RL investigation reaffirms that powerful surveillance tools are acquired and employed in complete secrecy, devoid of public scrutiny or accountability, a global trend that is both unacceptable and perilous,” says Aljoša Ajanović Andelić from the organization EDRi (European Digital Rights).

EDRi comprises a network of entities across Europe committed to safeguarding citizen digital rights, including privacy rights, freedom of expression, and information access. Ajanović Andelić states that these new revelations heighten the existing concerns.

“Cellebrite is integral to the spyware ecosystem and should be regarded as such. When deployed against activists, journalists, political opponents, or migrants, it turns into a mechanism for political repression,” he insists.

Ajanović Andelić emphasizes that such application not only poses ethical dilemmas but also constitutes blatant violations of fundamental human rights, warranting prohibition.

News