The document is marked "top secret" and was sent to the address of the Serbian Security and Intelligence Agency (BIA).
The offer is for the renewal of licenses for the Israeli company Cellebrite's forensic tool, which is used to unlock and download content from smartphones.
This document, which Radio Free Europe (RFE) has had access to, dates back to September 2015.
It is just one in a series of leaked documents from Serbian security service procurement that RFE/RL found on the so-called dark net, a part of the internet accessed with the help of special browsers, and which is often used for anonymous communication and exchange.
Although previous data suggests that the BIA has been using mobile communications surveillance tools for the past few years, RFE/RL's research has shown that the Serbian security service appears to have comprehensive forensic equipment for almost all types of devices.
And that's at least a decade ago.
RFE/RL journalists also conducted a cross-check of the documents through publicly available databases - by searching for companies, individuals, as well as certain details visible on the documents themselves, such as signatures and seals.
What is disputed?
Analysis of documents published on the "dark net" shows that the BIA secretly invited companies to submit bids for the renewal of licenses (permits) for various forensic tools on at least two occasions, in 2015 and 2019.
Among them is the powerful device for extracting data from mobile phones, "UFED" (Universal Forensic Extraction Device), from the company "Cellebrite".
A report by the international NGO Amnesty International from December 2024 shows that this device was used to forcibly unlock phones in at least seven cases in Serbia that year.
The report contains detailed forensic evidence on the practice of illegal use of devices during interrogations in the Serbian police and BIA.
It is alleged that, using software from the company "Cellebrite", the phones of journalists and activists were unlocked, after which their complete content was downloaded.
According to the report, previously unidentified spyware "NoviSpy" was installed on some phones, through which further activities on the mobile phone were monitored - photos, messages and internet searches.
Although Cellebrite products are used by police departments around the world, two months after Amnesty International's discovery, the Israeli company announced that it had withdrawn certain licenses in Serbia, without specifying which institutions they pertained to.
The BIA's comment on the report on the misuse of Cellebrite's tools was brief at the time - "trivial sensationalism".
The BIA, however, has not responded to RFE/RL's inquiries about how and why they acquired the "disputed" software ten years ago.
The company "Cellebrite" also did not respond to a series of questions from RFE/RL - since when has the BIA been using their licenses, how it acquires them, and how the company itself checks the clients it cooperates with for potential abuses.
In a letter dated July 24, however, they emphasized to RFE/RL that their technology assists in approximately 1,5 million cases annually, including some of the most significant investigations of our time - from protecting children from human trafficking, through abuse, to arresting murderers, arsonists, terrorists, and others who wish to cause harm.
What is UFED?
UFED allows you to "download" data even when the phone is locked, and it is possible to access even deleted messages, calls, photos and applications.
The device can be used to analyze user locations and activities.
It has been surrounded by numerous controversies as it has been linked to privacy issues and abuse, especially when used without a court order or the consent of the device user.
What do the leaked documents show?
Documents containing bids for the procurement of several different forensic software were sent by the state-owned IT company "Informatika AD" from Belgrade, at the invitation of the BIA.
The documents were leaked onto the dark web after a hacker attack on the company in late June 2025.
In its responses to RFE/RL on July 24, "Informatika AD" questions their authenticity, but confirms that it was the target of a hacker attack.
"Informatika AD was the target of a criminal group that attempted to blackmail the company by demanding the ransom of data. This was reported to the Prosecutor's Office for Organized Crime," the response states.
In response to a series of questions about offers for software licenses for the needs of the BIA, as well as the method of vetting the clients they cooperate with, the company stated that their business is "protected by numerous confidentiality provisions that include internal, client rules, but also general regulations on official secrets and data confidentiality."
They also claim that they "never had any business activity with the Israeli company 'Cellebrite'".
"Informatika AD", however, did not explain why, if there was no business cooperation, it made an offer to the security service in 2015 for a license for the "UFED" software tool from the company "Cellebrite".
What is known about the company "Informatika AD"?
"Informatika AD" is the oldest state-owned IT company which, according to the description on their website, deals with "IT engineering, development of business and industrial software solutions, as well as automation of business processes."
"Informatika AD" clients are mainly state institutions, large companies and industrial systems. Among the largest clients, the website lists the Government of Serbia, Elektroprivreda, Infostan, and the Ministry of Internal Affairs.
They are partners of major computer companies "Microsoft", "Huawei" and "Oracle".
What did the BIA procure?
The first offer, which, among other forensic tools, also concerns the renewal of licenses for the Cellebrite "UFED" device, was drawn up by "Informatika AD" on September 22, 2015, according to leaked documents.
The total value of the deal was around 6,6 million dinars (around 55 thousand euros) and includes licenses for several forensic tools, as well as licenses for various software solutions for the needs of the BIA.
The list includes two licenses for the Cellebrite "UFED" tool.
In addition to the Israeli company's tools, the BIA is also acquiring licenses from the Swedish manufacturer "Micro systemation" for the "XRY/XACT" tool, one of the documents shows.
This tool is used to extract data from mobile devices such as messages, contacts, applications, as well as copies of the entire device memory, including deleted, hidden, or protected data (memory dump).
The tool has similar characteristics to the Israeli "Cellebrite".
In the leaked documents, RFE/RL journalists did not find a signed contract between BIA and "Informatika AD", which confirms that this particular company was awarded the procurement.
The BIA procures software licenses through a process of bargaining and negotiations with individual companies, among which "Informatika AD" is only one of several bidders, leaked documents show.
Neither BIA nor "Informatika AD" responded to questions about who was engaged in this procedure.
Six licenses acquired in 2019
From the offer of the company "Informatika AD", it is noticeable that BIA extended the license for the "Cellebrite" tool in subsequent years.
"The bid opening and negotiation will take place on July 15, 2019 at 12 noon at the client's address, Kraljice Ane bb," states the invitation to submit bids that BIA sent to "Informatica AD" in early July 2019.
The procurement, which relates to a series of forensic tools for extracting data from phones, has been divided into two lots.
The first relates to a series of forensic licenses, while the second batch of procurement includes six licenses for "UFED" devices from the company "Cellebrite".
The annual license extension also includes the aforementioned forensic tool "XRY/XACT" from the Swedish manufacturer, as well as the FT software (forensic toolkit) from the company "AccessData", as well as the tools "Forensic Explorer", "Magnet Axiom", "X-ways Forensic", which are used to process computers and hard drives.
RFE/RL journalists did not find a signed contract for this procurement either, and five other companies from Serbia participated in the procedure.
What can the tools purchased by the BIA do?
"All these tools cover practically all digital forensics operations, for working with mobile phones and tablets, desktop and laptop computers, as well as all data storage devices such as hard drives and flash drives," explains Filip Milošević from the Share Foundation, an organization that monitors the impacts of new technologies and the state of digital rights.
Milošević states that certain tools, such as "Forensic Explorer", can recover previously deleted data, and find browsing and Internet search history and email correspondence.
He says that tools such as "Magnet Axiom" and "AccessData Tools" efficiently process large amounts of data from various sources.
"They can sort them by timeline, correlate data from phones and, for example, Google accounts, reconstruct the activities of suspects, and visualize all of that in different ways," adds Milošević.
"Top Secret" Procurement
The procurement is marked as strictly confidential in the documents.
The Law on BIA gives the service the authority to independently decide on the manner of conducting procurements that are important for operational work and security, including the ability to classify them as confidential.
As a result, the Serbian public has not had information for years about what and how the BIA procures.
"We are aware that the procurement is not being carried out in the manner and procedure stipulated by the Public Procurement Law, but rather in accordance with the by-laws of the Government of the Republic of Serbia and the Security and Information Agency," states the text of the offer from "Informatika AD" dated September 22, 2015, signed by a company representative.
The same employee, whose name is known to the editorial staff, signs a special form stating that "other persons in the service supply chain will not name the end user", i.e. the BIA, and that he will first obtain the BIA's consent for all information requested about the end user.
"Dangerous global trend"
"The RFE/RL investigation once again confirms that powerful surveillance tools are being acquired and used in complete secrecy, without public insight or accountability, and this is a global trend that is not only unacceptable, but also dangerous and harmful," says Aljoša Ajanović Andelić from the organization EDRi (European Digital Rights).
EDRi is a network of organizations from Europe that deal with the protection of citizens' digital rights, such as the right to privacy, freedom of expression and access to information, and Ajanović Andelić states that the new findings make the situation even more disturbing.
"Cellebrite is part of the spyware ecosystem and must be treated as such. When used against activists, journalists, political opponents or migrants, it becomes a tool of political repression."
Ajanović Andelić underlines that its application is not only problematic then - it represents a clear violation of basic human rights and should be prohibited.
Bonus video:
