
Digital forensics experts rarely find themselves in national headlines – but this week has been an exception. Prompted by the news that Nigel Farage has accused Russian spies of hacking his phone and leaking the story of the Reform UK leader receiving £5m, several industry specialists have expressed doubts about the claims, which have not yet been publicly substantiated. 

James Thoburn

Director, Incident Response 

jthoburn@thomasmurray.com

We are not here to litigate whether Farage is right about Russian involvement in the leak. We believe that a more fundamental question has been raised by this story than the one currently being argued in the press. 

The personal mobile device of a high-profile individual like the leader of a political party will often sit outside almost every defensive control that enterprises routinely apply to corporate endpoints. Since these devices typically carry material of equal or greater sensitivity than anything on the corporate network, there is a dangerous irony here: the people most likely to attract sophisticated targeting – politicians, company executives, high-net-worth and high-profile individuals – are often those least likely to benefit from continuous defensive monitoring of the sort that most mature companies provide by default to their employees.  

Our digital forensics and incident response (DFIR) team is routinely called in to examine the personal devices of individuals at all levels of an organisation; the more senior the individual, the more likely they are to blur the distinction between personal and professional devices – and the less likely it is that the device in question fell within the organisation’s security perimeter. 

Attribution Theatre: Single-Device Forensics and the Limits of State-Actor Identification

The forensic claim at the centre of the Farage story – that Russian state actors compromised the device and exfiltrated communications relating to a £5 million donation – has been challenged by experienced practitioners on reasonable technical grounds. Peter Sommer, professor of digital forensics at Birmingham City University, has pointed out that the two principal artefact types a forensic examiner would rely on, the initial phishing lure and the implant code itself, are both trivially spoofable or obtainable from non-state sources: state-grade tooling and obfuscation techniques have been made available to a much broader population of operators by the likes of the leaked CIA Marble Framework, the Hacking Team disclosure, the Shadow Brokers releases and the wider commercial spyware market.

Credible attribution goes beyond a single-device forensic engagement: it draws on patterns across multiple victims, shared infrastructure, operator behaviour and, where available, corroborating signals intelligence. A single-device analysis – by an unnamed firm, with no published methodology and no peer review – therefore cannot reasonably produce a conclusion of "almost certainly Moscow". That concern is reinforced by the absence of NCSC engagement and is reflected in the public commentary of Ciaran Martin, founding chief executive of the NCSC. Where conclusions reach the public domain without baseline data, defined scope or peer review, they function as public relations rather than as forensic findings.

Outside the Defensive Perimeter: Personal Mobile Devices in High-Profile Threat Models

The personal mobile device of a high-profile individual is, in almost every realistic threat model, the highest-value single endpoint. It holds deal flow, off-the-record communications conducted through Signal and WhatsApp, voice notes outside any retention regime, the personal and professional social graph, location history, financial credentials, healthcare data and family material. A successful compromise therefore yields a comprehensive personal dossier from a single source, and the threshold for weaponising any element of that material is low: one artefact, taken out of context or released selectively, is sufficient to drive reputational, financial or political consequences.

The pattern of mobile-based targeting of senior public figures is well established in the open record. The Citizen Lab's CatalanGate investigation identified at least 65 individuals targeted or infected with Pegasus and Candiru spyware. This includes members of the European Parliament, Catalan Presidents, legislators and jurists, while subsequent reporting has documented suspected Pegasus indicators on devices associated with the UK Prime Minister's Office and the Foreign, Commonwealth and Development Office.

Despite the value of the data held, the personal mobile device sits outside every defensive perimeter that enterprises routinely build around corporate endpoints. Neither Mobile Device Management (MDM) nor Endpoint Detection and Response (EDR) extends to it. The corporate DFIR retainer typically does not cover it, and where an incident is identified, the corporate DFIR team often cannot legally examine the device without protracted negotiation, by which point evidence may have been overwritten or the handset replaced. The gap is partly legal and partly cultural: devices are personal and users resist intrusive control, while incident response remains built around corporate environments. The result is that the device most likely to be targeted is consistently the device with the least defensive support around it.

Detection Limits on Consumer Mobile

The detection picture on consumer iOS and Android compounds the scoping gap. Unlike corporate Windows systems, these platforms do not support continuous behavioural monitoring: there is no equivalent of an EDR sensor running with privileged visibility and reporting into a SIEM. The architectural restrictions that protect mobile user privacy from third-party applications also restrict the visibility available to defensive tooling.

Several partial mitigations exist within the public ecosystem. Apple's Lockdown Mode is an optional, extreme protection that meaningfully raises the operational cost of zero-click exploitation. The Mobile Verification Toolkit released by the Amnesty International Security Lab in 2021 provides a structured framework for forensic analysis of iOS and Android devices against published indicators of compromise, and Apple's mercenary spyware threat notification programme issues direct alerts when it detects suspected state-grade spyware targeting. None of these constitutes continuous monitoring, functioning instead as point-in-time integrity checks or selective alerts rather than as a defensive layer comparable to corporate EDR.

The practical consequence is that defensive activity for high-profile individuals on consumer mobile cannot be modelled as detection and must instead be modelled as readiness, with the quality of any post-incident forensic position determined by what was prepared in advance rather than by what the device itself can produce after the fact.

Forensic Readiness and the Market Gap for Principal Protection

We built our DFIR capability for high-profile individuals around precisely this specification, structured as a sustained engagement rather than a point-in-time service. It begins with a forensic baseline taken when the device is in a known-good state – typically an encrypted backup and a sysdiagnose collection – refreshed at defined intervals so that any future investigation has a clean comparison point rather than starting from zero. It includes a segregated communication layer for genuinely sensitive material, on a device that is not also the principal's everyday handset, removing the most consequential material from the highest-volume attack surface. It extends to a hardened provisioning standard for the day-to-day device – Lockdown Mode where the threat model justifies it, hardware-key multi-factor authentication and strict application hygiene. And it is underpinned by an IR retainer with the legal authority for personal-device work, agreed in advance, scoped to the principal personally rather than to a corporate entity, so that if an incident occurs, the first hour is spent imaging the device rather than negotiating who owns the data on it.
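To make the baseline-and-compare model concrete, and to show the kind of point-in-time indicator screening that MVT-style tooling performs (see Detection Limits on Consumer Mobile above), here is an added example in Python. It is illustrative code written for this piece, not Thomas Murray's tooling and not MVT. It assumes a collection (backup or sysdiagnose) has been unpacked to a directory, that the stored baseline is a JSON manifest of per-file SHA-256 digests kept off the device, and it uses a constructed indicator list and constructed log lines; the `.invalid` hostnames and `placeholder-implantd` process name are placeholders, not real indicators.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path
from typing import Iterator

# Constructed indicator set for this example only; real screening uses a
# published IOC list (e.g. the STIX indicators Amnesty's Security Lab ships for
# MVT). These hostnames and process names are placeholders, not real IoCs.
SAMPLE_INDICATORS = {
    "domains": {"updates-cdn.invalid", "telemetry-sync.invalid"},
    "process_names": {"placeholder-implantd"},
}

# Constructed lines standing in for a network/process extract from a
# sysdiagnose-style collection.
CONSTRUCTED_LOG = [
    "2024-01-01T10:00:00 netstat tcp 10.0.0.5:52110 -> api.updates-cdn.invalid:443 ESTABLISHED",
    "2024-01-01T10:00:02 launchd spawned placeholder-implantd pid 4123",
    "2024-01-01T10:00:05 netstat tcp 10.0.0.5:52111 -> www.example.com:443 ESTABLISHED",
]


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as added, removed or modified relative to the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def _host_tokens(line: str) -> Iterator[str]:
    """Lower-cased tokens with scheme, path and port stripped, so that
    'https://api.updates-cdn.invalid:443/x' yields 'api.updates-cdn.invalid'."""
    for raw in line.lower().split():
        tok = raw.strip("(),;\"'[]")
        if "://" in tok:
            tok = tok.split("://", 1)[1]
        tok = tok.split("/", 1)[0].split(":", 1)[0]
        if tok:
            yield tok


def match_indicators(lines: list[str], indicators: dict[str, set[str]]) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for each hit. A domain indicator
    matches the host exactly or as a parent domain, so subdomains are caught."""
    hits: list[tuple[int, str, str]] = []
    for number, line in enumerate(lines, start=1):
        for tok in _host_tokens(line):
            for domain in sorted(indicators["domains"]):
                if tok == domain or tok.endswith("." + domain):
                    hits.append((number, "domain", domain))
            if tok in indicators["process_names"]:
                hits.append((number, "process", tok))
    return hits


def demo() -> dict:
    """Construct a known-good collection and a later one in a temp dir, store a
    baseline manifest, diff the later collection against it, screen the log."""
    with tempfile.TemporaryDirectory() as tmp:
        known_good, later = Path(tmp) / "known_good", Path(tmp) / "later"
        files = {  # relative path -> (known-good bytes, later bytes)
            "Library/Preferences/com.example.app.plist": (b"<plist>v1</plist>", b"<plist>v1</plist>"),
            "Library/Preferences/com.example.settings.plist": (b"<plist>a</plist>", b"<plist>b</plist>"),
        }
        for rel, (base_bytes, later_bytes) in files.items():
            for root, body in ((known_good, base_bytes), (later, later_bytes)):
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)
        extra = later / "Library/Caches/unexpected.bin"  # present only in the later collection
        extra.parent.mkdir(parents=True, exist_ok=True)
        extra.write_bytes(b"\x00" * 16)

        # The baseline manifest is what the readiness model keeps off the device.
        manifest_path = Path(tmp) / "baseline.json"
        manifest_path.write_text(json.dumps(hash_tree(known_good), sort_keys=True))
        diff = diff_snapshots(json.loads(manifest_path.read_text()), hash_tree(later))
    return {"diff": diff, "hits": match_indicators(CONSTRUCTED_LOG, SAMPLE_INDICATORS)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the diff is not that every added or changed file is suspicious (preference plists change constantly), but that without a stored known-good manifest an examiner has nothing to diff against at all; the indicator pass is the separate, point-in-time check the article contrasts with continuous EDR-style monitoring.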

None of these elements requires technically novel tooling, and the capability already exists within the DFIR market. Investigative journalists, human rights defenders and political dissidents receive substantive mobile defensive support from civil society organisations such as the Citizen Lab and Access Now's Digital Security Helpline; at the same time, executives, politicians, board members and ultra-high-net-worth principals, despite holding materially more sensitive information and possessing significant resources to pay for protection, generally do not access a comparable service from their commercial providers. The cause of this – in my view – is that the grey area between the professional and the personal for senior individuals is too often put in the ‘too difficult’ or ‘not worth the argument’ category by organisations’ security teams, while the individuals themselves do not know what questions to ask.

If you advise a principal – or you are one – three questions are worth asking this week. Who has the legal authority to image the personal phone if it is compromised tomorrow morning? When was the last forensic baseline taken on it? And which of the principal’s communications are genuinely segregated from the device that everyone in their network already has the number for? As ever, we are happy to work through these questions on a confidential basis, with no requirement to engage further.
