BIRN, in cooperation with the SHARE Foundation, has uncovered that the Serbian Security Intelligence Agency (BIA) inserted NoviSpy spyware into the phones of four farmers and environmental activists during their detention. Speaking to BIRN for the first time, they describe their arrests, the threats they faced, and what life is like when you know someone is constantly watching you.

When three unknown men pushed Slobodan Vidojević, a farmer from Bresnica and president of the Šumadija and Pomoravlje Milk Producers Association, into a black van on the morning of October 1, 2024, his first thought was of his daughter.
“People, my child is still at school, someone has to pick her up. Call my family—if anything happens to my child, you’ll answer for it,” he said.

They didn’t identify themselves. They shoved him, hit him in the head, and told him to keep quiet. They seized his phone the moment he entered the vehicle. A few hours later, Vidojević walked out of the Čačak police station a free man. But his phone would never again truly be his, BIRN writes.

Months after the arrest, something was wrong. His battery drained unusually fast. His signal often disappeared. He heard strange static while talking with his family. It turned out that his phone had been sending data directly to a BIA server for more than a year.

Slobodan Vidojević was not the only one.

A new BIRN investigation reveals that the phones of four farmers and environmental activists from different regions of Serbia were infected with NoviSpy during their time in BIA and police facilities.

These cases were documented using digital forensics and the Mobile Verification Toolkit (MVT) developed by Amnesty International. SHARE Foundation used the toolkit together with BIRN journalists to examine the phones. The analysis revealed signatures typical of NoviSpy, including access to the microphone, camera, messages, and location, as well as heavy data flow to a BIA server.

The experiences of Vidojević, Zlatko Kokanović, Vladimir Višić, and Jovan Topalović further illuminate a broader pattern of digital surveillance and pressure in Serbia.

All four men had been summoned or detained by BIA and police between July and October of last year, during major protests against Rio Tinto and in support of farmers’ demands. Their phones were confiscated, and the BIA-developed Android spyware NoviSpy was installed without their knowledge.

Legal experts told BIRN that spyware use is not legally regulated and is difficult to justify due to its extreme intrusion into personal data.

“This negatively affects privacy, freedom of expression, and freedom of association—not only for targeted individuals but also for the wider activist community. The consequences for democracy in the country are disastrous because it creates the impression that there is no oversight of BIA’s work,” said Ana Toskić Cvetinović from the NGO Partners Serbia.

What do we know so far?

At the end of last year, BIRN reported cases involving activists Nikola Ristić, Ivan Bjelić, Buki Milosavljević, and a member of the organization Krokodil, whose phones were proven to have been targeted by secret surveillance. In some cases, data was extracted using Cellebrite tools; in others, NoviSpy was installed once the devices were unlocked. According to Amnesty International’s researchers, NoviSpy communicates directly with a server inside BIA.

Due to evidence of misuse, Cellebrite revoked licenses for some Serbian users in February. However, according to Radio Free Europe, the Ministry of Interior regained its Cellebrite licenses by April, just two months later. A criminal complaint was filed against unknown persons within the security services, but progress has been minimal.

The newly discovered infections described in this article date from 2024. BIRN and SHARE researchers have not recorded any NoviSpy infections in 2025 so far.

A “movie-style” arrest: “I’m not an enemy of the state, I’m just a farmer”

Farmer Slobodan Vidojević woke earlier than usual on October 1, 2024. His association had planned a protest for that afternoon. Tractors were to block the roads; their demands had been ignored for months.

At around 8 a.m., before anything began, two BIA officers appeared in his yard.

“They had no papers. The younger one was from Čačak; I don’t know about the older one. They came into my home, had coffee, stayed almost two hours. They kept insisting we cancel the protest—said everything would be resolved, that they’d call the agriculture minister, even the president if needed,” Vidojević said.
The officers told him, “My advice is: come with us, because we’re sending a team from Belgrade.”

Vidojević replied: “People, I’m not enemy of the state number one, I’m just a farmer.”

His family and neighbors witnessed the whole exchange.

Later that day, when he briefly stood alone waiting for his child outside the village school, a black Mercedes van pulled up, three men jumped out, and grabbed him.

“They beat me and forced me inside. I later learned the village was full of police, some in plain clothes, and one BIA officer near the school directed the operation. I didn’t expect a movie-style kidnapping,” he said.

His phone was taken immediately. He was driven to Čačak police, to the BIA office on the upper floor. After a two-hour interrogation, he was released. Villagers had blocked the road demanding his return.

Months later, his phone showed all the classic signs of surveillance—because NoviSpy had been active more than a year.

Kokanović: “They wanted to stop me from going to the government meeting”

Zlatko Kokanović, activist of “Ne damo Jadar,” was on his way to a scheduled meeting at the Serbian Government on July 18, 2024. At 8:15 a.m., BIA called him to a “15-minute conversation.” Instead, he was held for four hours at the BIA office in Loznica.

Before entering, he left his phone in a locker. The phone remained with the officers for 30–45 minutes—long enough for NoviSpy to be installed at 9:38 a.m. Exactly then, logs show, the spyware appeared on his device.

Spyware researcher Filip Milošević explains that NoviSpy can gain administrator permissions, disguise itself as an accessibility app, collect calls, contacts, SMS, record audio, take screenshots, track location, activate the camera, and then send all the data to a BIA server—usually when the device is charging or connected to Wi-Fi.

Kokanović says his infected phone was used for about a month before he switched devices.
“Then tabloids began publishing articles based on my phone conversations,” he said.

He added: “Let them listen. They know we’re not foreign agents. They can hear me arguing with my wife if they want.”

More at BIRN.rs

MORE TOPICS:

EMOTIONAL ADDRESS BY ŽELJKO OBRADOVIĆ: “Ostoja Mijailović bears responsibility for the situation in Partizan!” (FULL VIDEO)

CONFESSION OF A SERBIAN NURSE: “When I moved to Norway I had no idea what would befall us, I watched my children crying” (VIDEO)

“BRIAN PUSHED ANA IN A PANIC, SHE FELL OFF THE BED”: The defense presented shocking details at the trial in the case of the murdered Serbian woman!

PROSECUTOR’S OFFICE FOR ORGANIZED CRIME ORDERED THE ARREST OF THE MINISTER: Selaković came in front of the building and insulted the prosecutors!

ARRESTED SERBIAN POLICEMAN FROM CHICAGO RETURNED TO WORK: Radule Bojović accused of overstaying his visa, then put on his uniform again! (VIDEO)

SourceBIRN.rs, Foto: Milos Tesic / ATAImages 

Leave a comment

Your email address will not be published. Required fields are marked *