A former European Parliament member who helped investigate spyware abuses in Europe was himself hacked with Pegasus, according to researchers, raising new questions about how surveillance tools are used against politicians, journalists and critics.
Security researchers confirmed Greek journalist and former politician Stelios Kouloglou had his phone hacked with Pegasus while serving on an investigatory committee probing abuses of the surveillance tool.
A Pegasus Investigator Became a Pegasus Target
The case is striking because Kouloglou was not only a lawmaker but also part of the European Parliament’s PEGA Committee.
Reuters reported that Kouloglou was serving on the PEGA Committee, which was set up in 2022 to examine illegal phone hacking across the European Union. The Pega committee was established in March 2022 after the Pegasus Project revealed how journalists, activists, politicians and other members of civil society were being targeted by governments using Pegasus.
TechCrunch reported that this marks the first time a member of the European Parliament’s PEGA committee has been publicly identified as a spyware victim.
Kouloglou, who was first elected to the European Parliament as a member of Greece’s Syriza party, said he was shocked by the attack.
Reuters quoted him as saying, “I was not expecting that a PEGA member would be spied on by Pegasus,” adding that he did not expect the operators to be “as reckless as that”.
Citizen Lab Links the Attacks to Earlier Spyware Campaigns
Citizen Lab did not name the government behind the hacking.
The Guardian reported that researchers at the University of Toronto’s Citizen Lab could not attribute the attacks to any particular government operator of Pegasus.
Citizen Lab linked some of the hacking activity to earlier discoveries involving Pegasus attacks on Russian- and Belarusian-speaking journalists and activists in exile.
The timing also matters. Kouloglou’s mobile device was first infected on October 21, 2022, about seven months after he joined the committee and during an intense period of Pega deliberations and drafting.
The October 2022 hack coincided with intense discussions ahead of a first draft covering spyware abuses in Cyprus, Greece, Hungary, Poland and Spain. Kouloglou was hacked again in March 2023, during the period when the committee was still working toward its final report.
Zero-Click Exploit Exposed Private Data
The spyware reportedly used an iPhone vulnerability. Citizen Lab said Kouloglou was hacked using an exploit that compromised a security vulnerability in Apple’s iPhone software, through a “zero-click” bug that did not require user interaction. Apple said that the vulnerability referred to in the Citizen Lab report had since been patched and that the company regularly issues alerts to hacking targets.
The potential exposure went far beyond political work. The exploit could grab private data from Kouloglou’s phone, including text messages, correspondence, location data and photos. Kouloglou shared realizing his private life had been scrutinized made him angry and raised issues tied to “corruption, justice and democracy”.
Pressure Grows on Europe and NSO Group
NSO Group did not respond to requests for comment. NSO has said its tools are used to police serious crime and protect national security, but the company has repeatedly been accused of enabling intrusive surveillance of journalists, political opponents and civil rights activists.
NSO sells Pegasus to governments around the world for stopping serious crime and terror attacks. Kouloglou plans to sue NSO Group.
The case could intensify calls for tighter spyware rules in Europe. Former EU lawmaker Sophie in ’t Veld said that the spread of mercenary spyware had created a situation where “anybody could spy on anyone”. Citizen Lab senior researcher John Scott-Railton shared that the case shows “the ultimate irony of Europe’s spyware crisis” because someone investigating Pegasus was infected by it.
The hacking of Kouloglou turns Europe’s spyware debate into something more personal and political. If even the people investigating spyware abuses can be hacked, the question is no longer whether Europe has a surveillance problem. It is whether its institutions can control the tools they are supposed to investigate.