Surveillance

MEP who investigated spyware was himself hacked with Pegasus, researchers find

The Citizen Lab says Greek MEP Stelios Kouloglou, who sat on the European Parliament's committee probing spyware, had his iPhone hacked with NSO Group's Pegasus at least twice during the inquiry.

By Camille Reuter · 4 min read

Illustration (AI-generated, not a photograph of the actual device): an iPhone on a European Parliament committee table displaying Apple's state-sponsored-attack notification, evoking the Pegasus spyware the Citizen Lab found on MEP Stelios Kouloglou's phone.

A lawmaker who helped investigate the abuse of commercial spyware inside the European Union was himself hacked with the very tool his committee was scrutinising, according to a forensic report published on 3 July by the Citizen Lab.

The researchers say the iPhone of Stelios Kouloglou, a Greek investigative journalist who served as a Member of the European Parliament from 2015 to 2024, was infected with Pegasus — the zero-click spyware made and sold by the Israeli firm NSO Group — on at least two occasions while he sat on the Parliament's PEGA Committee of Inquiry. That panel was created in 2022 specifically to examine the illegal use of Pegasus and equivalent tools by EU governments.

The Citizen Lab, an interdisciplinary laboratory at the University of Toronto, concluded with “high confidence” that Kouloglou's device was compromised on or around 21 October 2022 and again on 6–7 March 2023, while he was in Athens and Brussels. The report, its 194th, notes the findings do not rule out further infections; several news outlets have described at least three incidents across the two years. Apple sent Kouloglou state-sponsored-attack threat notifications months after the fact.

An inquiry's own investigator, turned target

Pegasus lets an operator take covert control of a phone, reaching its messages, photos, contacts, camera and microphone. The timing of the intrusions, the researchers say, tracked the committee's most sensitive work: the first infection coincided with an intense stretch of PEGA hearings, including sessions on “Big Tech and Spyware” and spyware and e-privacy; the second lined up with discussions of the committee's final report.

For those who ran the inquiry, the symbolism was hard to miss.

“It is ironic that a member of the committee charged with investigating Pegasus was himself targeted with Pegasus spyware.”

That assessment came from Ron Deibert, the Citizen Lab's founder and director. Kouloglou, for his part, told the Associated Press he had assumed his role afforded some protection. “I was not expecting that a PEGA member would be spied on by Pegasus,” he said, adding that he had not expected whoever was behind it to be “as reckless as that.” He has said his phone held 15 years of messages and photographs, including exchanges with party leaders and journalists.

Who did it — and who did not

Crucially, the Citizen Lab did not attribute the hacking to any specific government. The researchers said explicitly that they found no indications the Greek government was responsible, and noted there are no reports that Greece is or was a customer of NSO Group — a pointed clarification given Athens' own earlier surveillance scandal.

Instead, the analysts traced a technical thread. The lure used to deliver the exploit — a message abusing Apple's HomeKit software, part of a chain the lab associates with an exploit it calls PWNYOURHOME — relied on an email address that also appeared in a May 2024 campaign against seven Russian- and Belarusian-speaking exiled journalists and activists in Europe. From that overlap, the researchers assess that a single Pegasus operator ran both operations, pointing to a customer authorised to spy across multiple European jurisdictions.

The findings, in other words, describe not a rogue actor but a client of a regulated commercial product operating on EU soil. NSO Group did not respond to requests for comment; the company has previously said it vets its government buyers and cancels contracts with those found to abuse its software.

A fight the Parliament never finished

The disclosure lands on unfinished business. The PEGA committee spent 2022 and 2023 documenting how member states — among them Greece, Poland, Hungary and Spain — had deployed spyware against journalists, opposition figures and civil society, and it issued a set of recommendations for tighter controls. Lawmakers involved say the European Commission has largely left those proposals on the shelf.

Serving MEPs framed the new report as an attack on the institution itself.

  • Hannah Neumann, a German Green who negotiated on the committee, said: “Many of us were expecting some hacks during the committee, but it's still frustrating now to figure out that it really happened.”
  • John Scott-Railton, a senior Citizen Lab researcher and co-author, warned the problem is far from contained: “I know what the next chapter of this story is — it's going to be more hacked members of parliament, and I would bet that there are members of the European Parliament today walking around with no idea that their phone in their pocket has been turned into a spy.”

Sophie in 't Veld, the former Dutch MEP who served as the committee's rapporteur, has described a landscape in which accountability has all but vanished. “We're in a situation where anybody could spy on anyone,” she told the Associated Press, “and they're spying on citizens, they're spying on journalists, they're spying on NGOs, on lawyers, on politicians, and nobody knows who's behind it.”

Why it reaches Luxembourg

The European Parliament divides its work between Brussels, Strasbourg and Luxembourg, and the guarantees at stake — parliamentary independence, press freedom and the confidentiality of an inquiry's sources — bind all 27 member states, Luxembourg included. A successful intrusion into a lawmaker scrutinising surveillance strikes at the EU's own capacity to hold that surveillance to account. Whether the latest evidence finally moves Brussels from recommendation to regulation remains, for now, an open question.

Frequently asked

Who is Stelios Kouloglou?
A Greek investigative journalist who served as a Member of the European Parliament from 2015 to 2024 and sat as a substitute member on the PEGA committee, which investigated the abuse of Pegasus and similar spyware in the EU.

Which spyware was used, and who makes it?
Pegasus, a zero-click surveillance tool developed and sold to governments by NSO Group, an Israeli company headquartered in Herzliya. It can covertly access a phone's messages, photos, camera and microphone.

Who was blamed for the hacking?
No government was named. The Citizen Lab said it found no indications the Greek government was responsible, but linked the operator to a separate campaign against exiled Russian and Belarusian journalists, suggesting a Pegasus customer able to operate across several European countries.

Why does this matter for the EU and Luxembourg?
The European Parliament works across Brussels, Strasbourg and Luxembourg, and the case bears on parliamentary independence and press-freedom protections that apply in all 27 member states, including Luxembourg, while reviving calls for EU-wide spyware rules.

Sources (6)
  1. Espionage Against the European Parliament: Member of Committee Investigating Spyware Hacked with Pegasus. The Citizen Lab · citizenlab.ca
  2. Politician who investigated spyware abuses had his phone hacked with Pegasus spyware. TechCrunch · techcrunch.com
  3. EU lawmaker investigating surveillance hacked by Israeli spyware, report says. Al Jazeera · aljazeera.com
  4. Someone infected a spyware probe overseer with spyware. CyberScoop · cyberscoop.com
  5. Spyware found on phone of European Parliament member probing it. The Record (Recorded Future News) · therecord.media
  6. Researchers Say EU Lawmaker Who Investigated Surveillance Was Hacked by Israeli Spyware. Asharq Al-Awsat (Associated Press) · english.aawsat.com
