Surveillance
MEP Who Investigated Pegasus Was Himself Hacked With It, Citizen Lab Finds
Forensic analysis confirms Stelios Kouloglou's iPhone was infected with Pegasus twice while he sat on the European Parliament's spyware inquiry, reviving a stalled EU push to rein in the industry.
By Camille Reuter · · 4 min read

The European lawmaker who spent more than a year investigating how governments abuse commercial spyware was, it turns out, being spied on with the very tool at the centre of his inquiry.
Stelios Kouloglou, a Greek journalist and former member of the European Parliament, had his iPhone infected with Pegasus — the spyware sold by Israel's NSO Group — while he served on the Parliament's committee examining the software's abuse, according to a forensic analysis published on 3 July by the Citizen Lab, the digital-rights research group at the University of Toronto.
The Citizen Lab said it established "with high confidence" that Kouloglou's phone was compromised on two occasions: on 21 October 2022 and again on 6–7 March 2023. Both fell within his term as a substitute member of the committee, known by its acronym PEGA, which sat from 2022 to July 2023 and was created specifically to scrutinise the use of Pegasus and similar tools against journalists, activists and politicians across the European Union.
An investigator turned target
Kouloglou, who sat in the Parliament from 2014 until 2024 and built his career as an investigative reporter and documentary filmmaker, brought his phone to the Citizen Lab for examination in May. He had received three Apple threat notifications about possible state-sponsored spyware in recent years, the researchers said, but had never seen them.
The timing is what makes the case more than an embarrassment. Both infections coincided with sensitive periods of PEGA's work, meaning the spyware could have swept up confidential deliberations of the very body set up to expose such surveillance. The Citizen Lab said the intrusion "could have exposed strictly confidential exchanges among PEGA Committee members" and urged EU institutions to open immediate investigations into the breach. It is the first time a serving member of the inquiry has been publicly identified as a Pegasus victim.
"It is ironic that a member of the committee charged with investigating Pegasus was himself targeted with Pegasus spyware," said Ron Deibert, director of the Citizen Lab.
For Kouloglou, the violation was intimate as much as political. "You realize that all of your personal data [was taken] — not all the professional exchanges or messages with ministers — but also the very private things, like the happy moments and the sad moments," he told TechCrunch.
Who was behind it — and who was not
The Citizen Lab did not attribute the hacking to any single government. Crucially, it said it found "no indications that the Greek Government is responsible," noting that there are no reports of Greece being a client of NSO Group. Kouloglou himself believes Athens was behind the operation; the researchers say they have no evidence for that.
Instead, the analysts traced the attacks to an operator whose infrastructure overlapped with a Pegasus campaign that had earlier targeted exiled Russian- and Belarusian-speaking journalists and activists in Europe. That pattern, they wrote, points to a Pegasus customer with authorisation to conduct surveillance across several European countries — a conclusion that widens rather than narrows the field of suspects. NSO Group did not respond to requests for comment.
The confirmed findings, according to the report, are:
- Two Pegasus infections of Kouloglou's iPhone, assessed with high confidence, in October 2022 and March 2023.
- Both intrusions falling inside his PEGA committee mandate and its confidential proceedings.
- No attribution to the Greek state, but an operator linked to cross-border targeting of Russian and Belarusian émigrés.
A stalled reckoning in Brussels
The revelation lands on an EU debate that has been frozen for years. PEGA was established in March 2022 after it emerged that several member states had deployed Pegasus and rival tools against reporters, opposition figures and officials. In June 2023 the Parliament adopted the committee's final recommendations, calling for a conditions-based moratorium on the sale and use of spyware and a common European framework to govern it.
Little of that has been implemented. The European Commission and national governments have largely left the recommendations on the shelf, while critics argue that the European Media Freedom Act's safeguards against surveillance of journalists were watered down at member states' insistence. Hannah Neumann, a German Green who also served on PEGA, said the new case should force the issue.
"Spyware doesn't make democracies safer. It weakens democratic oversight, parliamentary independence and the rule of law," she said. The failure to act on the committee's work, she added, "shows a total disregard for Parliamentarians' role to scrutinize and, as such, for European democracy."
The stakes are not confined to Athens or Brussels. Because Pegasus and its competitors are marketed to state clients across the bloc, the question of who may lawfully deploy them — and against whom — reaches every one of the EU's 27 member states, Luxembourg included. The hacking of the lawmaker assigned to hold that industry to account has handed reformers their sharpest illustration yet of what happens when oversight itself becomes a surveillance target.
Frequently asked
- Who is Stelios Kouloglou?
- A Greek investigative journalist and documentary filmmaker who was a Member of the European Parliament from 2014 to 2024 and a substitute member of the PEGA committee investigating spyware abuse in the EU.
- Who confirmed that his phone was hacked?
- The Citizen Lab, a digital-rights research group at the University of Toronto, which analysed his iPhone in May 2026 and published its findings on 3 July 2026.
- Was the Greek government blamed?
- No. The Citizen Lab found no indications that Greece was responsible and did not attribute the attack to any specific state, though Kouloglou himself believes Athens was behind it.
- Why does the case matter for the EU?
- It targets the very lawmaker tasked with scrutinising spyware, sharpening pressure on the EU to act on stalled recommendations to regulate the industry — an issue affecting all member states, including Luxembourg.
Sources(6)
- 1Espionage Against the European Parliament: Member of Committee Investigating Spyware Hacked with PegasusThe Citizen Lab · citizenlab.ca
- 2EU lawmaker investigating surveillance hacked by Israeli spyware, report saysAl Jazeera · aljazeera.com
- 3Spyware found on phone of European Parliament member probing itThe Record (Recorded Future News) · therecord.media
- 4Politician who investigated spyware abuses had his phone hacked with Pegasus spywareTechCrunch · techcrunch.com
- 5Someone infected a spyware probe overseer with spywareCyberScoop · cyberscoop.com
- 6Investigation of the use of Pegasus and equivalent surveillance spyware (Recommendation), 15 June 2023European Parliament · europarl.europa.eu



