
Stelios Kouloglou spent two years on the European Parliament committee set up to investigate governments spying on their own citizens with commercial hacking tools.
According to a report published Friday by Citizen Lab, the University of Toronto research group, his own phone was hacked with Pegasus spyware while that inquiry was under way.
Kouloglou, a Greek former MEP with the left-wing SYRIZA party, served as a substitute member of the PEGA committee, the parliamentary body formed in 2022 to examine the use of Pegasus and similar spyware across EU member states.
Citizen Lab found forensic evidence of three separate infections on his iPhone, one in October 2022 and two more in March 2023, while the committee was drafting its findings.
The spyware was Pegasus, made by Israel’s NSO Group, and Citizen Lab says it identified it with high confidence. The October 2022 infection landed while Kouloglou was in hospital for a scheduled procedure.
The other two arrived within a day of each other in March 2023, as he travelled between Athens and Brussels during the final stretch of negotiations over the committee’s report.
What Citizen Lab has not done is name who ordered the hack. The exploit relied on a previously patched Apple vulnerability that had not yet been installed on Kouloglou’s device, a zero-click method needing no action from the target.
Researchers linked the infrastructure behind it to a campaign already used against journalists elsewhere in Europe, pointing to an NSO government client rather than the company itself, though that client remains unidentified.
NSO licenses Pegasus exclusively to government agencies, but that is not the same as naming an attacker. No country has been identified as the operator, and Citizen Lab’s report is explicit that attribution stops there.
Kouloglou called the intrusion “reckless” and said he intends to sue NSO Group. He told researchers he only learned of the infections in May, after a lawyer referred him to Citizen Lab for a phone check. NSO Group did not respond to requests for comment from either Citizen Lab or the reporters who covered the findings.
The European Parliament, asked about the case, did not address Kouloglou’s situation directly. A spokesperson said the institution’s IT security team “constantly monitors cybersecurity threats” and that spyware-screening tools have been available to members since 2022, the same year the PEGA committee was formed.
A follow-up report adopted by parliament last month called for extending that screening to every device MEPs use for parliamentary business.
Other members of the PEGA committee were quick to react. German MEP Hannah Neumann called for parliament to finally implement the committee’s original recommendations, which have largely sat untouched since 2023.
Ron Deibert, Citizen Lab’s director, described the case as “ironic” given Kouloglou’s role investigating the same technology that was used against him, and warned that an unregulated spyware industry corrodes trust in democratic institutions well beyond any single target.
The PEGA committee’s 2023 report had already concluded that Pegasus and comparable tools were misused in Poland, Hungary, Greece and Spain, and called for tighter EU-wide controls on their sale and use. Little of that has translated into binding law.
A separate case out of Bulgaria, where leaked export licences showed a Sofia-based NSO affiliate shipping surveillance equipment to intelligence agencies from Azerbaijan to the UAE, suggests the enforcement gap the committee warned about has only widened since.
Even outside the Pegasus market proper, cheaper commercial spyware sold to European law enforcement, like the fake WhatsApp app built by Italy’s SIO, shows how far the underlying problem has spread beyond a single vendor.
Kouloglou’s case adds a personal detail to what has largely been an abstract policy fight. The people who spent two years documenting spyware abuse for the European Parliament were plausible targets for the tool they were scrutinising, and at least one of them was hit while the ink on the findings was still drying.
View original source — The Next Web ↗

