Former MEP Investigating Pegasus Abuse Was Hacked With Pegasus Spyware
Former Greek MEP Stelios Kouloglou was hacked with NSO Group’s Pegasus spyware while serving on the European Parliament committee investigating spyware abuse in Europe, according to new forensic findings from Citizen Lab.
The case is significant because Kouloglou was not only a former lawmaker and journalist. He was also a substitute member of the European Parliament’s PEGA committee, which examined the use of Pegasus and similar surveillance tools across Europe.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Citizen Lab said its forensic analysis found high-confidence evidence that Kouloglou’s iPhone was infected on or around October 21, 2022, and again on March 6 and March 7, 2023. Those dates overlapped with sensitive committee work, including report drafting, hearings, and discussions linked to spyware scandals in EU member states.
Pegasus Infection Hit During Sensitive EU Spyware Work
Kouloglou served on the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware from March 24, 2022, to July 18, 2023. The committee was set up after major reporting showed that spyware had been used against journalists, politicians, lawyers, activists, and other public figures in Europe.
The European Parliament has said the PEGA committee interviewed more than 215 people, commissioned studies, held hearings, and organized fact-finding visits to several countries, including Greece and Cyprus.
Citizen Lab said the first known infection came shortly before PEGA members traveled to Cyprus and Greece in November 2022. Kouloglou helped plan and joined that visit, which focused on spyware allegations and the wider surveillance industry.
| Date | Event | Why it matters |
|---|---|---|
| October 21, 2022 | First confirmed Pegasus infection | The committee was preparing hearings and discussing draft report material. |
| November 1 to 4, 2022 | PEGA delegation visit to Cyprus and Greece | Kouloglou joined the visit and helped with related committee work. |
| March 6 to 7, 2023 | Second confirmed Pegasus infection period | The committee was working through final report negotiations. |
| June 2023 | Parliament adopted spyware recommendations | The findings fed into EU calls for stronger spyware controls. |
How Citizen Lab Detected the Pegasus Attack
The first infection involved the PWNYOURHOME zero-click exploit, according to Citizen Lab. Researchers said Kouloglou’s phone showed a lookup for a HomeKit-linked email address, followed by Pegasus network activity two minutes later.
Zero-click attacks are especially dangerous because the target does not need to open a link, install an app, or approve a file. In high-value surveillance cases, spyware can target the phone silently and then extract sensitive data.
Apple later sent Kouloglou threat notifications on March 2, 2023, August 29, 2023, and April 10, 2024. Apple says threat notifications are designed to warn users who may have been individually targeted by mercenary spyware attacks.
Citizen Lab Does Not Blame Greece
Citizen Lab did not name the government or Pegasus customer behind the operation. The researchers also said they found no indication that the Greek government was responsible, and no public evidence that Greece has been an NSO Group customer.
The group did identify an overlap with an earlier Pegasus campaign. The same HomeKit-linked email address used in Kouloglou’s first infection also appeared in a 2024 investigation by Access Now and Citizen Lab into Pegasus targeting of exiled journalists and activists in Europe.
That earlier investigation found that Russian, Belarusian, Latvian, and Israeli journalists and activists had been targeted with Pegasus while living in EU countries. Citizen Lab said the overlap suggests a Pegasus operator with authorization to target people in multiple European jurisdictions may be responsible.
- Citizen Lab confirmed Pegasus infections on Kouloglou’s iPhone during PEGA committee work.
- The first infection happened while Kouloglou was in hospital in Greece.
- The second infection period happened while he was in Brussels.
- Researchers did not attribute the attack to a specific government.
- The case raises fresh concerns about spyware threats to parliamentary work.
Hospital Infection Raises Privacy Concerns
The October 2022 infection occurred while Kouloglou was hospitalized for elective surgery. On the same day, he was visited by Greek investigative journalist Thanasis Koukakis, who had previously testified before the PEGA committee after being targeted with Predator spyware.
Citizen Lab warned that spyware active during a hospital stay could have exposed medical information, private communications, and in-room conversations. That makes the case more serious than a political surveillance incident alone.
The timing also matters because the PEGA committee was preparing hearings on spyware and fundamental rights. If attackers accessed messages, emails, or documents, they may have gained insight into internal parliamentary deliberations.
Why the Case Matters for Europe
The case appears to be the first public confirmation that a member of the PEGA committee was hacked with Pegasus while actively serving on the inquiry. Other MEPs have previously been linked to spyware targeting, but Kouloglou’s case directly intersects with the committee’s own investigation.
The European Parliament later concluded that Pegasus and similar tools had been used for political and even criminal purposes, and called for stronger safeguards around spyware use in the EU.
The new findings will likely renew pressure on EU institutions to act on spyware oversight. The concern is not only personal privacy. Spyware targeting of lawmakers can threaten committee work, confidential documents, source protection, and democratic accountability.
Apple Warnings Show the Wider Spyware Risk
Apple says mercenary spyware attacks are usually aimed at a small number of people because of who they are or what they do. Targets often include journalists, activists, politicians, diplomats, and others whose communications may interest state-backed or commercial surveillance operators.
The company says users who receive Apple threat notifications should take them seriously and follow recommended protection steps. However, only forensic analysis can confirm whether a device was successfully infected.
For the EU, Kouloglou’s case adds a new layer to the spyware debate. The committee investigating spyware abuse may itself have been exposed to spyware during one of its most sensitive periods.
Previous Pegasus Campaign Shows Possible Link
The overlap with the earlier Access Now investigation does not prove who carried out the attack. It does, however, give researchers a technical clue that may narrow the field of possible operators.
Citizen Lab said Pegasus infrastructure indicators suggest the first Kouloglou infection may be linked to the operator involved in that earlier campaign. The second infection period remains less clear.
The findings also highlight a larger problem for Europe. Spyware tools can cross borders, target officials, and expose the communications of institutions that are supposed to investigate surveillance abuse.
What Happens Next?
Kouloglou’s case may push European lawmakers to revisit the PEGA committee’s recommendations and strengthen forensic support for officials at risk of surveillance. Citizen Lab urged MEPs and staff who took part in the committee to seek forensic screening and preserve devices that may contain evidence.
The report also raises questions for NSO Group and the governments allowed to use Pegasus. Without stronger transparency and accountability rules, European institutions may continue to face spyware threats from operators that remain hidden.
For now, the central finding is clear: a former MEP investigating spyware abuse was himself hacked with Pegasus while serving on the inquiry. That makes the case one of the most politically sensitive spyware revelations in Europe in recent years.
FAQ
Stelios Kouloglou is a Greek journalist and former Member of the European Parliament. He served as a substitute member of the PEGA committee, which investigated Pegasus and similar spyware abuses in Europe.
Yes. Citizen Lab said forensic analysis of his iPhone found high-confidence evidence of Pegasus infections on or around October 21, 2022, and again on March 6 and March 7, 2023.
Citizen Lab did not attribute the attack to a specific government or Pegasus customer. It also said it found no indication that the Greek government was responsible.
The case is important because Kouloglou was serving on the European Parliament committee investigating spyware abuse when his phone was infected. The spyware may have exposed confidential committee communications and sensitive parliamentary work.
Pegasus is mercenary spyware developed by NSO Group. It can be used to compromise smartphones and access sensitive data, including messages, files, contacts, and potentially microphone or camera data.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages