In a chilling development that has sent shockwaves through the corridors of European power, security researchers have confirmed that a high-profile European politician and journalist was subjected to sophisticated state-sponsored surveillance while serving on a committee explicitly tasked with investigating such abuses. The confirmation that Stelios Kouloglou, a former member of the European Parliament (MEP), had his mobile device compromised by Pegasus spyware represents a watershed moment in the ongoing global controversy regarding the unchecked use of mercenary surveillance tools.
This revelation, provided by the University of Toronto’s Citizen Lab, is not merely a case of individual privacy violation; it is a direct assault on the institutional integrity of the European Union. Kouloglou served on the European Parliament’s PEGA committee, a body formed specifically to probe the proliferation of phone spyware used by European governments. That he was targeted by the very technology he was investigating suggests a brazen, high-stakes effort to undermine democratic oversight.
The Anatomy of an Intrusion: A Chronology of Surveillance
The digital forensic investigation conducted by Citizen Lab paints a grim picture of a targeted, persistent campaign. The exploitation of Kouloglou’s iPhone did not occur in a vacuum; it mirrored critical junctures in the PEGA committee’s investigative timeline.
October 2022: The Hospital Breach
The initial compromise occurred in October 2022. During this period, the PEGA committee was engaged in intense, high-level communications, drafting the initial reports that would eventually expose spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain. Crucially, Kouloglou was hospitalized at the time for a pre-scheduled surgery.
The attackers utilized a "zero-click" exploit—a potent weapon in the cyber-espionage arsenal that requires absolutely no interaction from the victim. By leveraging a previously undiscovered vulnerability in Apple’s HomeKit (smart home) software, the spyware bypassed all security protocols, granting the operator total access to Kouloglou’s encrypted text messages, location history, private photos, and, most alarmingly, the ability to activate the device’s microphone to capture ambient audio during his most vulnerable moments of recovery.
March 2023: The Transit Interception
The surveillance did not cease after the initial breach. Citizen Lab identified subsequent successful intrusions on March 6 and 7, 2023. At the time of these attacks, Kouloglou was traveling between Athens and Brussels, coinciding with a critical window of committee hearings. This second phase of the operation suggests that the threat actor was interested not just in historical data, but in the real-time movements and strategic deliberations of a key legislator.
Supporting Data: The Fingerprints of a Global Mercenary
Citizen Lab’s analysis remains careful regarding formal attribution; they have not named the specific nation-state behind the hack. However, the technical indicators are damning. The forensic evidence revealed that the operator used the exact same email address for the command-and-control infrastructure that had been identified in previous campaigns targeting journalists across the European continent.
The reuse of this specific digital infrastructure implies that the client—a government entity—had been granted broad authorization by the NSO Group to conduct multi-jurisdictional surveillance. It highlights the disturbing reality that Pegasus is not a "lock and key" tool for specific, isolated criminal threats, but rather a flexible instrument of power that, in the hands of a determined state, can be used to monitor political opponents and democratic watchdogs alike.
The Human Cost: A "Direct Attack on the Rule of Law"
When interviewed by TechCrunch, Kouloglou expressed a mixture of indignation and profound violation. For a man who has spent his career defending democratic norms, the discovery that his most intimate moments—his "happy moments and his sad moments"—had been exfiltrated by a government actor was a bitter pill to swallow.
"You realize that all of your personal data [was taken]—not just the professional exchanges or messages with ministers—but also the very private things," Kouloglou stated. He described the act as "reckless," a sentiment echoed by his peers in Brussels. One serving European lawmaker, speaking on the condition of anonymity, described the event as a "direct attack on the rule of law," warning that if a member of a parliamentary committee is not safe from surveillance, then the fundamental concept of legislative privilege is effectively dead.
Kouloglou has confirmed his intention to pursue legal action against the NSO Group. This lawsuit is expected to be a significant test case, potentially opening the door for other victims to seek damages for the violation of their human rights.
Official Responses and the Silence of the Gatekeepers
The response from the entities most implicated in the affair has been notably muted. The European Commission, despite being urged by various MEPs to implement stricter, bloc-wide limits on the sale and use of spyware, has yet to issue a substantive comment.
Similarly, the NSO Group—the Israeli-headquartered developer of Pegasus—did not respond to multiple requests for comment regarding the Citizen Lab report. This silence is consistent with the company’s long-standing policy of refusing to comment on specific customers, even as it faces increasing scrutiny from international bodies.
The NSO Group currently exists in a state of corporate limbo. While it has been largely blacklisted in the United States following a Biden-era executive order that explicitly prohibits federal agencies from using spyware that facilitates human rights abuses, the company continues to seek rehabilitation. Last year, the firm confirmed that an undisclosed American investment group provided a massive influx of capital—tens of millions of dollars—into the company. Critics argue this is a clear effort to "rebrand" the firm and secure a pathway back into Western markets, a move that is now being heavily scrutinized in the wake of the Kouloglou revelations.
Implications: The Death of Privacy and the Future of Democracy
The implications of this hack extend far beyond the technical failure of an iPhone’s software. This incident poses an existential question for the European Union: How can a legislative body function when its own members are being watched by the very governments they are investigating?
1. The Erosion of Parliamentary Privilege
If a government can monitor an MEP, they can monitor the trajectory of an entire investigation. By capturing the communications of the PEGA committee, the perpetrators could potentially anticipate lines of questioning, identify whistleblowers, and prepare counter-narratives before the committee’s findings were even finalized. This creates a "chilling effect" that threatens to silence dissent and stall critical investigations into corruption.
2. The Failure of Export Controls
The fact that a European government—or a client authorized by NSO to operate within Europe—could deploy such a tool against a fellow citizen and a public official demonstrates a catastrophic failure of export controls. The current regulatory framework, which relies on the "good faith" of purchasing governments, has proven entirely inadequate in the face of political expediency.
3. The Need for Global Accountability
Kouloglou’s decision to go public is rooted in a desire to catalyze change. "Corruption concerns everybody," he noted, emphasizing that his fight is not personal, but a defense of democratic institutions. His case is likely to force the European Parliament to revisit the need for a total moratorium on the sale and use of such intrusive software until a robust, binding international framework is established.
As the digital landscape becomes increasingly weaponized, the Pegasus case serves as a stark warning. The line between legitimate national security and state-sponsored repression has become dangerously blurred. For now, the "Pegasus Paradox" remains: the tools intended to protect the state are being used to dismantle the very democratic processes that give the state its legitimacy. As Kouloglou prepares his legal challenge, the eyes of the world remain fixed on the outcome—an outcome that will determine whether privacy in the 21st century is a fundamental right or a casualty of the new surveillance state.








